On Fri 25 Oct 2024 at 09:19:30 (-0400), eben@somewhere wrote:
> > Not using synaptic, I don't know why that path was chosen. But
> > you'd need world-execute all the way down from /root itself.
>
> Well the chmod thing is not acceptable.

Totally reasonable; any world-readable file in /root would be exposed
to being copied out by anybody.

> > Well, I'll admit that I'm mystified as to what the 283682-byte file
> > called tmp_sh actually is, and how it was obtained.
>
> eben@cerberus:~$ sudo file /root/.synaptic/tmp/tmp_sh
> [sudo] password for eben:
> /root/.synaptic/tmp/tmp_sh: PNG image data, 825 x 861, 8-bit/color RGBA,
> non-interlaced
>
> I asked for a screenshot of some package, and that appears to be it. As to
> why it's there, couldn't say. I don't need to save it for posterity or
> anything.

If it's a screenshot, it was presumably taken over two years ago.
I have no idea why it's involved in the current discussion, but
it does show the value of pasting commands and their output into
posts, as so often mentioned here.

When I receive this warning, the surrounding context relates to
the /package/ file mentioned in the warning:

# apt-get install ./yt-dlp_2023.01.06-1_all.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'yt-dlp' instead of './yt-dlp_2023.01.06-1_all.deb'
Suggested packages:
  libfribidi-bin | bidiv phantomjs
The following NEW packages will be installed:
  yt-dlp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1739 kB of archives.
After this operation, 9644 kB of additional disk space will be used.
Get:1 /root/yt-dlp_2023.01.06-1_all.deb yt-dlp all 2023.01.06-1 [1739 kB]
[ … ]
Preparing to unpack .../yt-dlp_2023.01.06-1_all.deb ...
Unpacking yt-dlp (2023.01.06-1) ...
Setting up yt-dlp (2023.01.06-1) ...
[ … ]
N: Download is performed unsandboxed as root as file '/root/yt-dlp_2023.01.06-1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
#

This shows a consistent view of a package file being installed.

I was writing under the misapprehension that your 283682-byte file
was a temporary copy of a package file with a bizarre name and a
plausible timestamp. Was Synaptic/APT/dpkg trying to install it?

> It's only a warning so not critical to fix, so I guess I have time to try
> non-destructive means of making it not happen. Thanks.

I'm an "su -" person that doesn't run GUIs as root, so I'm not best
equipped to know how to avoid the synaptic-pkexec issue except by
not quitting, but leaving it running, say, in a taskbar or whatever.
What happens if you sudo synaptic-pkexec?

I ignore the warning because when I'm using apt-get install full-path,
my level of paranoia is assuaged by checking the MD5 listed at the
bottom of the p.d.o/…/download page before I install it.

If I desperately wanted to avoid it, the easiest way would be to
place the package file into /tmp/ with world-readable permission,
and apt-get install it from there¹, but I don't see the point.

As for posting replies to your posts, the ridiculous thing about
the spam detector is that I can only see what it says about
messages that pass, so it's difficult to guess what can raise
the score on a specific post. However, I (and anybody else) do
see lines like:

  RSPAMD_URIBL(3.00)[---.--:email];
                     ↑↑↑↑↑↑ erased your address

caused by the attribution in /just/ the body. Perhaps having that
address in the In-reply-to and References as well is enough to tip
the balance. This post includes those headers but no mention in
the body, so we'll see.

¹ I just tested that with:

$ namei -l /tmp/yt-dlp_2024.10.22-1_all.deb
f: /tmp/yt-dlp_2024.10.22-1_all.deb
drwxr-xr-x root  root  /
drwxrwxrwt root  root  tmp
-rw-r--r-- auser auser yt-dlp_2024.10.22-1_all.deb
$ md5sum /tmp/yt-dlp_2024.10.22-1_all.deb
b1cdd6f0b2e50cc875017fa9547d209c  /tmp/yt-dlp_2024.10.22-1_all.deb
$

Cheers,
David.
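
Added example, not part of the original message or of APT: a Python check that reads `namei -l` output like the footnote's and names the path component that would keep `_apt` out, which is the condition behind the "unsandboxed as root" notice. It assumes `_apt` gets only the "other" permission bits; the /root listing and the function names are constructed for illustration.

```python
# Added example, not from the post: read `namei -l` output and report which
# path component stops a user who has only the "other" permission bits.
# Assumption: _apt is neither owner nor group member of any component;
# ACLs and symlink targets are not evaluated.

# Listing copied from the post's footnote.
TMP_LISTING = """\
f: /tmp/yt-dlp_2024.10.22-1_all.deb
drwxr-xr-x root  root  /
drwxrwxrwt root  root  tmp
-rw-r--r-- auser auser yt-dlp_2024.10.22-1_all.deb
"""

# Constructed listing for the /root case (modes assumed, not from the post).
ROOT_LISTING = """\
f: /root/yt-dlp_2023.01.06-1_all.deb
drwxr-xr-x root root /
drwx------ root root root
-rw-r--r-- root root yt-dlp_2023.01.06-1_all.deb
"""


def blockers(namei_output):
    """Return [(name, mode, reason)] for components 'other' cannot pass."""
    found, rows = [], 0
    for line in namei_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4 or len(fields[0]) < 10:
            continue  # the "f:" header or anything that is not a component row
        mode, _owner, _group, name = fields
        rows += 1
        if mode[0] == "d" and mode[9] not in "xt":
            # Traversal needs execute; 't' is sticky with x, 'T' is sticky without.
            found.append((name, mode, "directory not world-executable"))
        elif mode[0] == "-" and mode[7] != "r":
            found.append((name, mode, "file not world-readable"))
    if rows == 0:
        raise ValueError("no `namei -l` component rows found")
    return found


def sandboxed_fetch_possible(namei_output):
    """True when every component lets an 'other' user through to the file."""
    return not blockers(namei_output)


if __name__ == "__main__":
    for listing in (TMP_LISTING, ROOT_LISTING):
        print(listing.splitlines()[0], "->", blockers(listing) or "no blockers")
```

Run `namei -l` as root so that every component is listed, then pass its output to `blockers()`.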