Because of the ownership: $ ls -l /var/cache/apt/archives/ total 4 -rw-r----- 1 root root 0 Apr 16 2022 lock drwx------ 2 _apt root 4096 Oct 22 19:00 partial $
we can assume that _apt is the user that actually downloads packages (into partial/) before APT installs them. But your assumption that tmp_sh can be read by any user (including _apt) is wrong: you need execute permission on all directories traversed along the path, even when you “know what you're looking for”. (And if you don't know, then you need read permission as well.) Cheers, David.
