group.of.nepali.translators team mailing list archive

[Bug 2070095] Re: apt_news.py download forced unsandboxed

 

This bug was fixed in the package ubuntu-advantage-tools -
35.1ubuntu0~20.04

---------------
ubuntu-advantage-tools (35.1ubuntu0~20.04) focal; urgency=medium

  * Backport 35.1ubuntu0 to focal (LP: #2106660)

ubuntu-advantage-tools (35.1ubuntu0) plucky; urgency=medium

  * apt: support ESM snapshots by adding snapshot URLs for ESM repositories
    to the authentication file (released in version 35)
  * lxd: store the configuration in /var/lib/ubuntu-advantage instead of
    /var/lib/ubuntu-pro (LP: #2106660)

ubuntu-advantage-tools (35) plucky; urgency=medium

  * d/tests/usage: add more scenarios to dep8 tests
  * d/control: drop strict dependency on python3-pkg-resources (LP: #2083665)
  * d/rules: add conditional python3-pkg-resources dependency up to noble
  * d/ubuntu-pro-client.postrm: remove /var/lib/ubuntu-pro cache dir on purge
  * New upstream release 35: (LP: #2083973)
    - api:
      + new endpoints:
        * u.pro.attach.guest.get_guest_token.v1: Get the Pro client guest
          token
        * u.pro.security.cves.v1: List the fixable CVEs that affect the system
      + u.pro.packages.updates.v1: create new package status:
        upgrade_available_not_preferred (GH: #3184)
      + fixes for u.unattended_upgrades.status.v1:
        * do not crash when a Unattended-Upgrade config is missing
        * do not report unattended-upgrade disabled if any config is false
        * report missing Unattended-Upgrade configs as turned off
    - apt:
      + always ensure the ESM cache is present (GH: #3132)
      + fix permission warning when fetching apt-news (GH: #3209, LP: #2070095)
      + update logging for apt errors (GH: #3299)
      + only run the apt upgrade hook when run as root (LP: #2084677)
    - auto-attach:
      + aws: skip operation if no product codes found
      + gcp: add minimal image license codes
    - cli:
      + add support for vulnerability commands:
        * pro cves: List cves in the machine
        * pro cve: Show information about a specific cve
      + deduplicate entries in 'pro help' output (LP: #2091327)
    - config: add option lxd_guest_attach to control LXD integration with Pro
    - contract:
      + check onlySeries on reboot (GH: #3189)
      + collect cpu type for activity info
    - landscape:
      + update message if service not available through Pro (GH: #3331)
    - livepatch: do not enable livepatch on wsl (GH: #3156)
    - lxd: allow pro auto-attach to work on a LXD container

ubuntu-advantage-tools (34.1.3) plucky; urgency=medium

  * apt-hook: set C++ standards version to c++17 for APT 2.9.30 compatibility
    (LP: #2098862)
  * tests: remove argparse error tests from unit tests (LP: #2098862)

ubuntu-advantage-tools (34.1.2build1) plucky; urgency=high

  * No change rebuild against libapt-pkg7.0.

ubuntu-advantage-tools (34.1.2) oracular; urgency=medium

  * check-versions-are-consistent.py: fix regexp to cope with X.Y.Z version
    formats
  * version.py: bump to 34.1.2

ubuntu-advantage-tools (34.1.1) oracular; urgency=medium

  * Bump version.py.

ubuntu-advantage-tools (34.1) oracular; urgency=medium

  * Drop direct dependency on python3-pkg-resources to resolve priority
    mismatch (LP: #2083665)

 -- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx>  Thu, 10 Apr 2025 10:38:36 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2070095

Title:
  apt_news.py download forced unsandboxed

Status in Ubuntu Pro:
  Invalid
Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Released
Status in ubuntu-advantage-tools source package in Oracular:
  Fix Released

Bug description:
  [ Impact ]

  Users running `pro refresh` on a Noble (or later) machine will see a warning, saying that user `_apt` does not have access to the apt-news json.
  This does not affect functionality, but it is undesired for potential security reasons.
  This warning is fixed by putting the json in a separate folder, and then giving permissions for `_apt` to write there.

  [ Test Plan ]
  - Launch a Noble/Oracular/Plucky machine with u-a-t < 35
  - run `sudo pro refresh` and see the warning there
  - Upgrade to u-a-t v35
  - run `sudo pro refresh` and see it works without a warning

  then

  - Verify no change has happened for other releases

  [ Where problems could occur ]

  We could run into problems by giving the `_apt` user permissions it
  should not have. To mitigate, we have created a separate folder just
  for this operation, and explicitly gave permissions using apparmor. We
  consulted with the APT team and had a +1 for the changeset.

  [ Original Description ]

  I am not sure which package this relates to, but after a recent
  upgrade from Ubuntu 22.04 to 24.04 LTS I have started seeing messages
  in syslog like this:

  17:29:03 python3[777789]: /usr/lib/python3/dist-packages/uaclient/apt_news.py:207: Warning: W:Download is performed unsandboxed as root as file '/run/ubuntu-advantage/aptnews.json' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
  17:29:03 python3[777789]: acq.run()

  It seems to me that user _apt lacks write permission for anything in
  /run, hence the problem. I realise the script is getting round the
  problem by running unsandboxed instead but this message is ugly.

  What I have installed that might be related (I do not have ubuntu-advantage-tools):
  # dpkg-query --list|grep -E "^.i.*(news|-pro-|apt).*(amd64|all)"
  ii  apt                                    2.7.14build2                            amd64        commandline package manager
  ii  apt-utils                              2.7.14build2                            amd64        package management related utility programs
  ii  libapt-pkg6.0t64:amd64                 2.7.14build2                            amd64        package management runtime library
  ii  motd-news-config                       13ubuntu10                              all          Configuration for motd-news shipped in base-files
  ii  python-apt-common                      2.7.7ubuntu1                            all          Python interface to libapt-pkg (locales)
  ii  python3-apt                            2.7.7ubuntu1                            amd64        Python 3 interface to libapt-pkg
  ii  ubuntu-pro-client                      32.3~24.04                              amd64        Management tools for Ubuntu Pro
  ii  ubuntu-pro-client-l10n                 32.3~24.04                              amd64        Translations for Ubuntu Pro Client

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2070095/+subscriptions
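
Added example (not part of the bug report, and not code from ubuntu-advantage-tools or APT): a mode-bit check showing why a download destination directly under a root-owned directory is unusable for the unprivileged `_apt` user, while a separate directory that `_apt` may write to is usable. The uid/gid values, the modes, the `dedicated` directory name and the modelling of the fix as directory ownership are assumptions; ACLs and AppArmor are not modelled.

```python
import os
from collections import namedtuple

Inode = namedtuple("Inode", "st_uid st_gid st_mode")

# Constructed layout: the uid/gid values, the modes and the "dedicated"
# directory name are assumptions for illustration, not taken from the package.
APT_UID, APT_GID = 105, 65534
SAMPLE = {
    "/": Inode(0, 0, 0o755),
    "/run": Inode(0, 0, 0o755),
    "/run/ubuntu-advantage": Inode(0, 0, 0o755),                  # root-owned
    "/run/ubuntu-advantage/dedicated": Inode(APT_UID, 0, 0o755),  # owned by _apt
}


def _triplet(st, uid, gids):
    """Return the rwx bits (0-7) of the class that applies to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_write_as(dest, uid, gids, stat_fn=os.stat):
    """Return (ok, reason): could uid/gids create or overwrite dest?

    Approximation from classic mode bits only; ACLs, capabilities and
    AppArmor confinement are not modelled.
    """
    if uid == 0:
        return True, "root bypasses mode bits"
    parent = os.path.dirname(os.path.abspath(dest))
    chain = [parent]  # parent first, then each ancestor up to "/"
    while chain[-1] != os.path.dirname(chain[-1]):
        chain.append(os.path.dirname(chain[-1]))
    for directory in reversed(chain):  # every level needs the search (x) bit
        if not _triplet(stat_fn(directory), uid, gids) & 1:
            return False, f"no search permission on {directory}"
    try:
        target, what = stat_fn(dest), "existing file"
    except (OSError, LookupError):  # destination does not exist yet
        target, what = stat_fn(parent), "parent directory"
    ok = bool(_triplet(target, uid, gids) & 2)
    return ok, f"{what} {'writable' if ok else 'not writable'}"
```

With the default `stat_fn=os.stat` the same function can be pointed at real paths on a host, using the uid and gid reported by `id _apt`.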