Control: clone -1 -2
Control: reassign -2 aptitude 0.7.1~exp1-1~apt1.1~exp9
Control: retitle -2 aptitude: use pkgAcqChangelog to download changelogs
Control: severity -2 wishlist
Control: reassign -1 apt 1.1~exp9
Control: retitle -1 apt: ignore for _apt inaccessible TMPDIR in pkgAcqChangelog
Control: severity -1 minor
Control: tags -1 + pending

Hi,

(I am gonna talk about apt first, aptitude further below)

On Sat, Aug 29, 2015 at 07:48:05PM +0200, Tollef Fog Heen wrote:
> ]] Axel Beckert
>
> > Because APT 1.1~exp* uses an unprivileged user named _apt for
> > downloads if running under root privileges.
>
> You can't generally use $TMPDIR for inter-user IPC, so in that case,
> create an IPC directory in a well-known location and use that instead.
>
> I don't think this is a bug in libpam-tmpdir at all.

I guess it was me who Axel heard as I am in a love-hate relationship with libpam-tmpdir and umask 027. I like using them, but run into all sorts of "interesting" problems so I regularly revert to the defaults and I did so again before DebCamp and talked with Julian about it – and about this changelog problem with root – you have pretty much the same problem with 'apt-get changelog', just that 'our' users are better trained and usually don't run it as root (users in this sentence are me and our testcases, so I regularly forget about it: As an example: root changelog was broken entirely until ~exp11 as the directory had the wrong access permissions…).

Long story short: not a bug in libpam-tmpdir.

Anyway, GetTempDir() currently deals with the fact of TMPDIR not accessible by the current user and if so falls back to /tmp, which works just fine for e.g. our gpgv method [we don't clear TMPDIR unconditionally on user change as that kinda defeats the point of setting it]. The only problem with the changelog download is that while the temp directory we download to is set up, we are still root… (see the example above).

I have pushed some changes to git fixing this issue explicitly by ignoring TMPDIR if the effective user can't access the directory (and ensuring we actually have the euid of _apt at the point we check) for apt, but that isn't fixing aptitude.

Further, I moved a previously private method we used for disabling of privilege drop for some apt-get commands into the pkgAcquire::Run method itself, so that the acquire system is now disabling the user flip if it figures out that a directory it is supposed to download to hasn't the needed rights. This is a bit hacky as it affects all files in the fetcher and it doesn't know if we will end up dropping privileges at all, but good enough for now – a warning is generated to highlight that frontends should eventually deal with this properly rather than causing the acquire system to disable security features… (and with frontends, I mean apt too in this case).

Commits:
https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=dd6da7d2392e2ad35c444ebc2d7bc2308380530c
https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=7c8206bf26b8ef6020b543bbc027305dee8f2308

So, workaround until this hits the archive: Set the option Debug::DropNoPrivs to true (preferably on the command line) and you are back to pre-1.1 libapt behavior with everything run as root – or in case of apt just don't download changelogs as root for a while.

And now finally (that mail really turns out to be long…) some advice for aptitude:

The tempdir in the error message is created by you guys, so you have more or less the same problem as I described further above with apt and TMPDIR – just that the second change I described above will make it at least work as before.

apt 1.1 got the specialized acquire item pkgAcqChangelog, which (surprisingly) deals with generating the changelog URI as well as downloading the changelog optionally staged in a temporary directory. Obviously, aptitude isn't using this yet, but I would recommend it mostly because I implemented it based on a wish (#739854) to centralize this logic – and that would magically solve all your (changelog) problems for ever by making them my problems. ;)

As this might turn out to be some work, I would at least suggest to change src/generic/apt/pkg_changelog.cc to using a pkgAcqChangelog::URI method to generate a URI instead of hardcoding it for libapt >= 5.0.

Note btw that, while looking into /usr/share/doc is a nice idea which I want to implement eventually, some distros (e.g. Ubuntu if I remember right) truncate the changelog file they ship in the package, so for these distros there should at least be an option to get the complete file from the online source instead of from disk.

Best regards

David Kalnischkies
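
The TMPDIR check described in the message above (ignore TMPDIR when the effective user cannot use the directory, fall back to /tmp), as an added C++ example that is not apt's code and not part of the original mail. The function names pick_temp_dir() and pick_with_tmpdir() are hypothetical, and the use of faccessat() with AT_EACCESS is this example's choice for testing against the effective UID.

```cpp
// Added illustration; hypothetical names, not libapt's GetTempDir().
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>      // AT_FDCWD, AT_EACCESS
#include <sys/stat.h>
#include <unistd.h>

// Return $TMPDIR only if it is a directory that the *effective* user can
// read, write and traverse; otherwise fall back to /tmp.
std::string pick_temp_dir()
{
    const char *env = getenv("TMPDIR");
    if (env == nullptr || env[0] == '\0')          // unset or empty
        return "/tmp";

    struct stat st;
    if (stat(env, &st) != 0 || !S_ISDIR(st.st_mode))
        return "/tmp";                             // missing, or not a directory

    // access(2) tests the real UID. AT_EACCESS makes faccessat(2) test the
    // effective UID instead, so the answer is correct only if this runs
    // after the process has switched to the unprivileged download user.
    if (faccessat(AT_FDCWD, env, R_OK | W_OK | X_OK, AT_EACCESS) != 0)
        return "/tmp";                             // e.g. a per-user 0700 dir of root

    return env;
}

// Helper for experiments: set (or unset, when value is null) TMPDIR and
// report which directory would be chosen.
std::string pick_with_tmpdir(const char *value)
{
    if (value != nullptr)
        setenv("TMPDIR", value, 1);
    else
        unsetenv("TMPDIR");
    return pick_temp_dir();
}

int main()
{
    // Run as different users with TMPDIR pointing at a private directory
    // (as libpam-tmpdir sets it up) to see the fallback take effect.
    std::printf("euid=%d -> %s\n", (int)geteuid(), pick_temp_dir().c_str());
    return 0;
}
```

The accessibility check is only meaningful at the moment it is made: run before the privilege drop, it reports root's view of the directory, which is the situation the message describes for the changelog download.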