Debian 9 (Stretch) _apt user + _STRICT_BIN_PERMISSIONS errors #1352

Closed
pricejn2 opened this issue Feb 26, 2019 · 8 comments

@pricejn2
Contributor

pricejn2 commented Feb 26, 2019

I ran square into this issue -- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1577926 -- on a new BOA 4.0 HEAD install under Debian 9. Initial BOA install completed just fine but subsequent system upgrades (and even just apt-get update) had keyring problems.

Initial state: https://gist.github.com/pricejn2/47ad14118b03dfaadf7a35146410dde3#file-boa_issue_1352

After testing a number of additions to _BACKEND_ITEMS, apt-get update is working again. This is the final list:

apt-key gpgv apt-config touch find sort mktemp chmod rm sed readlink cat cp

The launchpad bug references another workaround, echo 'APT::Sandbox::User "root";' >/etc/apt/apt.conf.d/00temp, though I did not test this.

@omega8cc
Owner

The other way to fix this could be just:

usermod -aG users _apt

But it needs testing.

@pricejn2
Contributor Author

Good idea. That fixed the permissions errors when executing apt-key as the _apt user, but apt-get update as root fails with the same errors as originally linked.

@omega8cc
Owner

It fails when you run it manually but BOA adds extra flags as a workaround, so upgrades via barracuda work just fine. It's not really a BOA-specific issue, but it would be good to find and fix the actual culprit.

@omega8cc
Owner

Reopening.

@petrowsky

I'm just reporting in on this one.

I'm hitting the exact same issue with a box which was originally set up with stretch where two other boxes which were updated from jessie (and earlier) do not have this same issue.

I hit the issue because apticron stopped sending out reports. Don't know if it's related yet, but when I jumped into the box and ran apticron manually I got this.

>:/etc/apt# apticron
W: GPG error: http://repo.percona.com/apt stretch InRelease: Unknown error executing apt-key
W: The repository 'http://repo.percona.com/apt stretch InRelease' is not signed.
W: GPG error: http://security.debian.org stretch/updates InRelease: Unknown error executing apt-key
W: The repository 'http://security.debian.org stretch/updates InRelease' is not signed.
W: GPG error: http://ftp.us.debian.org/debian stretch-updates InRelease: Unknown error executing apt-key
W: The repository 'http://ftp.us.debian.org/debian stretch-updates InRelease' is not signed.
W: GPG error: http://ftp.us.debian.org/debian stretch-proposed-updates InRelease: Unknown error executing apt-key
W: The repository 'http://ftp.us.debian.org/debian stretch-proposed-updates InRelease' is not signed.
W: GPG error: http://ftp.us.debian.org/debian stretch Release: Unknown error executing apt-key
W: The repository 'http://ftp.us.debian.org/debian stretch Release' is not signed.
W: GPG error: http://ftp.osuosl.org/pub/mariadb/repo/10.1/debian stretch InRelease: Unknown error executing apt-key
W: The repository 'http://ftp.osuosl.org/pub/mariadb/repo/10.1/debian stretch InRelease' is not signed.
E: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/main/i18n/Translation-en  404  Not Found [IP: 208.80.154.15 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

@petrowsky

After reading through the full thread, and despite _apt already being part of the users group and permissions being valid on /tmp, I found that the box which was working had this.

>:~# cat /etc/apt/apt.conf.d/00sandboxtmp
APT::Sandbox::User "root";

After adding the config file to the newer stretch box, and running the following

rm -rf /var/lib/apt/lists/*;apt clean

I got a successful update.

@omega8cc
Owner

Yes, that is why barracuda uses this file to disable this problematic Apple-like sandboxing during upgrades, which obviously will also affect apticron, because the file is normally deleted after the barracuda upgrade. We couldn't figure out all introduced dependencies affecting upgrades so finally decided to turn it off during upgrades. It's a major PITA, honestly.

@omega8cc
Owner

We have made it permanent to avoid confusion: 4698689
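
Added diagnostic, not part of the thread and not BOA code: the first comment cleared the errors by adding apt-key's helper binaries to _BACKEND_ITEMS, so this script reports which of those helpers a given user (for example _apt) cannot execute under the classic owner/group/other mode bits. The function names are hypothetical, GNU stat is assumed, and ACLs and parent-directory permissions are ignored.

```shell
#!/bin/sh
# Added example (not BOA code): list apt-key helpers a sandbox user cannot run.
# Helper list as reported in the first comment of the thread.
HELPERS="apt-key gpgv apt-config touch find sort mktemp chmod rm sed readlink cat cp"

# can_exec MODE OWNER GROUP USER "USER_GROUPS"
# Owner bit if USER owns the file, else group bit if USER is in the file's
# group, else the "other" bit. Root needs at least one execute bit set.
can_exec() {
    mode=$((0$1 & 0777)); owner=$2; group=$3; user=$4; ugroups=$5
    if [ "$user" = "root" ]; then
        [ $((mode & 0111)) -ne 0 ]; return
    fi
    if [ "$user" = "$owner" ]; then
        [ $((mode & 0100)) -ne 0 ]; return
    fi
    for g in $ugroups; do
        if [ "$g" = "$group" ]; then
            [ $((mode & 0010)) -ne 0 ]; return
        fi
    done
    [ $((mode & 0001)) -ne 0 ]
}

# audit_helpers USER: print every helper USER cannot execute.
# Returns 0 if all helpers are executable, 1 if any is blocked or missing,
# 2 if USER does not exist.
audit_helpers() {
    who=$1; bad=0
    who_groups=$(id -Gn "$who") || return 2
    for h in $HELPERS; do
        path=$(command -v "$h") || { echo "missing: $h"; bad=1; continue; }
        # GNU stat: octal mode, owner name, group name (symlinks followed)
        set -- $(stat -L -c '%a %U %G' "$path")
        if ! can_exec "$1" "$2" "$3" "$who" "$who_groups"; then
            echo "blocked: $path (mode $1, $2:$3)"; bad=1
        fi
    done
    return $bad
}

# Usage: sh audit.sh _apt
if [ "$#" -gt 0 ]; then audit_helpers "$1"; fi
```

With a constructed mode of 750 root:users, can_exec fails for a user whose only group is nogroup and succeeds once users is among its groups, which is the effect usermod -aG users _apt had in the thread.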
