I needed to download the source for the Ubuntu kernel that I'm running. So I followed these instructions. The download was almost successful. Right at the end of it I got:
W: Can't drop privileges for downloading as file
'linux-hwe_4.10.0-32.36~16.04.1.dsc' couldn't be accessed by user
'_apt'. - pkgAcquire::Run (13: Permission denied)
The https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel page says to run just apt, without any sudo prefix:
apt-get source linux-image-$(uname -r)
So, just start it without
Many popular apt commands like apt install will write to some global databases and files, and should be started with
apt-get source and most apt-cache are unprivileged and run from any user. And apt-get source will write to the current directory, and it is a security feature to download files from a special pseudo user when started from root...
This was reported to bugzillas many many times, and reworded in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813786
$ LANG=C sudo apt-get source debian-installer
W: Can't drop privileges for downloading as file 'debian-installer_20160106.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
I don't get why there are bug reports about that. If you fetch in a directory _apt cannot write to, it will run the fetchers as root instead of _apt so you can do whatever foolish (no root needed here) task you are trying to do.
We could also just make it an error and say: This command does not work as root, but that won't make people happy either.
While we might want to solve this at some point, this is no huge deal, and would require a huge amount of work to fix.
Warning was reworded:
Note: This is a warning about disabling a security feature. It is supposed to be scary as we are disabling a security feature and we can't just be silent about it! Downloads really shouldn't happen any longer as root to decrease the attack surface – but if a warning causes that much uproar, consider what an error would do…
The old WARNING message:
| W: Can't drop privileges for downloading as file 'foobar' couldn't be
| accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
is frequently (incorrectly) considered to be an error message indicating that the download didn't happen which isn't the case, it was performed, but without all the security features enabled we could have used if run from some other place…
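The quoted reply says apt runs the fetchers as root when _apt cannot write to the download directory. The following pre-flight check is an added example, not apt's own logic and not code from the original answer: it approximates that condition from classic mode bits so the situation can be spotted before running apt-get source as root. The function names are hypothetical, GNU stat is assumed, and ACLs, supplementary groups and AppArmor are ignored.

```sh
#!/bin/sh
# Added example (not apt code). Approximates "can this account write here?"
# from classic mode bits only; ACLs, extra groups and AppArmor are ignored.

# applicable_bits PATH UID GID -> prints the rwx digit (0-7) that applies
applicable_bits() {
    if [ "$2" -eq 0 ]; then echo 7; return 0; fi      # root bypasses mode bits
    st=$(stat -c '%a %u %g' -- "$1") || return 1      # GNU stat, e.g. "1777 0 0"
    mode=${st%% *}; mode=$(( 0$mode ))                # parse the mode as octal
    rest=${st#* }                                     # "owner-uid group-gid"
    if   [ "$2" -eq "${rest% *}" ]; then echo $(( (mode >> 6) & 7 ))  # owner
    elif [ "$3" -eq "${rest#* }" ]; then echo $(( (mode >> 3) & 7 ))  # group
    else echo $(( mode & 7 )); fi                                      # other
}

# sandbox_can_write DIR UID GID -> 0 if UID/GID can reach DIR and create files
# in it, 1 if a mode bit blocks it, 2 if DIR cannot be inspected
sandbox_can_write() {
    cur=$(cd -- "$1" 2>/dev/null && pwd -P) || return 2
    bits=$(applicable_bits "$cur" "$2" "$3") || return 2
    [ $(( bits & 3 )) -eq 3 ] || return 1             # target needs w and x
    while [ "$cur" != / ]; do                         # every ancestor needs x
        cur=$(dirname "$cur")
        bits=$(applicable_bits "$cur" "$2" "$3") || return 2
        [ $(( bits & 1 )) -eq 1 ] || return 1
    done
    return 0
}

# check_source_dir DIR [USER]; USER defaults to _apt, the account in the warning
check_source_dir() {
    user=${2:-_apt}
    uid=$(id -u "$user" 2>/dev/null) && gid=$(id -g "$user") ||
        { echo "user $user not found" >&2; return 2; }
    if sandbox_can_write "$1" "$uid" "$gid"; then
        echo "ok: $user can write to $1, the download sandbox can stay on"
    else
        echo "warn: $user cannot write to $1; as root, apt would fetch as root"
        return 1
    fi
}

# Run as: sh check.sh /path/to/dir  (with no argument it only defines functions)
if [ $# -gt 0 ]; then check_source_dir "$1"; fi
```

A world-writable directory nested inside a 0700 home directory still fails the check, because the sandbox account needs the search bit on every parent directory as well.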