In case this is of interest.
----- Forwarded message from Zenaan Harkness -----
From: Zenaan Harkness
To: debian-user@lists.debian.org
Date: Mon, 6 Jul 2020 20:49:52 +1000
Subject: debmirror: apt update performed "unsandboxed"? ~=> file path not readable
This was a question, but after some digging, answered itself (see near bottom), via a short recursive path analysis script showing that one path component of the path hierarchy failed to have world-readable perms (a dir in the middle), so in case it's useful for some:
Local debmirror mirror, InRelease is out of date so setting Acquire::Check-Valid-Until=false but getting "unsandboxed" notice/warning:
# apt update -o Acquire::Check-Valid-Until=false
------->> 20200706@20:16:10 <<-------
Get:1 file:/public/debian/sid sid InRelease [146 kB]
...
Ign:2 file:/public/debian/sid sid/main amd64 Packages
Err:3 file:/public/debian/sid sid/main Translation-en
File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
Get:4 file:/public/debian/sid sid/contrib amd64 Packages [70.1 kB]
Reading package lists... Done
N: Download is performed unsandboxed as root as file '/public/debian/sid/dists/sid/InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: Failed to fetch file:/public/debian/sid/dists/sid/main/i18n/Translation-en File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
E: Some index files failed to download. They have been ignored, or old ones used instead.
Now when checking that file which is purportedly causing the "unsandboxed" 'download', we get this:
# ll /public/debian/sid/dists/sid/InRelease
------->> 20200706@20:19:22 <<-------
93K -rw-r--r-- 1 zenan zenan 143K 20200627 16:32.03 /public/debian/sid/dists/sid/InRelease
Clearly that file is readable by all users.. hmm.
So let's analyze the full path:
$ zfile /public/debian/sid/dists/sid/InRelease
------->> 20200706@20:25:42 <<-------
---- Analyzing "/public/debian/sid/dists/sid/InRelease"
type: /home/zenan/bin/zfile: line 9: type: /public/debian/sid/dists/sid/InRelease: not found
f: /public/debian/sid/dists/sid/InRelease
Drwxr-xr-x root root /
drwxr-xr-x root root public
lrwxrwxrwx root root debian -> /Library/Lpools/zen/p1-setups_misc/repos/debian
Drwxr-xr-x root root /
drwxr-xr-x root zenan Library
drwxr-xr-x root root Lpools
drwxr-x--- zenan zenan zen
Drwxr-xr-x zenan zenan p1-setups_misc
Drwxr-xr-x zenan zenan repos
drwxrwxr-x zenan zenan debian
lrwxrwxrwx root root sid -> d00
lrwxrwxrwx zenan zenan d00 -> d00-sid+tst+src-64
drwxr-xr-x zenan zenan d00-sid+tst+src-64
drwxrwxr-x zenan zenan dists
drwxrwxr-x zenan zenan sid
-rw-r--r-- zenan zenan InRelease
-rw-r--r-- 1 zenan zenan 146310 Jun 27 16:32 /Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease
/Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease: ASCII text
text/plain; charset=us-ascii
{namei|readlink|/usr/bin/file} -f {file}...
And we notice that /public/debian is a symlink and further down, this suspicious dir:
drwxr-x--- zenan zenan zen
Culprit identified! A quick chmod a+rx /Library/Lpools/zen and the show is back on the road.
And the swanky recursive path analyzer (bash script):
https://github.com/zenaan/quick-fixes-ftfw/blob/master/bin/zfile
----- End forwarded message -----
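
The check described in the forwarded message, as an added example (it is not part of that message and is not the zfile script linked in it): walk every component of a path, following symlinks, and list the ones an unprivileged user such as _apt cannot pass. The function name blocked_components is hypothetical; the sketch assumes GNU stat and readlink, looks only at the "other" permission bits (the user is neither the owner nor in the group), and ignores ACLs.

```sh
#!/bin/sh
# Added example; blocked_components is a hypothetical name, not the zfile script.
# Assumes GNU stat/readlink. Only the "other" permission bits are checked
# (the user is neither owner nor in the group); ACLs are not considered.
blocked_components() (
    path=$1; cur=""; seen=""
    case $path in /*) ;; *) path="$PWD/$path" ;; esac
    while [ -n "$path" ]; do
        path=${path#/}                 # drop one leading slash
        part=${path%%/*}               # next component to examine
        case $path in */*) path=/${path#*/} ;; *) path="" ;; esac
        case $part in
            ''|.) continue ;;
            ..)   cur=${cur%/*}; continue ;;
        esac
        if [ -L "$cur/$part" ]; then
            # Restart the walk at the link target, keeping the unresolved tail.
            real=$(readlink -f -- "$cur/$part") || return 2
            path="$real$path"; cur=""
            continue
        fi
        cur="$cur/$part"
        case $seen in *"|$cur|"*) continue ;; esac   # report each path once
        seen="$seen|$cur|"
        mode=$(stat -c %A -- "$cur") || return 2
        if [ -d "$cur" ]; then
            # Directories need the "other" search bit (x, or t when sticky).
            case $mode in
                ?????????[xt]*) ;;
                *) printf '%s %s\n' "$mode" "$cur" ;;
            esac
        elif [ -z "$path" ]; then
            # The final file needs the "other" read bit.
            case $mode in
                ???????r*) ;;
                *) printf '%s %s\n' "$mode" "$cur" ;;
            esac
        fi
    done
)

# Usage: sh this-script /public/debian/sid/dists/sid/InRelease
[ "$#" -eq 0 ] || blocked_components "$1"
```

Empty output means every directory on the resolved path has the world search bit and the file itself is world-readable; each printed line names a component to fix.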