group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #49294
[Bug 2070095] Re: apt_news.py download forced unsandboxed
This bug was fixed in the package ubuntu-advantage-tools -
35.1ubuntu0~20.04
---------------
ubuntu-advantage-tools (35.1ubuntu0~20.04) focal; urgency=medium
* Backport 35.1ubuntu0 to focal (LP: #2106660)
ubuntu-advantage-tools (35.1ubuntu0) plucky; urgency=medium
* apt: support ESM snapshots by adding snapshot URLs for ESM repositories
to the authentication file (released in version 35)
* lxd: store the configuration in /var/lib/ubuntu-advantage instead of
/var/lib/ubuntu-pro (LP: #2106660)
ubuntu-advantage-tools (35) plucky; urgency=medium
* d/tests/usage: add more scenarios to dep8 tests
* d/control: drop strict dependency on python3-pkg-resources (LP: #2083665)
* d/rules: add conditional python3-pkg-resources dependency up to noble
* d/ubuntu-pro-client.postrm: remove /var/lib/ubuntu-pro cache dir on purge
* New upstream release 35: (LP: #2083973)
- api:
+ new endpoints:
* u.pro.attach.guest.get_guest_token.v1: Get the Pro client guest
token
* u.pro.security.cves.v1: List the fixable CVEs that affect the system
+ u.pro.packages.updates.v1: create new package status:
upgrade_available_not_preferred (GH: #3184)
+ fixes for u.unattended_upgrades.status.v1:
* do not crash when a Unattended-Upgrade config is missing
* do not report unattended-upgrade disabled if any config is false
* report missing Unattended-Upgrade configs as turned off
- apt:
+ always ensure the ESM cache is present (GH: #3132)
+ fix permission warning when fetching apt-news (GH: #3209, LP: #2070095)
+ update logging for apt errors (GH: #3299)
+ only run the apt upgrade hook when run as root (LP: #2084677)
- auto-attach:
+ aws: skip operation if no product codes found
+ gcp: add minimal image license codes
- cli:
+ add support for vulnerability commands:
* pro cves: List cves in the machine
* pro cve: Show information about a specific cve
+ deduplicate entries in 'pro help' output (LP: #2091327)
- config: add option lxd_guest_attach to control LXD integration with Pro
- contract:
+ check onlySeries on reboot (GH: #3189)
+ collect cpu type for activity info
- landscape:
+ update message if service not available through Pro (GH: #3331)
- livepatch: do not enable livepatch on wsl (GH: #3156)
- lxd: allow pro auto-attach to work on a LXD container
ubuntu-advantage-tools (34.1.3) plucky; urgency=medium
* apt-hook: set C++ standards version to c++17 for APT 2.9.30 compatibility
(LP: #2098862)
* tests: remove argparse error tests from unit tests (LP: #2098862)
ubuntu-advantage-tools (34.1.2build1) plucky; urgency=high
* No change rebuild against libapt-pkg7.0.
ubuntu-advantage-tools (34.1.2) oracular; urgency=medium
* check-versions-are-consistent.py: fix regexp to cope with X.Y.Z version
formats
* version.py: bump to 34.1.2
ubuntu-advantage-tools (34.1.1) oracular; urgency=medium
* Bump version.py.
ubuntu-advantage-tools (34.1) oracular; urgency=medium
* Drop direct dependency on python3-pkg-resources to resolve priority
mismatch (LP: #2083665)
-- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx> Thu, 10 Apr 2025
10:38:36 -0300
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2070095
Title:
apt_news.py download forced unsandboxed
Status in Ubuntu Pro:
Invalid
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Noble:
Fix Released
Status in ubuntu-advantage-tools source package in Oracular:
Fix Released
Bug description:
[ Impact ]
Users running `pro refresh` on a Noble (or later) machine will see a warning, saying that user `_apt` does not have access to the apt-news json.
This does not affect functionality, but it is undesired for potential security reasons.
This warning is fixed by putting the json on a separate folder, and then giving permissions for `_apt` to write there.
[ Test Plan ]
- Launch a Noble/Oracular/Plucky machine with u-a-t < 35
- run `sudo pro refresh` and see the warning there
- Upgrade to u-a-t v35
- run `sudo pro refresh` and see it works without a warning
then
- Verify no change has happened for other releases
[ Where problems could occur ]
We could run into problems by giving the `_apt` user permissions it
should not have. To mitigate, we have created a separate folder just
for this operation, and explicitly gave permissions using apparmor. We
consulted with the APT team and had a +1 for the changeset.
[ Original Description ]
I am not sure which package this relates to, but after a recent
upgrade from Ubuntu 22.04 to 24.04 LTS I have started seeing messages
in syslog like this:
17:29:03 python3[777789]: /usr/lib/python3/dist-packages/uaclient/apt_news.py:207: Warning: W:Download is performed unsandboxed as root as file '/run/ubuntu-advantage/aptnews.json' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
17:29:03 python3[777789]: acq.run()
It seems to me that user _apt lacks write permission for anything in
/run, hence the problem. I realise the script is getting round the
problem by running unsandboxed instead but this message is ugly.
What I have installed that might be related (I do not have ubuntu-advantage-tools):
# dpkg-query --list|grep -E "^.i.*(news|-pro-|apt).*(amd64|all)"
ii apt 2.7.14build2 amd64 commandline package manager
ii apt-utils 2.7.14build2 amd64 package management related utility programs
ii libapt-pkg6.0t64:amd64 2.7.14build2 amd64 package management runtime library
ii motd-news-config 13ubuntu10 all Configuration for motd-news shipped in base-files
ii python-apt-common 2.7.7ubuntu1 all Python interface to libapt-pkg (locales)
ii python3-apt 2.7.7ubuntu1 amd64 Python 3 interface to libapt-pkg
ii ubuntu-pro-client 32.3~24.04 amd64 Management tools for Ubuntu Pro
ii ubuntu-pro-client-l10n 32.3~24.04 amd64 Translations for Ubuntu Pro Client
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2070095/+subscriptions