SO is full of these...

---------- CRYPTOANALYZER ----------

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 6 July 2020, 13:51, Zenaan Harkness <zen@freedbms.net> wrote:
In case this is of interest.
----- Forwarded message from Zenaan Harkness <zenaan@freedbms.net> -----

From: Zenaan Harkness <zenaan@freedbms.net>
To: debian-user@lists.debian.org
Date: Mon, 6 Jul 2020 20:49:52 +1000
Subject: debmirror: apt update performed "unsandboxed"? ~=> file path not readable
This was a question, but after some digging, answered itself (see near bottom), via a short recursive path analysis script showing that one path component of the path hierarchy failed to have world-readable perms (a dir in the middle), so in case it's useful for some:
Local debmirror mirror, InRelease is out of date so setting Acquire::Check-Valid-Until=false but getting "unsandboxed" notice/warning:
# apt update -o Acquire::Check-Valid-Until=false
------->> 20200706@20:16:10 <<-------
Get:1 file:/public/debian/sid sid InRelease [146 kB]
...
Ign:2 file:/public/debian/sid sid/main amd64 Packages
Err:3 file:/public/debian/sid sid/main Translation-en
  File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
Get:4 file:/public/debian/sid sid/contrib amd64 Packages [70.1 kB]
Reading package lists... Done
N: Download is performed unsandboxed as root as file '/public/debian/sid/dists/sid/InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: Failed to fetch file:/public/debian/sid/dists/sid/main/i18n/Translation-en  File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
E: Some index files failed to download. They have been ignored, or old ones used instead.
Now when checking that file which is purportedly causing the "unsandboxed" 'download', we get this:
# ll /public/debian/sid/dists/sid/InRelease
------->> 20200706@20:19:22 <<-------
93K -rw-r--r-- 1 zenan zenan 143K 20200627 16:32.03 /public/debian/sid/dists/sid/InRelease
Clearly that file is readable by all users.. hmm.
So let's analyze the full path:
$ zfile /public/debian/sid/dists/sid/InRelease
------->> 20200706@20:25:42 <<-------
---- Analyzing "/public/debian/sid/dists/sid/InRelease"
type: /home/zenan/bin/zfile: line 9: type: /public/debian/sid/dists/sid/InRelease: not found
f: /public/debian/sid/dists/sid/InRelease
Drwxr-xr-x root root /
drwxr-xr-x root root public
lrwxrwxrwx root root debian -> /Library/Lpools/zen/p1-setups_misc/repos/debian
Drwxr-xr-x root root   /
drwxr-xr-x root zenan   Library
drwxr-xr-x root root   Lpools
drwxr-x--- zenan zenan   zen
Drwxr-xr-x zenan zenan   p1-setups_misc
Drwxr-xr-x zenan zenan   repos
drwxrwxr-x zenan zenan   debian
lrwxrwxrwx root root sid -> d00
lrwxrwxrwx zenan zenan   d00 -> d00-sid+tst+src-64
drwxr-xr-x zenan zenan     d00-sid+tst+src-64
drwxrwxr-x zenan zenan dists
drwxrwxr-x zenan zenan sid
-rw-r--r-- zenan zenan InRelease
-rw-r--r-- 1 zenan zenan 146310 Jun 27 16:32 /Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease
/Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease: ASCII text text/plain; charset=us-ascii
{namei|readlink|/usr/bin/file} -f {file}...
And we notice that /public/debian is a symlink and further down, this suspicious dir:
drwxr-x--- zenan zenan zen
Culprit identified! A quick chmod a+rx /Library/Lpools/zen and the show is back on the road.
And the swanky recursive path analyzer (bash script): https://github.com/zenaan/quick-fixes-ftfw/blob/master/bin/zfile
----- End forwarded message -----
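
The check described in the forwarded message, as an added example that is not part of the original message and is not the zfile script: it walks the symlink-resolved path and lists every component that other users cannot pass. The function names `blocked_components` and `make_demo_tree` and the sample tree are constructed for illustration; it assumes GNU `readlink -f` and `stat -c` (as on Debian), that the reading user (such as `_apt`) is neither owner nor group member, and that no ACLs apply.

```sh
#!/bin/sh
# Added example, not the zfile script. Needs GNU readlink/stat (Debian default).

# Print "<mode><TAB><path>" for each component of the symlink-resolved path
# that other users cannot pass: directories need o+x (search) to be
# traversed, the final file needs o+r. Body runs in a subshell so the
# variables stay local.
blocked_components() (
    target=$(readlink -f -- "$1") || exit 2     # canonical path, symlinks resolved
    cur=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}                        # next path component
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$part"
        mode=$(stat -c %A -- "$cur") || exit 2  # e.g. drwxr-x---
        if [ -d "$cur" ]; then
            case $mode in
                ?????????[xt]*) ;;              # o+x set (t = sticky + x, as on /tmp)
                *) printf '%s\t%s\n' "$mode" "$cur" ;;
            esac
        else
            case $mode in
                ???????r*) ;;                   # o+r set
                *) printf '%s\t%s\n' "$mode" "$cur" ;;
            esac
        fi
    done
)

# Constructed tree mirroring the layout in the message: a public symlink
# into a pool whose middle directory is mode 750. Prints the tree root.
make_demo_tree() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/public" "$root/Lpools/zen/repos/debian/dists/sid"
    echo "constructed sample" > "$root/Lpools/zen/repos/debian/dists/sid/InRelease"
    chmod -R a+rX "$root"
    chmod 750 "$root/Lpools/zen"                # the culprit directory
    ln -s "$root/Lpools/zen/repos/debian" "$root/public/debian"
    printf '%s\n' "$root"
)

if [ -n "${1:-}" ]; then
    blocked_components "$1"
else
    root=$(make_demo_tree) && blocked_components "$root/public/debian/dists/sid/InRelease"
fi
```

Run it as root or as the tree's owner, since the walk itself has to traverse the restricted directory. An empty result means no component blocks world access on the resolved path.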