On Sat 01 Apr 2023 at 11:58:49 (+0530), Susmita/Rajib wrote:
> My present Debian system installed from "Official Debian GNU/Linux
> Live 11.6.0 lxde 2022-12-17T11:46"
>
> While installing a package I receive this following message:
>
> W: Download is performed unsandboxed as root as file
> '/root/.synaptic/tmp//tmp_sh' couldn't be accessed by user '_apt'. -
> pkgAcquire::Run (13: Permission denied)
>
> What should I do to address this report or stop receiving this
> message? It doesn't appear to be a harmful report so far as my system
> is concerned. My user-id can't access root report, I guess. But any
> advice would be welcome.
It's trivial to provoke this message, though I can't be sure of
precisely why APT generates it. Here's an example of installing
the new yt-dlp program. This system runs bullseye, but I'm going
to install a downloaded copy of the bookworm¹ version (and so no
disturbance of the sources.list).
# ls -l yt-dlp_2023.0*
-rw-r--r-- 1 root root 1739188 Jan 6 21:12 yt-dlp_2023.01.06-1_all.deb
-rw-r--r-- 1 root root 1777260 Mar 26 03:43
yt-dlp_2023.03.04-1~bpo11+1_all.deb
# apt-get install ./yt-dlp_2023.01.06-1_all.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'yt-dlp' instead of './yt-dlp_2023.01.06-1_all.deb'
Suggested packages:
libfribidi-bin | bidiv phantomjs
The following NEW packages will be installed:
yt-dlp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1739 kB of archives.
After this operation, 9644 kB of additional disk space will be used.
Get:1 /root/yt-dlp_2023.01.06-1_all.deb yt-dlp all 2023.01.06-1 [1739 kB]
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package yt-dlp.
(Reading database ... 357613 files and directories currently installed.)
Preparing to unpack .../yt-dlp_2023.01.06-1_all.deb ...
Unpacking yt-dlp (2023.01.06-1) ...
Setting up yt-dlp (2023.01.06-1) ...
Processing triggers for man-db (2.9.4-2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...
Running kernel seems to be up-to-date.
The processor microcode seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
N: Download is performed unsandboxed as root as file
'/root/yt-dlp_2023.01.06-1_all.deb' couldn't be accessed by user '_apt'. -
pkgAcquire::Run (13: Permission denied)
# ls -l /var/cache/apt/archives/
total 4
-rw-r----- 1 root root 0 Jan 1 2022 lock
drwx------ 2 _apt root 4096 Apr 5 14:09 partial
#
There's your warning. Note that the archives/ directory is still
empty, and also who owns partial/.
Now I'll purge yt-dlp and install it again, but the bullseye-backports
version this time. For a level playing field, I'll install a downloaded
copy again. My sources.list does contain backports, but I don't know
whether that's relevant or not.
# apt-get purge yt-dlp
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer
required:
python3-brotli python3-pycryptodome python3-websockets
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
yt-dlp*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 9644 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 358704 files and directories currently installed.)
Removing yt-dlp (2023.01.06-1) ...
Processing triggers for man-db (2.9.4-2) ...
# apt-get install ./yt-dlp_2023.03.04-1~bpo11+1_all.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'yt-dlp' instead of './yt-dlp_2023.03.04-1~bpo11+1_all.deb'
Suggested packages:
libfribidi-bin | bidiv phantomjs
The following NEW packages will be installed:
yt-dlp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1777 kB of archives.
After this operation, 9864 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye-backports/main amd64 yt-dlp all
2023.03.04-1~bpo11+1 [1777 kB]
Fetched 1777 kB in 1s (3370 kB/s)
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package yt-dlp.
(Reading database ... 357613 files and directories currently installed.)
Preparing to unpack .../yt-dlp_2023.03.04-1~bpo11+1_all.deb ...
Unpacking yt-dlp (2023.03.04-1~bpo11+1) ...
Setting up yt-dlp (2023.03.04-1~bpo11+1) ...
Processing triggers for man-db (2.9.4-2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...
Running kernel seems to be up-to-date.
The processor microcode seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
# ls -l /var/cache/apt/archives/
total 1740
-rw-r----- 1 root root 0 Jan 1 2022 lock
drwx------ 2 _apt root 4096 Apr 5 14:11 partial
-rw-r--r-- 1 root root 1777260 Mar 26 03:43
yt-dlp_2023.03.04-1~bpo11+1_all.deb
#
This time there's no warning, and the package is cached.
User _apt (UID 100) does not own much:
# find / -mount -user 100 -printf '%u\t%g\t%p\n'
_apt root /var/lib/apt/lists/partial
_apt root /var/lib/apt/lists/auxfiles
_apt root /var/cache/apt/archives/partial
#
AIUI partial/ is designed to avoid ever having partially downloaded
files kicking around in their parent directory. I don't know any more
of the details than that.
I guess you have to sort out why a file would be being read from
/root/.synaptic/tmp//tmp_sh. I know next to nothing about synaptic.
¹ All the dependencies of yt-dlp are unversioned, so installing
a "foreign" version is unlikely to cause trouble.
Cheers,
David.
