What does this apt error message ("Download is performed unsandboxed as root...") mean?
Solution 1:
Usually apt uses the user _apt
to download packages. In your case _apt
doesn't have write permission to either /var/cache/apt/archives/partial/
or an existing file /var/cache/apt/archives/partial/samba-libs_2%3a4.5.8+dfsg-0ubuntu0.17.04.1_i386.deb
so it downloaded the file as root
.
Make sure /var/cache/apt/archives/partial/
and everything below it are writeable for _apt
, e.g. by running
sudo chown -Rv _apt:root /var/cache/apt/archives/partial/
sudo chmod -Rv 700 /var/cache/apt/archives/partial/
Solution 2:
tl;dr Just ignore apt related "W: ... _apt ..." warning lines. They're non-fatal, and for the most part you can't fix this, and you'll get the same results with or without the warning.
Even when Florian Diesch's fine answer here is implemented, I'm still getting this warning. I get it when I try and download source, with apt-get source ...
, even if I try and download as root, like with sudo
or su
, (Debian 10.4 and apt 1.8.2.1).
The web is thick with questions about this warning message, with many different suggested solutions. Clearly huge numbers of people have been having trouble with the apt tools ever since it was changed to use _apt
for it's sand-boxed, secure operations.
It seems like after this _apt
change was made, a whole bunch of things broke that haven't yet been fully fixed.
Let's break this problem down again:
First, apt result lines with a W:
prefix are only warnings. A warning being something that is abnormal, but that doesn't stop the program from continuing to operate. (ref: Kusalananda)
As Florian pointed out, "apt uses the user _apt
to download packages". It seems this is a case where the user named root
simply can't do what the user named _apt
can do.
A partial solution, (one you really don't want to use):
You have to make sure the folder your sitting in (i.e. where the source will get put) is owned by _apt:root
. So if you $ mkdir temp; sudo chown _apt:root temp; sudo -s
and # cd temp; apt-get source ...
the warning will not appear.
Of course, you'll then have to put a more reasonable ownership on this base folder once you're done, because it is strange to be owned by _apt:root.
Are the results the same with or without the warning message?
# -- TEST 1: get source into folder owned by user ------------
$ mkdir temp1;
$ cd temp1; sudo apt-get source gnupg2 # gives warning message:
...
W: Download is performed unsandboxed as root as file 'gnupg2_2.2.12-1+deb10u1.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
# -- TEST 2: get source into folder owned by root ------------
$ cd ..; sudo -s
# mkdir temp2;
# cd temp2; apt-get source gnupg2 # gives warning message:
...
W: Download is performed unsandboxed as root as file 'gnupg2_2.2.12-1+deb10u1.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
# -- TEST 3: get source into folder owned by _apt:root -------
# cd ..
# mkdir temp3; chown _apt:root temp3
# cd temp3; apt-get source gnupg2 # no warning message now!
# == COMPARE the results ======================================
$ cd ..
$ sudo diff -r temp1 temp2 # no differences
$ sudo diff -r temp1 temp3 # no differences
So the results are the same with or without the warning!
I can't help but add, tongue in cheek, that the APT discussed here, does not refer to that most terrible of things: Advanced Persistent Threats.
My previous answer here (was)
...that until now, had fixed this issue for me, but that I can now see, is insufficient:
Fix it with this:
sudo chown -R _apt:root /var/lib/apt/lists
See.
-
The lists directory itself, not just its contents, needs to have owner _apt. (i.e. Here is one important file branch where default root ownership fails!)
-
I may have developed this issue when removing lists, and then re-making it with
sudo mkdir lists; apt update
, as advised elsewhere. -
Also this solution may be IN ADDITION TO any other solutions, as I had first tried a bunch of other things.
Debian 10.2 Stretch.
# apt-get --version
apt 1.8.2 (amd64)
Supported modules:
*Ver: Standard .deb
*Pkg: Debian dpkg interface (Priority 30)
Pkg: Debian APT solver interface (Priority -1000)
Pkg: Debian APT planner interface (Priority -1000)
S.L: 'deb' Debian binary tree
S.L: 'deb-src' Debian source tree
Idx: Debian Source Index
Idx: Debian Package Index
Idx: Debian Translation Index
Idx: Debian dpkg status file
Idx: Debian deb file
Idx: Debian dsc file
Idx: Debian control file
Idx: EDSP scenario file
Idx: EIPP scenario file