APT first drops all groups and then changes the effective user and group
id to the one for _apt, before attempting to

mkstemp("/var/cache/apt/archives/partial/.apt-acquire-privs-test.XXXXXX")


to create a file. There must be some permission issue in some part of that
tree; check your /, /var, /var/cache, /var/cache/apt, /var/cache/apt/archives
directories as well - they must have the "executable" permission bit set for
the "other" user such that _apt can traverse them and get to the "partial"
directory.

** Changed in: apt (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2079785

Title:
  apt / apt-get install produce spurious Warning

Status in apt package in Ubuntu:
  Incomplete

Bug description:
  A new minimal install of Ubuntu Server 24.04 has started giving a W
  message on completion of all apt and apt-get installs:

  W: Download is performed unsandboxed as root as file
  '/var/cache/apt/archives/partial/<PACKAGE_NAME>' couldn't be accessed
  by user '_apt'. - pkgAcquire::Run (13: Permission denied)

  This seems to be spurious, as on checking
  /var/cache/apt/archives/partial has correct _apt:root ownership, mode
  700.

  I have set ownership on everything from /var/cache/apt down to
  _apt:root, but it makes no difference - the warning continues to be
  emitted on all installs, using both apt and apt-get.

  From widespread discussion I've found online, this seems to be a
  common issue with no obvious cause or solution other than to make root
  the sandbox user in /etc/apt/apt.conf.d, which seems to me to not be a
  solution at all! I agree that _apt should be used with reduced
  privileges for downloading, but it seems that something in the changes
  you made to implement this is broken.

  The only non-standard thing about the install I can think of is that
  /var is symlinked to /zen/var/ where /zen mounts another partition (we
  prefer to keep data directories such as /var, /srv and /tmp off the
  system volume). However, we have the same arrangement on other systems
  and don't have this issue everywhere.

  I'll attach my ubuntu-bug report here, as the machine which generated
  it is headless.

  Thanks
  C

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2079785/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
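
The directory-by-directory check suggested in the reply above, as an added example that is not part of the original thread or of APT's code. It resolves symlinks first (so a /var -> /zen/var layout is walked on the real path) and is a static mode-bit check only: it assumes no ACLs, capabilities or LSM rules are involved, and the function names are hypothetical.

```python
import os
import stat

def applicable_bits(st, uid, gid):
    """rwx triplet (0-7) that applies to a process with this uid/gid and
    no supplementary groups, which is APT's state after dropping groups."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid == gid:
        return (mode >> 3) & 7
    return mode & 7

def blocked_components(target, uid, gid):
    """Return (path, mode, owner_uid, owner_gid) for each directory on the
    symlink-resolved path to target that uid/gid cannot use: ancestors need
    search (x); the target itself needs write+search for mkstemp()."""
    resolved = os.path.realpath(target)  # follows e.g. /var -> /zen/var
    current, chain = os.sep, [os.sep]
    for part in (p for p in resolved.split(os.sep) if p):
        current = os.path.join(current, part)
        chain.append(current)
    problems = []
    for directory in chain:
        st = os.stat(directory)
        need = 0o3 if directory == resolved else 0o1
        if (applicable_bits(st, uid, gid) & need) != need:
            problems.append((directory, oct(stat.S_IMODE(st.st_mode)),
                             st.st_uid, st.st_gid))
    return problems

if __name__ == "__main__":
    import pwd
    apt = pwd.getpwnam("_apt")  # sandbox user named in the warning
    partial = "/var/cache/apt/archives/partial"
    for path, mode, owner, group in blocked_components(
            partial, apt.pw_uid, apt.pw_gid):
        print(f"{path}: mode {mode} owner {owner}:{group} blocks _apt")
```

Run it as root so every component can be stat()ed; an empty result means the mode bits alone do not explain the warning.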
