problems with _apt user privileges in upgrading from Jessie to Stretch [solved?]

[Jim McCloskey]

Posting here in case this might  help others who may be encountering the same problem. 

I  really appreciate the enhanced security provided for apt  in the new release. But  one of the changes caused me a small headache in upgrading.
Following the upgrade,  running `apt get update'    resulted in this warning:

Reading package lists... Done
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stretch_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

which meant,  I suppose, that I wasn't  getting all the benefits of the new regime.  After a bit of reading and a lot of trial and error I was able, I think, to resolve the issue by manually changing the owner attribute of  the directory /var/lib/apt/lists/:

     chown -R _apt.root   lists

(executed in /var/lib/apt/ )

It doesn't seem to be enough to have /var/lib/apt/lists  set to rwxr_xr_x  if it's owned by root.

If anyone has a different or better solution, I'd be curious to hear about it,

Jim

[Sven Joachim]

On my system, only /var/lib/apt/lists/partial is owned by the _apt user,
and it's not word-readable:

,----
| $ LANG=C ls -ld /var/lib/apt/lists/partial
| drwx------ 2 _apt root 16384 Jun 18 18:20 /var/lib/apt/lists/partial
`----

All the regular files in /var/lib/apt/lists are owned by root:root and
have standard 0644 permissions.

Cheers,
Sven

[Jim McCloskey]

Sven Joachim (sven...@gmx.de) wrote:

|> On my system, only /var/lib/apt/lists/partial is owned by

|> the _apt user, and it's not world-readable:

|> All the regular files in /var/lib/apt/lists are owned by
|> root:root and have standard 0644 permissions

Thank you. How strange. I just reverted my own earlier change so that
the ownerships and permissions are as you describe in your
reply. /var/lib/apt/lists/ and the files within it are owned by
root:root and:

# ls -ld /var/lib/apt/lists/partial
drwx------ 2 _apt root 20480
Jun15:52 /var/lib/apt/lists/partial

and the warning/issue immediately returned:

Reading package lists... Done
W: Download is performed unsandboxed as root as file
'/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stretch_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Is there detailed documentation somewhere? The man-page and the
material in /usr/share/doc/{apt/apt-doc} are sort of minimal --
about this aspect of things anyway.

Jim

[Sven Joachim]

On 2017-06-19 11:03 -0700, Jim McCloskey wrote:

> Sven Joachim (sven...@gmx.de) wrote:
>
> |> On my system, only /var/lib/apt/lists/partial is owned by
> |> the _apt user, and it's not world-readable:
>
> |> All the regular files in /var/lib/apt/lists are owned by
> |> root:root and have standard 0644 permissions
>
> Thank you. How strange. I just reverted my own earlier change so that
> the ownerships and permissions are as you describe in your
> reply. /var/lib/apt/lists/ and the files within it are owned by
> root:root and:
>
> # ls -ld /var/lib/apt/lists/partial
> drwx------ 2 _apt root 20480
> Jun15:52 /var/lib/apt/lists/partial
>
> and the warning/issue immediately returned:
>
> Reading package lists... Done
> W: Download is performed unsandboxed as root as file
> '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_stretch_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Are /var/lib/apt/lists/ and its parent directories world-readable and
world-executable?

Cheers,
Sven