cnf-update-db creates unreadable database if wrong umask

Status changed to 'Confirmed' because the bug affects multiple users.

[Test Plan]
To reproduce the issue, use the annotated steps below. Confirmed working as a reproducer for Focal and Impish. Bionic appears to use a -data package instead of building the db on "apt update"

Notes:
1) The "ubuntu" user below is unprivileged, the result of the "adduser ubuntu" command being run and accepting defaults.
2) The "lck" and "ack" commands were randomly selected as commands that were unavailable on the default Ubuntu images used by LXD.

# Confirm UMASK
grep "^UMASK" /etc/login.defs
# Set /etc/login.defs to umask 027
sed -i -e 's/^UMASK\t\t022/UMASK\t\t027/' /etc/login.defs
# Confirm
grep "^UMASK" /etc/login.defs
# Log out and back in
exit

# Log back in
# Force rebuild of DB
rm -rf /var/lib/command-not-found/*
apt update
ls -lah /var/lib/command-not-found/
# Verify failure
su - ubuntu
lck
ack
exit
## END repro

The failures expected to be seen when running the "lck" and "ack" commands are similar to:
ubuntu@lp1953610-focal:~$ ack
Sorry, command-not-found has crashed! Please file a bug report at:
https://bugs.launchpad.net/command-not-found/+filebug
Please include the following information with the report:

command-not-found version: 0.3
Python version: 3.8.10 final 0
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
Exception information:

unable to open database file
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/CommandNotFound/util.py", line 23, in crash_guard
    callback()
  File "/usr/lib/command-not-found", line 90, in main
    cnf = CommandNotFound.CommandNotFound(options.data_dir)
  File "/usr/lib/python3/dist-packages/CommandNotFound/CommandNotFound.py", line 79, in __init__
    self.db = SqliteDatabase(dbpath)
  File "/usr/lib/python3/dist-packages/CommandNotFound/db/db.py", line 12, in __init__
    self.con = sqlite3.connect(filename)
sqlite3.OperationalError: unable to open database file

A successful run should look like:
ubuntu@lp1953610-focal:~$ lck

Command 'lck' not found, did you mean:

  command 'ack' from deb ack (3.3.1-1)
  command 'ick' from deb intercal (30:0.30-3)
  command 'lcp' from deb lsh-client (2.1-12build3)
  command 'lc' from deb mono-devel (6.8.0.105+dfsg-2)
  command 'lcf' from deb ucf (3.0038+nmu1)
  command 'ck' from deb python3-ck (1.9.4-1.1)

Try: apt install <deb name>

The command-not-found-data package in Bionic appears to avoid this issue, since the script affected by the UMASK variable is not used to update the databases.

Perhaps this bug doesn't apply to Bionic?

MR for Focal:
https://code.launchpad.net/~krenshaw/ubuntu/+source/command-not-found/+git/command-not-found/+merge/414978

NOTE: the Focal packages in the PPA have a version ending in ubuntu2, this version is identical to the MR's version ubuntu1. Version was changed to allow PPA building of packages after an erroneous upload on my part.

Testing info attached.

MR for Impish:
https://code.launchpad.net/~krenshaw/ubuntu/+source/command-not-found/+git/command-not-found/+merge/414979

Testing info attached.

Bionic is affected if the system is configured with a non-default repository that provides CNF metadata. The same fix works for Bionic in this situation as well.

MR for Bionic:
https://code.launchpad.net/~krenshaw/ubuntu/+source/command-not-found/+git/command-not-found/+merge/415622

Testing info attached, uses https://launchpad.net/~krenshaw/+archive/ubuntu/lp1953610 to provide packages from the MR.

Hello Julian, or anyone else affected,

Accepted command-not-found into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/command-not-found/21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted command-not-found into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/command-not-found/20.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted command-not-found into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/command-not-found/18.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification for Impish

root@verify-lp1953610-impish:~# ### Verification
# Install updated command-not-found from -proposed
# https://wiki.ubuntu.com/Testing/EnableProposed
cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
root@verify-lp1953610-impish:~# # Update command-not-found.
apt update
apt install command-not-found
<snip>
Get:17 http://archive.ubuntu.com/ubuntu impish-proposed/universe amd64 c-n-f Metadata [1484 B]
Fetched 543 kB in 2s (268 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  python3-commandnotfound
The following packages will be upgraded:
  command-not-found python3-commandnotfound
2 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
Need to get 15.6 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu impish-proposed/main amd64 command-not-found all 21.10.1 [5100 B]
Get:2 http://archive.ubuntu.com/ubuntu impish-proposed/main amd64 python3-commandnotfound all 21.10.1 [10.5 kB]
Fetched 15.6 kB in 0s (34.3 kB/s)
(Reading database ... 32292 files and directories currently installed.)
Preparing to unpack .../command-not-found_21.10.1_all.deb ...
Unpacking command-not-found (21.10.1) over (21.10.0) ...
Preparing to unpack .../python3-commandnotfound_21.10.1_all.deb ...
Unpacking python3-commandnotfound (21.10.1) over (21.10.0) ...
Setting up python3-commandnotfound (21.10.1) ...
Setting up command-not-found (21.10.1) ...
Scanning processes...

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.
root@verify-lp1953610-impish:~# # Verify version
dpkg -l | grep command-not-found
ii command-not-found 21.10.1 all Suggest installation of packages in interactive bash sessions
ii python3-commandnotfound 21.10.1 all Python 3 bindings for command-not-found.
root@verify-lp1953610-impish:~# # Force rebuild of DB
rm -rf /var/lib/command-not-found/*
apt update
ls -lah /var/lib/command-not-found/
Hit:1 http://security.ubuntu.com/ubuntu impish-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu impish InRelease
Hit:3 http://archive.ubuntu.com/ubuntu impish-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu impish-backports InRelease
Hit:5 http://archive.ubuntu.com/ubuntu impish-proposed InRelease
Reading package lists....

Focal verification
root@verify-lp1953610-focal:~# ### Verification
root@verify-lp1953610-focal:~# # Install updated command-not-found from -proposed
root@verify-lp1953610-focal:~# # https://wiki.ubuntu.com/Testing/EnableProposed
root@verify-lp1953610-focal:~# # Update command-not-found.
root@verify-lp1953610-focal:~# apt install command-not-found

root@verify-lp1953610-focal:~# # Verify version
root@verify-lp1953610-focal:~# dpkg -l | grep command-not-found
ii command-not-found 20.04.6 all Suggest installation of packages in interactive bash sessions
ii python3-commandnotfound 20.04.6 all Python 3 bindings for command-not-found.
root@verify-lp1953610-focal:~# # Force rebuild of DB
root@verify-lp1953610-focal:~# rm -rf /var/lib/command-not-found/*
root@verify-lp1953610-focal:~# apt update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal-proposed InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@verify-lp1953610-focal:~# ls -lah /var/lib/command-not-found/
total 3.2M
drwxr-xr-x 1 root root 62 Mar 10 19:14 .
drwxr-xr-x 1 root root 584 Mar 10 19:13 ..
-rw-r--r-- 1 root root 3.2M Mar 10 19:14 commands.db
-rw-r--r-- 1 root root 3.9K Mar 10 19:14 commands.db.metadata
root@verify-lp1953610-focal:~# # Verify success
root@verify-lp1953610-focal:~# su - ubuntu
ubuntu@verify-lp1953610-focal:~$ lck
WARNING:root:could not open file '/etc/apt/sources.list.d/ubuntu-focal-proposed.list'

Command 'lck' not found, did you mean:

  command 'ack' from deb ack (3.3.1-1)
  command 'ick' from deb intercal (30:0.30-3)
  command 'lcf' from deb ucf (3.0038+nmu1)
  command 'ck' from deb python3-ck (1.9.4-1.1)
  command 'lc' from deb mono-devel (6.8.0.105+dfsg-2)
  command 'lcp' from deb lsh-client (2.1-12build3)

Try: apt install <deb name>

ubuntu@verify-lp1953610-focal:~$ ack
WARNING:root:could not open file '/etc/apt/sources.list.d/ubuntu-focal-proposed.list'

Command 'ack' not found, but can be installed with:

apt install ack
Please ask your administrator.

ubuntu@verify-lp1953610-focal:~$ exit
logout
root@verify-lp1953610-focal:~# ## END Verification

Bionic verification

root@verify-lp1953610-bionic:~# ### Verification
root@verify-lp1953610-bionic:~# # Install updated command-not-found from -proposed
root@verify-lp1953610-bionic:~# # https://wiki.ubuntu.com/Testing/EnableProposed
root@verify-lp1953610-bionic:~# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
> # Enable Ubuntu proposed archive
> deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
> EOF
root@verify-lp1953610-bionic:~# # Update command-not-found.
root@verify-lp1953610-bionic:~# apt update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Hit:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Get:5 http://archive.ubuntu.com/ubuntu bionic-proposed InRelease [242 kB]
Hit:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:7 http://archive.ubuntu.com/ubuntu bionic-proposed/restricted amd64 Packages [105 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-proposed/restricted Translation-en [17.1 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages [163 kB]
Get:10 http://archive.ubuntu.com/ubuntu bionic-proposed/main Translation-en [33.5 kB]
Get:11 http://archive.ubuntu.com/ubuntu bionic-proposed/multiverse amd64 Packages [2216 B]
Get:12 http://archive.ubuntu.com/ubuntu bionic-proposed/multiverse Translation-en [788 B]
Get:13 http://archive.ubuntu.com/ubuntu bionic-proposed/universe amd64 Packages [11.6 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-proposed/universe Translation-en [6332 B]
Fetched 824 kB in 2s (528 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
13 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@verify-lp1953610-bionic:~# apt install command-not-found
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  command-not-found-data python3-commandnotfound
The following packages will be upgraded:
  command-not-found command-not-found-data python3-commandnotfound
3 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
Need to get 1023 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 command-not-found all 18.04.6 [5208 B]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 python3-commandnotfound all 18.04.6 [9032 B]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 command-not-found-data amd64 18.04.6 [1009 kB]
Fetched 1023 kB in 1s (785 kB/s)
(Reading database ... 29000 files and directories currently installed.)
Preparing to unpack .../command-not-found_18.04.6_all.deb ...
Unpacking command-not-found (18.04.6) over (18.04.5) ...
Preparing to un...

The verification of the Stable Release Update for command-not-found has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package command-not-found - 20.04.6

---------------
command-not-found (20.04.6) focal; urgency=medium

  [ Arnaud Rebillout ]
  * cnf: Bail out early if the database is not readable
  * cnf-update-db: Creates a world-readable database (Closes: #986461)
  * Add test to make sure that the database is world-readable

  [ Kellen Renshaw ]
  * Cherry-pick cnf-update-db umask fixes from 22.04 (LP: #1953610)

 -- Kellen Renshaw <email address hidden> Mon, 14 Feb 2022 10:10:22 -0700

This bug was fixed in the package command-not-found - 18.04.6

---------------
command-not-found (18.04.6) bionic; urgency=medium

  [ Arnaud Rebillout ]
  * cnf: Bail out early if the database is not readable
  * cnf-update-db: Creates a world-readable database (Closes: #986461)
  * Add test to make sure that the database is world-readable

  [ Kellen Renshaw ]
  * Cherry-pick cnf-update-db umask fixes from 22.04 (LP: #1953610)

 -- Kellen Renshaw <email address hidden> Mon, 14 Feb 2022 10:26:36 -0700

This bug was fixed in the package command-not-found - 21.10.1

---------------
command-not-found (21.10.1) impish; urgency=medium

  [ Arnaud Rebillout ]
  * cnf: Bail out early if the database is not readable
  * cnf-update-db: Creates a world-readable database (Closes: #986461)
  * Add test to make sure that the database is world-readable

  [ Kellen Renshaw ]
  * Cherry-pick cnf-update-db umask fixes from 22.04 (LP: #1953610)

 -- Kellen Renshaw <email address hidden> Mon, 14 Feb 2022 10:23:14 -0700