summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVarun Varma <varun.varma@canonical.com>2026-05-14 17:20:28 +0200
committerJulian Andres Klode <jak@debian.org>2026-05-17 18:53:31 +0000
commit45f1fd73d0b62ce6422365a935abc317718ea142 (patch)
tree7c71a2aa92ca07d49990230a67f56d1b5ee634e2
parent1514ddad0e542c325c55c93866507dcc96ff5c29 (diff)
Warn if auth.conf is unreadable (LP: #2150631)
LP: #2150631 is a bug where trying to access an authentication-locked repo without root sends a 401 error, which is misleading since the authentication information could be in auth.conf.d, but just inaccessible without root. This adds a warning in that scenario, as well as an integration test.
-rw-r--r--methods/aptmethod.h15
-rw-r--r--methods/basehttp.cc12
-rwxr-xr-xtest/integration/test-ubuntu-bug-2150631-authconf-unreadable-source37
3 files changed, 64 insertions, 0 deletions
diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index f564499f0..9499367c8 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -539,6 +539,9 @@ class aptAuthConfMethod : public aptMethod
{
std::vector<std::unique_ptr<FileFd>> authconfs;
+ protected:
+ std::vector<std::string> inaccessibleAuthConfs;
+
public:
bool Configuration(std::string Message) override
{
@@ -555,6 +558,12 @@ class aptAuthConfMethod : public aptMethod
{
authconfs.emplace_back(new FileFd());
authconfs.back()->Open(netrc, FileFd::ReadOnly);
+ if (authconfs.back()->IsOpen() == false)
+ {
+ struct stat st;
+ if (stat(netrc.c_str(), &st) == 0)
+ inaccessibleAuthConfs.push_back(netrc);
+ }
}
auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts");
@@ -564,6 +573,12 @@ class aptAuthConfMethod : public aptMethod
{
authconfs.emplace_back(new FileFd());
authconfs.back()->Open(netrcpart, FileFd::ReadOnly);
+ if (authconfs.back()->IsOpen() == false)
+ {
+ struct stat st;
+ if (stat(netrcpart.c_str(), &st) == 0)
+ inaccessibleAuthConfs.push_back(netrcpart);
+ }
}
}
_error->RevertToStack();
diff --git a/methods/basehttp.cc b/methods/basehttp.cc
index db0ed228f..8dd596f8f 100644
--- a/methods/basehttp.cc
+++ b/methods/basehttp.cc
@@ -506,6 +506,18 @@ BaseHttpMethod::DealWithHeaders(FetchResult &Res, RequestState &Req)
std::string err;
strprintf(err, "HttpError%u", Req.Result);
SetFailReason(err);
+ if (Req.Result == 401 && inaccessibleAuthConfs.empty() == false)
+ {
+ std::string conflist;
+ std::string msg;
+ for (auto const &path : inaccessibleAuthConfs)
+ conflist += (conflist.empty() ? "" : ", ") + path;
+ strprintf(msg, _("Authentication credentials may be configured in %s, "
+ "but the file(s) are not readable by the current user. "
+ "Try running this command as root."),
+ conflist.c_str());
+ Warning(std::move(msg));
+ }
_error->Error("%u %s", Req.Result, Req.Code);
}
if (Req.haveContent == HaveContent::TRI_TRUE)
diff --git a/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source b/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source
new file mode 100755
index 000000000..0a22e8f83
--- /dev/null
+++ b/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "amd64"
+
+if [ "$(id -u)" = '0' ]; then
+ msgskip "Tests for unreadable auth.conf files do not work as root"
+ exit 0
+fi
+
+buildsimplenativepackage "foo" "all" "1"
+setupaptarchive --no-update
+
+changetohttpswebserver --authorization="$(printf '%s' 'star@irc:hunter2' | base64 )"
+rewritesourceslist "https://localhost:${APTHTTPSPORT}/"
+
+AUTHCONF="${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf.d/private.conf"
+mkdir -p "$(dirname "$AUTHCONF")"
+printf '%s\n' \
+ "machine https://localhost" \
+ "login star@irc" \
+ "password hunter2" > "$AUTHCONF"
+chmod 600 "$AUTHCONF"
+
+testsuccess aptget update
+
+chmod 000 "$AUTHCONF"
+testfailure aptget source -d foo
+
+OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
+testsuccess grep -F "Authentication credentials may be configured in ${AUTHCONF}" "$OUTPUT"
+testsuccess grep -F "not readable by the current user. Try running this command as root." "$OUTPUT"
+testsuccess grep -E "401[[:space:]]+Unauthorized" "$OUTPUT"