diff options
| author | Varun Varma <varun.varma@canonical.com> | 2026-05-14 17:20:28 +0200 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2026-05-17 18:53:31 +0000 |
| commit | 45f1fd73d0b62ce6422365a935abc317718ea142 (patch) | |
| tree | 7c71a2aa92ca07d49990230a67f56d1b5ee634e2 | |
| parent | 1514ddad0e542c325c55c93866507dcc96ff5c29 (diff) | |
Warn if auth.conf is unreadable (LP: #2150631)
LP: #2150631 is a bug where trying to access an authentication-locked repo without root sends a 401 error, which is misleading since the authentication information could be in auth.conf.d, but just inaccessible without root. This adds a warning in that scenario, as well as an integration test.
| -rw-r--r-- | methods/aptmethod.h | 15 | ||||
| -rw-r--r-- | methods/basehttp.cc | 12 | ||||
| -rwxr-xr-x | test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source | 37 |
3 files changed, 64 insertions, 0 deletions
diff --git a/methods/aptmethod.h b/methods/aptmethod.h index f564499f0..9499367c8 100644 --- a/methods/aptmethod.h +++ b/methods/aptmethod.h @@ -539,6 +539,9 @@ class aptAuthConfMethod : public aptMethod { std::vector<std::unique_ptr<FileFd>> authconfs; + protected: + std::vector<std::string> inaccessibleAuthConfs; + public: bool Configuration(std::string Message) override { @@ -555,6 +558,12 @@ class aptAuthConfMethod : public aptMethod { authconfs.emplace_back(new FileFd()); authconfs.back()->Open(netrc, FileFd::ReadOnly); + if (authconfs.back()->IsOpen() == false) + { + struct stat st; + if (stat(netrc.c_str(), &st) == 0) + inaccessibleAuthConfs.push_back(netrc); + } } auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); @@ -564,6 +573,12 @@ class aptAuthConfMethod : public aptMethod { authconfs.emplace_back(new FileFd()); authconfs.back()->Open(netrcpart, FileFd::ReadOnly); + if (authconfs.back()->IsOpen() == false) + { + struct stat st; + if (stat(netrcpart.c_str(), &st) == 0) + inaccessibleAuthConfs.push_back(netrcpart); + } } } _error->RevertToStack(); diff --git a/methods/basehttp.cc b/methods/basehttp.cc index db0ed228f..8dd596f8f 100644 --- a/methods/basehttp.cc +++ b/methods/basehttp.cc @@ -506,6 +506,18 @@ BaseHttpMethod::DealWithHeaders(FetchResult &Res, RequestState &Req) std::string err; strprintf(err, "HttpError%u", Req.Result); SetFailReason(err); + if (Req.Result == 401 && inaccessibleAuthConfs.empty() == false) + { + std::string conflist; + std::string msg; + for (auto const &path : inaccessibleAuthConfs) + conflist += (conflist.empty() ? "" : ", ") + path; + strprintf(msg, _("Authentication credentials may be configured in %s, " + "but the file(s) are not readable by the current user. " + "Try running this command as root."), + conflist.c_str()); + Warning(std::move(msg)); + } _error->Error("%u %s", Req.Result, Req.Code); } if (Req.haveContent == HaveContent::TRI_TRUE) diff --git a/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source b/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source new file mode 100755 index 000000000..0a22e8f83 --- /dev/null +++ b/test/integration/test-ubuntu-bug-2150631-authconf-unreadable-source @@ -0,0 +1,37 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment +configarchitecture "amd64" + +if [ "$(id -u)" = '0' ]; then + msgskip "Tests for unreadable auth.conf files do not work as root" + exit 0 +fi + +buildsimplenativepackage "foo" "all" "1" +setupaptarchive --no-update + +changetohttpswebserver --authorization="$(printf '%s' 'star@irc:hunter2' | base64 )" +rewritesourceslist "https://localhost:${APTHTTPSPORT}/" + +AUTHCONF="${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf.d/private.conf" +mkdir -p "$(dirname "$AUTHCONF")" +printf '%s\n' \ + "machine https://localhost" \ + "login star@irc" \ + "password hunter2" > "$AUTHCONF" +chmod 600 "$AUTHCONF" + +testsuccess aptget update + +chmod 000 "$AUTHCONF" +testfailure aptget source -d foo + +OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output" +testsuccess grep -F "Authentication credentials may be configured in ${AUTHCONF}" "$OUTPUT" +testsuccess grep -F "not readable by the current user. Try running this command as root." "$OUTPUT" +testsuccess grep -E "401[[:space:]]+Unauthorized" "$OUTPUT" |
