Fw: debmirror: apt update performed "unsandboxed"? ~=> file path not readable

Zenaan Harkness zen at freedbms.net
Mon Jul 6 03:51:29 PDT 2020

In case this is of interest.

----- Forwarded message from Zenaan Harkness <zenaan at freedbms.net> -----

From: Zenaan Harkness <zenaan at freedbms.net>
To: debian-user at lists.debian.org
Date: Mon, 6 Jul 2020 20:49:52 +1000
Subject: debmirror: apt update performed "unsandboxed"? ~=> file path not

This was a question, but after some digging, answered itself (see near bottom), via a short recursive path analysis script showing that one path component of the path hierarchy failed to have world-readable perms (a dir in the middle), so in case it's useful for some:

Local debmirror mirror, InRelease is out of date so setting Acquire::Check-Valid-Until=false but getting "unsandboxed" notice/warning:

# apt update -o Acquire::Check-Valid-Until=false
------->> 20200706 at 20:16:10 <<-------
Get:1 file:/public/debian/sid sid InRelease [146 kB]
Ign:2 file:/public/debian/sid sid/main amd64 Packages  
Err:3 file:/public/debian/sid sid/main Translation-en  
  File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
Get:4 file:/public/debian/sid sid/contrib amd64 Packages [70.1 kB]
Reading package lists... Done        
N: Download is performed unsandboxed as root as file '/public/debian/sid/dists/sid/InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: Failed to fetch file:/public/debian/sid/dists/sid/main/i18n/Translation-en  File not found - /public/debian/sid/dists/sid/main/i18n/Translation-en (2: No such file or directory)
E: Some index files failed to download. They have been ignored, or old ones used instead.

Now when checking that file which is purportedly causing the "unsandboxed" 'download', we get this:

# ll /public/debian/sid/dists/sid/InRelease
------->> 20200706 at 20:19:22 <<-------
93K -rw-r--r-- 1 zenan zenan 143K 20200627 16:32.03 /public/debian/sid/dists/sid/InRelease

Clearly that file is readable by all users.. hmm.

So let's analyze the full path:

$ zfile /public/debian/sid/dists/sid/InRelease
------->> 20200706 at 20:25:42 <<-------
---- Analyzing "/public/debian/sid/dists/sid/InRelease"
type: /home/zenan/bin/zfile: line 9: type: /public/debian/sid/dists/sid/InRelease: not found
f: /public/debian/sid/dists/sid/InRelease
Drwxr-xr-x root  root  /
drwxr-xr-x root  root  public
lrwxrwxrwx root  root  debian -> /Library/Lpools/zen/p1-setups_misc/repos/debian
Drwxr-xr-x root  root    /
drwxr-xr-x root  zenan   Library
drwxr-xr-x root  root    Lpools
drwxr-x--- zenan zenan   zen
Drwxr-xr-x zenan zenan   p1-setups_misc
Drwxr-xr-x zenan zenan   repos
drwxrwxr-x zenan zenan   debian
lrwxrwxrwx root  root  sid -> d00
lrwxrwxrwx zenan zenan   d00 -> d00-sid+tst+src-64
drwxr-xr-x zenan zenan     d00-sid+tst+src-64
drwxrwxr-x zenan zenan dists
drwxrwxr-x zenan zenan sid
-rw-r--r-- zenan zenan InRelease
-rw-r--r-- 1 zenan zenan 146310 Jun 27 16:32 /Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease
/Library/Lpools/zen/p1-setups_misc/repos/debian/d00-sid+tst+src-64/dists/sid/InRelease: ASCII text
text/plain; charset=us-ascii
{namei|readlink|/usr/bin/file} -f {file}...

And we notice that /public/debian is a symlink and further down, this suspicious dir:

drwxr-x--- zenan zenan   zen

Culprit identified!  A quick chmod a+rx /Library/Lpools/zen and the show is back on the road.

And the swanky recursive path analyzer (bash script):

----- End forwarded message -----
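
The script referred to in the message is not included in this archive copy. The following is an added example, not the author's zfile script: it walks a path component by component, following symlinks as the kernel does, and reports the first directory that "other" users such as _apt cannot traverse. The function names are hypothetical; it assumes GNU stat and checks mode bits only (no ACLs, no owner or group membership).

```sh
#!/bin/sh
# Added example (not the script from the original post). Assumes GNU stat.
# first_blocked PATH: walk PATH the way the kernel resolves it, following
# symlinks, and print the first component that "other" users (such as _apt)
# cannot get past. Exit 0 if the chain is open, 1 if blocked, 2 on error.

other_digit() {            # last octal digit of the mode = "other" bits
    mode=$(stat -c '%a' -- "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

first_blocked() (
    rest=$1 cur='' hops=0
    case $rest in /*) ;; *) rest=$PWD/$rest ;; esac
    while :; do
        while [ "${rest#/}" != "$rest" ]; do rest=${rest#/}; done
        [ -n "$rest" ] || break
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest='' ;; esac
        case $comp in
            .)  continue ;;
            ..) cur=${cur%/*}; continue ;;
        esac
        # Looking up $comp needs search (x) permission on directory $cur.
        d=$(other_digit "${cur:-/}") || exit 2
        [ $((d & 1)) -ne 0 ] || { echo "no o+x on directory: ${cur:-/}"; exit 1; }
        next=$cur/$comp
        if [ -L "$next" ]; then
            hops=$((hops + 1))
            [ "$hops" -le 40 ] || { echo "too many symlinks at: $next"; exit 2; }
            target=$(readlink -- "$next")
            case $target in /*) cur='' ;; esac   # absolute target restarts at /
            rest=$target${rest:+/$rest}
            continue
        fi
        [ -e "$next" ] || { echo "missing: $next"; exit 2; }
        cur=$next
    done
    # The final object itself must be readable by others.
    d=$(other_digit "${cur:-/}") || exit 2
    [ $((d & 4)) -ne 0 ] || { echo "no o+r on: ${cur:-/}"; exit 1; }
    echo "ok: ${cur:-/}"
)

# Run as a script: sh pathcheck.sh /public/debian/sid/dists/sid/InRelease
[ $# -eq 0 ] || first_blocked "$1"
```
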
