Subscribing ubuntu-security as I'd like to hear some insight from the
security team on how switching groups would work when sandboxing, and
whether that makes sense.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1668944

Title:
  The _apt user ignores group membership.

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Actually I had the same problem described in
  http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
  I want to use client certificates with apt. But I don't want to make
  them world readable in order to make apt work. So I created a group
  'ssl-cert' and changed the group ownership of the ssl cert files to
  match this group. I also added the _apt user to the ssl-cert group.

  Then I tried to open these files as user '_apt' in bash (su -s
  /bin/bash _apt) which works well.

  But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still
  get the following error:
  * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading file.)
  * Closing connection 26

  So my guess is that apt somehow ignores the ssl-cert membership.

  Possible workarounds:
  - make ssl client cert world readable
  - change owner ssl client cert to _apt
  - change main group of _apt user from 'nogroup' to 'ssl-cert'
  - set APT::Sandbox::User "root"; in apt.conf.d

  None of them is pretty.
  Maybe this is wanted behavior; then just suggest how to fix the issue
  in a nice way.
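
An added illustration, not part of the bug report or of apt's code: a model of the POSIX read-permission check showing how the same user can read the certificate under `su` yet be denied in a process that holds only its primary group. The uid/gid numbers, the 0640 mode, and the premise that the sandboxed process carries no supplementary groups are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    uid: int
    gid: int
    mode: int          # permission bits, e.g. 0o640

@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int                          # primary (effective) group
    groups: frozenset = frozenset()   # supplementary groups held by the process

def can_read(f: FileMeta, c: Creds) -> bool:
    """POSIX read check: only the first matching class (owner, group, other) counts."""
    if c.uid == 0:
        return True
    if c.uid == f.uid:
        return bool(f.mode & 0o400)
    if f.gid == c.gid or f.gid in c.groups:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

# Constructed ids for illustration; real values come from /etc/passwd and /etc/group.
ROOT, APT, NOGROUP, SSL_CERT = 0, 105, 65534, 1001
CA_PEM = FileMeta(ROOT, SSL_CERT, 0o640)             # assumed root:ssl-cert, mode 0640
LOGIN = Creds(APT, NOGROUP, frozenset({SSL_CERT}))   # su: groups loaded from /etc/group
SANDBOX = Creds(APT, NOGROUP)                        # assumption: primary group only

def evaluate() -> dict:
    """Report setup plus the four workarounds listed in the report, as seen by the sandbox."""
    return {
        "su -s /bin/bash _apt": can_read(CA_PEM, LOGIN),
        "sandboxed fetch": can_read(CA_PEM, SANDBOX),
        "world readable": can_read(FileMeta(ROOT, SSL_CERT, 0o644), SANDBOX),
        "owner changed to _apt": can_read(FileMeta(APT, SSL_CERT, 0o640), SANDBOX),
        "primary group ssl-cert": can_read(CA_PEM, Creds(APT, SSL_CERT)),
        "Sandbox::User root": can_read(CA_PEM, Creds(ROOT, ROOT)),
    }

if __name__ == "__main__":
    for case, ok in evaluate().items():
        print(f"{case:26} {'readable' if ok else 'denied'}")
```

Under these assumptions only the sandboxed fetch is denied, which matches the "Error while reading file" in the report, and each listed workaround succeeds by widening a different permission class.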
