sources.list file created for ESM is world-readable, leaks subscriber token to all local users

Bug #1700611 reported by Steve Langasek
Affects                          Status        Importance  Assigned to  Milestone
ubuntu-advantage-script          Fix Released  Unknown
ubuntu-advantage-tools (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

The sources.list.d entry for esm is created with the default umask, which means that all local users on the system have access to the token. Being able to read globally-readable files on the filesystem does not necessarily mean you are an ESM subscriber who should have access to this token and be able to access the ESM archive.

We should probably create this file mode 0600. (Though it is too late to fix this for precise.)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Making the file 0600 makes apt-cache complain about it when run by non-root users. Is that an issue worth having?

<ack> $ apt policy asdf
<ack> E: Opening /etc/apt/sources.list.d/dropbox.list - ifstream::ifstream (13: Permission denied)
<ack> E: The list of sources could not be read.

(dropbox.list was just an example)

David Britton (dpb)
Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Incomplete
Revision history for this message
Steve Langasek (vorlon) wrote :

In my opinion, it's still better to have the file not world-readable by default. I looked to add-apt-repository for precedent, and the only information I found was bug #399709 - however, add-apt-repository also doesn't truly have support for adding private ppas (you can pass it a full url with embedded credentials, but then it doesn't DTRT for gpg key imports). So I don't think this is a relevant precedent at all.

Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → New
Revision history for this message
David Britton (dpb) wrote :

Hi Steve --

So far what I see as not working if the file is go-r when run as a regular user:

1) update-manager stacktraces
2) apt-cache policy (on xenial it bails early without printing anything)

Options:

a) we don't care about these things breaking, and file bugs against those projects?
b) we make the /etc/apt/sources.list.d/*.list file g+r and chown it root:adm?

Let me know what the desired behavior here is if you don't mind.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

There seems to be a difference in behavior in apt. Precise's apt-cache, for example, doesn't seem to care:

ubuntu@precise-esm:~$ l /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list
-rw------- 1 root root 200 Jun 7 18:35 /etc/apt/sources.list.d/staging-ubuntu-esm-precise.list

ubuntu@precise-esm:~$ apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu0.12.04
  Version table:
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ubuntu@precise-esm:~$ sudo apt-cache policy landscape-client
landscape-client:
  Installed: (none)
  Candidate: 14.12-0ubuntu5.12.04
  Version table:
     14.12-0ubuntu5.12.04 0
        500 https://extended.security.staging.ubuntu.com/ubuntu/ precise/main amd64 Packages
     14.12-0ubuntu0.12.04 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     12.04.3-0ubuntu1 0
        500 http://br.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

So I would be OK for this change on precise, and also trusty (just tested) where it has the same behavior as precise. But from xenial onwards it breaks apt-cache as a whole for non-root users:

ubuntu@xenial-test:~$ apt-cache search juju
E: Opening /etc/apt/sources.list.d/juju-ubuntu-stable-xenial.list - ifstream::ifstream (13: Permission denied)
E: The list of sources could not be read.
ubuntu@xenial-test:~$

David Britton (dpb)
Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Incomplete
Revision history for this message
Steve Langasek (vorlon) wrote :

Ah, if this blocks apt-cache from working generally, that's certainly a major disadvantage. I would argue that this is a bug in apt, but it doesn't make sense to proceed with this change unless/until the apt bug is fixed.

Changed in ubuntu-advantage-script:
status: Unknown → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Reopening, let's use auth.conf

Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 14

---------------
ubuntu-advantage-tools (14) bionic; urgency=medium

  * New upstream release:
    - repositories are only added after credentials are verified
      (LP: #1730361)
    - Livepatch MOTD script (LP: #1710976)
    - better "status" command output formatting (LP: #1719034)
    - sources.list.d files no longer contain credentials. The "auth.conf"
      facility is used instead. (LP: #1700611)
    - enabled Livepatch support for Bionic 18.04 LTS

 -- Andreas Hasenack <email address hidden> Tue, 06 Feb 2018 09:58:03 -0200

Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Fix Released
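The changelog above says the fix moved the credentials out of the sources.list.d entry and into apt's auth.conf, which is exactly the split the thread arrived at: the .list file must stay readable so apt-cache and update-manager keep working for non-root users (the xenial failure shown earlier), while the token lives in a root-only file. The script below is an added example of that migration, written for this page; it is not the ubuntu-advantage-tools code. The hostname, path, login and token it uses are constructed placeholders, and the netrc-style "machine host/path login user password token" entry is the format documented in apt_auth.conf(5).

```shell
#!/bin/sh
# Added example (not ubuntu-advantage-tools code): split credentials embedded
# in a sources.list.d entry out into an apt auth.conf entry. The .list file
# stays world-readable, so non-root apt-cache keeps working; the secret ends
# up only in a 0600 file that apt reads as root.

# Print a sources line with any "user:token@" removed from its URL.
strip_userinfo() {
    printf '%s\n' "$1" | sed -E 's#(https?://)[^/@[:space:]]+@#\1#'
}

# Print the netrc-style apt auth.conf entry for a sources line
# ("machine host/path login user password token"), or nothing when the
# line carries no embedded credentials. Handles "deb", "deb-src" and a
# leading "[options]" block.
auth_entry() {
    printf '%s\n' "$1" | sed -nE \
        's#^deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?https?://([^:@/[:space:]]+):([^@[:space:]]+)@([^[:space:]]+).*#machine \5 login \3 password \4#p'
}

# Rewrite every *.list under $1 in place (mode preserved) and collect the
# credentials into $2, which is created with mode 0600 from the start.
migrate_dir() {
    listdir=$1
    authconf=$2
    ( umask 077; : > "$authconf" )      # never exists world-readable
    for f in "$listdir"/*.list; do
        [ -e "$f" ] || continue
        tmp="$f.tmp"
        : > "$tmp"
        while IFS= read -r line || [ -n "$line" ]; do
            entry=$(auth_entry "$line")
            if [ -n "$entry" ]; then
                printf '%s\n' "$entry" >> "$authconf"
                strip_userinfo "$line" >> "$tmp"
            else
                printf '%s\n' "$line" >> "$tmp"
            fi
        done < "$f"
        cat "$tmp" > "$f"               # overwrite in place, keeps the mode
        rm -f "$tmp"
    done
    chmod 600 "$authconf"
}

# Demo on a constructed .list file in a temporary directory (no /etc writes).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'deb https://bearer:s3cr3t-token@extended.security.example.com/ubuntu precise main' \
        'deb http://archive.example.com/ubuntu precise-updates main' > "$d/esm.list"
    chmod 644 "$d/esm.list"
    migrate_dir "$d" "$d/auth.conf"
    echo "== esm.list =="; ls -l "$d/esm.list"; cat "$d/esm.list"
    echo "== auth.conf =="; ls -l "$d/auth.conf"; cat "$d/auth.conf"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh migrate.sh demo` to see the before/after on the constructed input. On a real system the target would be /etc/apt/auth.conf (or, on apt 1.5 and later, a file under /etc/apt/auth.conf.d/); apt fetches the index as root and so can read the 0600 file, while a non-root `apt-cache policy` only needs the now credential-free .list. The `machine` value includes the repository path, so the token is offered only to that archive and not to every URL on the same host.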