Ok, but:

Why is it a bad idea to have a shared client certificate between multiple 
client applications on the same host?
Why is apt-get just not "respecting" the groups of the _apt user?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1668944

Title:
  The _apt user ignores group membership.

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Actually I had the same problem described in 
http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
  I want to use client certificates with apt. But I don't want to make them 
world readable in order to make apt working. So I created a group 'ssl-cert' 
and changed the group ownership of the ssl cert files to match this group. I 
also added the _apt user to the ssl-cert group.

  Then I tried to open these files as user '_apt' in bash (su -s
  /bin/bash _apt) which works well.

  But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still get 
the following error:
  * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading 
file.)
  * Closing connection 26

  So my guess is that apt somehow ignores the ssl-cert membership.

  Possible workarounds:
  - make ssl client cert world readable
  - change owner ssl client cert to _apt
  - change main group of _apt user from 'nogroup' to 'ssl-cert'
  - set APT::Sandbox::User "root"; in apt.conf.d

  Neither of them is pretty. 
  Maybe this is a wanted behavior, then just suggest how to fix the issue in 
nice way.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1668944/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to