From ea408c560ed85bb4ef7cf8f72f8463653501332c Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 7 Jul 2017 16:24:21 +0200 Subject: reimplement and document auth.conf We have support for an netrc-like auth.conf file since 0.7.25 (closing 518473), but it was never documented in apt that it even exists and netrc seems to have fallen out of usage as a manpage for it no longer exists making the feature even more arcane. On top of that the code was a bit of a mess (as it is written in c-style) and as a result the matching of machine tokens to URIs also a bit strange by checking for less specific matches (= without path) first. We now do a single pass over the stanzas. In practice early adopters of the undocumented implementation will not really notice the differences and the 'new' behaviour is simpler to document and more usual for an apt user. Closes: #811181 --- doc/CMakeLists.txt | 1 + doc/apt_auth.conf.5.xml | 132 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 133 insertions(+) create mode 100644 doc/apt_auth.conf.5.xml (limited to 'doc') diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index a1491428f..d7241eb5e 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -66,6 +66,7 @@ endif() add_docbook(apt-man MANPAGE ALL DOCUMENTS apt.8.xml + apt_auth.conf.5.xml apt-cache.8.xml apt-cdrom.8.xml apt.conf.5.xml diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml new file mode 100644 index 000000000..8a1882604 --- /dev/null +++ b/doc/apt_auth.conf.5.xml @@ -0,0 +1,132 @@ + + %aptent; + %aptverbatiment; + %aptvendor; +]> + + + + + &apt-author.team; + &apt-email; + &apt-product; + + 2017-07-07T00:00:00Z + + + + apt_auth.conf + 5 + APT + + + + + apt_auth.conf + Login configuration file for APT sources and proxies + + +Description +APT configuration files like &sources-list; or &apt-conf; need to be accessible +for everyone using apt tools on the system to have access to all package-related +information like the available packages in a repository. Login information +needed to connect to a proxy or to download data from a repository on the other +hand shouldn't always be accessible by everyone and can hence not be placed in a +file with world-readable file permissions. + +The APT auth.conf file /etc/apt/auth.conf can be used to store +login information in a netrc-like format with restrictive file permissions. + + +netrc-like format +The format defined here is similar to the format of the ~/.netrc +file used by ftp1 +and similar programs interacting with servers. +It is a simple token-based format with the following tokens being recognized; +Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newlines. + + + +machine hostname[:port][/path] +Entries are looked up by searching for the +machine token matching the +hostname of the URI apt needs login information for. Extending the netrc-format +a portnumber can be specified. If no port is given the token matches for all ports. +Similar the path is optional and only needed and useful if multiple repositories with +different login information reside on the same server. A machine token with a path +matches if the path in the URI starts with the path given in the token. +Once a match is made, the subsequent tokens are processed, stopping when the +end of file is reached or another machine +token is encountered. + + + +login name +The username to be used. + + + +password string +The password to be used. + + + + + + +Example +Supplying login information for a user named apt +with the password debian for the &sources-list; entry +deb http://example.org/debian &debian-stable-codename; main +could be done in the entry directly: +deb http://apt:debian@example.org/debian &debian-stable-codename; main +Alternatively an entry like the following in the auth.conf file could be used: +machine example.org +login apt +password debian +Or alternatively within a single line: +machine example.org login apt password debian +If you need to be more specific all of these lines will also apply to the example entry: +machine example.org/deb login apt password debian +machine example.org/debian login apt password debian +machine example.org/debian/ login apt password debian + +On the other hand neither of the following lines apply: +machine example.org:80 login apt password debian +machine example.org/deb/ login apt password debian +machine example.org/ubuntu login apt password debian +machine example.orga login apt password debian +machine example.net login apt password debian + + + +Notes +Basic support for this feature is present since version 0.7.25, but was +undocumented for years. The documentation was added in version 1.5 changing +also the implementation slightly. For maximum backward compatibility you should +avoid multiple machine tokens with the same hostname, but if +you need multiple they should all have a path specified in the +machine token. + + + +Files + + /etc/apt/auth.conf + Login information for APT sources and proxies in a netrc-like format. + Configuration Item: Dir::Etc::netrc. + + + + + +See Also +&apt-conf; &sources-list; + + + + &manbugs; + + -- cgit v1.2.3-70-g09d2 From afd7cd688b70bd50d8fa90199a2ac39d98edf19f Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 8 Jul 2017 11:42:02 +0200 Subject: update URI scheme descriptions in sources.list(5) --- doc/apt-verbatim.ent | 6 +++++ doc/sources.list.5.xml | 61 +++++++++++++++++++++++++++++++++++--------------- 2 files changed, 49 insertions(+), 18 deletions(-) (limited to 'doc') diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent index b555c5de5..be599d393 100644 --- a/doc/apt-verbatim.ent +++ b/doc/apt-verbatim.ent @@ -15,6 +15,12 @@ " > + + apt_auth.conf + 5 + " +> + apt-get 8 diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml index dd057eb32..c4df9aa58 100644 --- a/doc/sources.list.5.xml +++ b/doc/sources.list.5.xml @@ -350,6 +350,40 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [. The currently recognized URI types are: + http + + The http scheme specifies an HTTP server for an archive and is the most + commonly used method, with many options in the + Acquire::http scope detailed in &apt-conf;. The URI can + directly include login information if the archive requires it, but the use + of &apt-authconf; should be preferred. The method also supports SOCKS5 and + HTTP(S) proxies either configured via apt-specific configuration or + specified by the environment variable http_proxy in the + format (assuming an HTTP proxy requiring authentication) + http://user:pass@server:port/. + The authentication details for proxies can also be supplied via + &apt-authconf;. + Note that these forms of authentication are insecure as the whole + communication with the remote server (or proxy) is not encrypted so a + sufficiently capable attacker can observe and record login as well as all + other interactions. The attacker can not modify the + communication through as APTs data security model is independent of the + chosen transport method. See &apt-secure; for details. + + + https + + The https scheme specifies an HTTPS server for an archive and is very + similar in use and available options to the http scheme. The main + difference is that the communication between apt and server (or proxy) is + encrypted. Note that the encryption does not prevent an attacker from + knowing which server (or proxy) apt is communicating with and deeper + analyses can potentially still reveal which data was downloaded. If this is + a concern the Tor-based schemes mentioned further below might be a suitable + alternative. + + + file The file scheme allows an arbitrary directory in the file system to be @@ -359,27 +393,19 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [. cdrom - The cdrom scheme allows APT to use a local CD-ROM drive with media + The cdrom scheme allows APT to use a local CD-ROM, DVD or USB drive with media swapping. Use the &apt-cdrom; program to create cdrom entries in the source list. - http - - The http scheme specifies an HTTP server for the archive. If an environment - variable http_proxy is set with the format - http://server:port/, the proxy server specified in - http_proxy will be used. Users of authenticated - HTTP/1.1 proxies may use a string of the format - http://user:pass@server:port/. - Note that this is an insecure method of authentication. - - ftp - The ftp scheme specifies an FTP server for the archive. APT's FTP behavior - is highly configurable; for more information see the - &apt-conf; manual page. Please note that an FTP proxy can be specified + The ftp scheme specifies an FTP server for an archive. Use of FTP is on the + decline in favour of http and https + and many archives either never offered or are retiring FTP access. If you + still need this method many configuration options for it are available in + the Acquire::ftp scope and detailed in &apt-conf;. + Please note that an FTP proxy can be specified by using the ftp_proxy environment variable. It is possible to specify an HTTP proxy (HTTP proxy servers often understand FTP URLs) using this environment variable and only this @@ -407,9 +433,8 @@ deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [. APT can be extended with more methods shipped in other optional packages, which should follow the naming scheme apt-transport-method. - For instance, the APT team also maintains the package apt-transport-https, - which provides access methods for HTTPS URIs with features similar to the http method. - Methods for using e.g. debtorrent are also available - see &apt-transport-debtorrent;. + For instance, the APT team also maintains the package apt-transport-tor, + which provides access methods for HTTP and HTTPS URIs routed via the Tor network. -- cgit v1.2.3-70-g09d2 From 054243fd0febfef5f1ba89f61eed0e6a34c6a25f Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 14 Jul 2017 13:49:33 +0200 Subject: show a warning for Debian shutting down FTP services MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We detect the effected sources by matching Release info – that has potential by-catch of repositories which have incorrect field values, but those are better fixed now anyhow. The bigger incorrectness is that this message will not only be printed for the Debian services itself but also for all mirrors not under Debian control but serving Debian like more local/private mirrors which will not (directly) shutdown. It is likely through that many of them will follow suite with less visible announcements or break downright if their upstream source disappears, so having false-positives here seems benefitial for the user in the end. --- apt-private/private-update.cc | 26 ++++++++++++++++++ doc/examples/configure-index | 6 ++++- .../test-apt-get-update-sourceslist-warning | 31 ++++++++++++++++++++++ 3 files changed, 62 insertions(+), 1 deletion(-) create mode 100755 test/integration/test-apt-get-update-sourceslist-warning (limited to 'doc') diff --git a/apt-private/private-update.cc b/apt-private/private-update.cc index 8949dab30..f235a6191 100644 --- a/apt-private/private-update.cc +++ b/apt-private/private-update.cc @@ -8,6 +8,7 @@ #include #include #include +#include #include #include @@ -79,6 +80,31 @@ bool DoUpdate(CommandLine &CmdL) if (Cache.BuildCaches(false) == false) return false; + if (_config->FindB("APT::Get::Update::SourceListWarnings", true)) + { + List = Cache.GetSourceList(); + for (pkgSourceList::const_iterator S = List->begin(); S != List->end(); ++S) + { + if (APT::String::Startswith((*S)->GetURI(), "ftp://") == false) + continue; + pkgCache::RlsFileIterator const RlsFile = (*S)->FindInCache(Cache, false); + if (RlsFile.end() || RlsFile->Origin == 0 || RlsFile->Label == 0) + continue; + char const *const affected[][2] = { + {"Debian", "Debian"}, + {"Debian", "Debian-Security"}, + {"Debian Backports", "Debian Backports"}, + }; + auto const matchRelease = [&](decltype(affected[0]) a) { + return strcmp(RlsFile.Origin(), a[0]) == 0 && strcmp(RlsFile.Label(), a[1]) == 0; + }; + if (std::find_if(std::begin(affected), std::end(affected), matchRelease) != std::end(affected)) + _error->Warning("Debian shuts down public FTP services currently still used in your sources.list(5) as '%s'.\n" + "See press release %s for details.", + (*S)->GetURI().c_str(), "https://debian.org/News/2017/20170425"); + } + } + // show basic stats (if the user whishes) if (_config->FindB("APT::Cmd::Show-Update-Stats", false) == true) { diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 244d7c1c3..61a749495 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -107,7 +107,11 @@ APT IndexTargets::ReleaseInfo ""; IndexTargets::format ""; - Update::InteractiveReleaseInfoChanges ""; + Update + { + InteractiveReleaseInfoChanges ""; + SourceListWarnings ""; + }; }; Cache diff --git a/test/integration/test-apt-get-update-sourceslist-warning b/test/integration/test-apt-get-update-sourceslist-warning new file mode 100755 index 000000000..b466e85eb --- /dev/null +++ b/test/integration/test-apt-get-update-sourceslist-warning @@ -0,0 +1,31 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment +configarchitecture 'amd64' +setupaptarchive --no-update + +testsuccess apt update +testsuccess apt update --no-download + +echo 'deb ftp://ftp.tlh.debian.org/debian zurg main' > rootdir/etc/apt/sources.list.d/ftpshutdown.list +cat > rootdir/var/lib/apt/lists/ftp.tlh.debian.org_debian_dists_zurg_Release <