[Aptitude-devel] Bug#797270: aptitude: fails to download changelogs when $TMPDIR is readable by root only

David Kalnischkies david at kalnischkies.de
Mon Aug 31 11:03:46 UTC 2015


Control: clone -1 -2
Control: reassign -2 aptitude 0.7.1~exp1-1~apt1.1~exp9
Control: retitle -2 aptitude: use pkgAcqChangelog to download changelogs
Control: severity -2 wishlist
Control: reassign -1 apt 1.1~exp9
Control: retitle -1 apt: ignore for _apt inaccessible TMPDIR in pkgAcqChangelog
Control: severity -1 minor
Control: tags -1 + pending

Hi,

(I am gonna talk about apt first, aptitude further below)

On Sat, Aug 29, 2015 at 07:48:05PM +0200, Tollef Fog Heen wrote:
> ]] Axel Beckert 
> 
> > Because APT 1.1~exp* uses an unprivileged user named _apt for
> > downloads if running under root privileges.
> 
> You can't generally use $TMPDIR for inter-user IPC, so in that case,
> create an IPC directory in a well-known location and use that instead.
> 
> I don't think this is a bug in libpam-tmpdir at all.

I guess it was me who Axel heard as I am in a love-hate relationship
with libpam-tmpdir and umask 027. I like using them, but run into all
sorts of "interesting" problems so I regularly revert to the defaults
and I did so again before DebCamp and talked with Julian about it – and
about this changelog problem with root – you have pretty much the same
problem with 'apt-get changelog', just that 'our' users are better
trained and usually don't run it as root (users in this sentence are me
and our test cases, so I regularly forget about it. As an example: root
changelog was broken entirely until ~exp11 as the directory had the
wrong access permissions…). Long story short: not a bug in libpam-tmpdir.


Anyway, GetTempDir() currently deals with the case of TMPDIR not being
accessible by the current user and, if so, falls back to /tmp, which works
just fine for e.g. our gpgv method [we don't clear TMPDIR
unconditionally on user change as that kinda defeats the point of
setting it]. The only problem with the changelog download is that while
the temp directory we download to is set up, we are still root… (see the
example above).

I have pushed some changes to git fixing this issue explicitly by
ignoring TMPDIR if the effective user can't access the directory (and
ensuring we actually have the euid of _apt at the point we check) for
apt, but that isn't fixing aptitude.


Further, I moved a previously private method we used for disabling of
privilege drop for some apt-get commands into the pkgAcquire::Run method
itself, so that the acquire system is now disabling the user flip if it
figures out that a directory it is supposed to download to hasn't the
needed rights. This is a bit hacky as it affects all files in the
fetcher and it doesn't know if we will end up dropping privileges at
all, but good enough for now – a warning is generated to highlight that
frontends should eventually deal with this properly rather than causing
the acquire system to disable security features… (and with frontends,
I mean apt too in this case).

Commits:
https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=dd6da7d2392e2ad35c444ebc2d7bc2308380530c
https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=7c8206bf26b8ef6020b543bbc027305dee8f2308


So, workaround until this hits the archive: Set the option
Debug::DropNoPrivs to true (preferably on the command line) and you are
back to pre-1.1 libapt behavior with everything run as root – or in case
of apt just don't download changelogs as root for a while.


And now finally (that mail really turns out to be long…) some advice for
aptitude: The tempdir in the error message is created by you guys, so
you have more or less the same problem as I described further above with
apt and TMPDIR – just that the second change I described above will make
it at least work as before.

apt 1.1 got the specialized acquire item pkgAcqChangelog, which
(surprisingly) deals with generating the changelog URI as well as
downloading the changelog optionally staged in a temporary directory.
Obviously, aptitude isn't using this yet, but I would recommend it
mostly because I implemented it based on a wish (#739854) to centralize
this logic – and that would magically solve all your (changelog)
problems for ever by making them my problems. ;)

As this might turn out to be some work, I would at least suggest to
change src/generic/apt/pkg_changelog.cc to use a pkgAcqChangelog::URI
method to generate a URI instead of hardcoding it for libapt >= 5.0.

Note btw that, while looking into /usr/share/doc is a nice idea which
I want to implement eventually, some distros (e.g. Ubuntu if I remember
right) truncate the changelog file they ship in the package, so for
these distros there should at least be an option to get the complete
file from the online source instead of from disk.


Best regards

David Kalnischkies
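The following is an added illustration of the TMPDIR problem David describes, not code from apt or aptitude: the temp directory must be checked as the user who will actually do the download (the _apt stand-in), not as the root process that sets things up. The function names DirUsableBy and PickTempDir, the simplified permission model (plain rwx bits, no ACLs or supplementary groups) and the stand-in uid/gid values used in the demo are all assumptions of this example.

```cpp
// Added example (not apt's code): choose a temp directory the *target*
// user can use, rather than the user we currently run as. This mirrors
// the bug in the mail: apt set up its download directory while still
// root, so a root-only $TMPDIR looked fine, but the _apt user that did
// the actual download could not enter it.
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

// Permission-bit check for a directory as seen by (uid, gid). This is a
// simplified model: it ignores POSIX ACLs and supplementary groups and
// treats uid 0 like the kernel does (rwx bits on directories are bypassed).
// A directory is usable for temp files when it is r/w/x for that identity.
bool DirUsableBy(const std::string &dir, uid_t uid, gid_t gid) {
    struct stat st;
    if (stat(dir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode))
        return false;
    if (uid == 0)
        return true;
    mode_t need;
    if (st.st_uid == uid)
        need = S_IRUSR | S_IWUSR | S_IXUSR;
    else if (st.st_gid == gid)
        need = S_IRGRP | S_IWGRP | S_IXGRP;
    else
        need = S_IROTH | S_IWOTH | S_IXOTH;
    return (st.st_mode & need) == need;
}

// Pick the temp directory for a download that will run as (uid, gid):
// honour $TMPDIR only if *that* user can use it, otherwise fall back
// to /tmp. tmpdir_env is the raw value of $TMPDIR (may be null or empty).
std::string PickTempDir(const char *tmpdir_env, uid_t uid, gid_t gid) {
    if (tmpdir_env != nullptr && tmpdir_env[0] != '\0' &&
        DirUsableBy(tmpdir_env, uid, gid))
        return tmpdir_env;
    return "/tmp";
}

// Demonstration: a private 0700 directory (what libpam-tmpdir gives root)
// is fine for its owner but not for an unprivileged download user, so the
// check must be made with the download user's ids. Returns true when both
// outcomes are as described.
bool Demo() {
    char tmpl[] = "/tmp/tmpdir-demo-XXXXXX";
    char *priv = mkdtemp(tmpl);            // mkdtemp creates it mode 0700
    if (priv == nullptr)
        return false;
    uid_t me = geteuid();
    gid_t mygid = getegid();
    // Assumed stand-in for _apt: some other, unprivileged identity.
    uid_t other_uid = (me == 0) ? 65534 : me + 1;
    gid_t other_gid = mygid + 1;
    bool owner_ok = PickTempDir(priv, me, mygid) == std::string(priv);
    bool other_fb = PickTempDir(priv, other_uid, other_gid) == "/tmp";
    rmdir(priv);
    return owner_ok && other_fb;
}

int main() {
    bool ok = Demo();
    std::cout << (ok ? "ok: root-only TMPDIR ignored for the download user"
                     : "FAILED") << "\n";
    return ok ? 0 : 1;
}
```

The point of the split into two functions is where the ids come from: a frontend that wants to stage downloads as an unprivileged user has to evaluate the directory with that user's uid and gid (or after actually switching to it), because the same path gives a different answer for root and for _apt.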