0

An article at https://devicetests.com/fix-download-unsandboxed-root-error-ubuntu presents a fix for the inconsequential yet annoying "unsandboxed download" notes produced by apt.

Reference: What does this apt error message ("Download is performed unsandboxed as root...") mean? (I learned about this fix in a downvoted and soon-to-be-deleted answer to this question)

The solution presented is to create the file /etc/apt/apt.conf.d/10sandbox with contents APT::Sandbox::User "root";

Testing the solution in a 20.04 VM shows that it works insofar as the messages are not emitted.

However, the article warns ominously that there may be "security implications" by using this method, but provides no further info.

What are the "security implications" of using this method?

Organic Marble
  • 23,641
  • 15
  • 70
  • 122
  • 1
    It is not a warning (W:) it is a note (N:) so I would just ignore it. "What are the "security implications" of using this method?" I would assume there might be cases where "root" IS needed and that will -error- out (so the problem now is an error and not a note). see also https://askubuntu.com/questions/1403337/download-is-performed-unsandboxed-as-root-as-file/1416892#1416892 – Rinzwind Sep 07 '23 at 15:09
  • @Rinzwind thanks, I will update the question to fix that. – Organic Marble Sep 07 '23 at 15:14

1 Answers1

1

The security implications of the download running as root is that if someone is manipulating your network traffic and there is a security vulnerability in apt, the attacker might be able to exploit that vulnerability and take over your computer.

This is not an immediate danger, but still, it's not a good idea to just hide that message. The article you linked is no fix to the underlying issue, it just hides that message.

Please find out why you might be getting that message and fix it (the linked question gives some details).

YtvwlD
  • 277
  • None of the fixes in answers to the linked question worked for me, except for the downvoted one. Those answers all say the message is essentially meaningless, so what's wrong with hiding it? Also, I only get this message on the computer that runs my local mirror - so it's just "downloading" from a local directory. All other computers on the LAN don't get the message. – Organic Marble Sep 07 '23 at 15:32
  • It's not essentially meaningless. Parts of apt are running with higher privileges than they need to, opening you needlessly up to potential vulnerabilities.

    edit: if this is a local file, you can indeed ignore it. But still, it might be easier (and safer!) to give the _apt user access to that directory.

     – YtvwlD Sep 07 '23 at 15:35
  • Consider writing an answer to the linked question! Sounds like you have domain knowledge, and can propose a safe solution that works. (and _apt user does have access, but I still get the messages, just like many others who commented on the linked question). – Organic Marble Sep 07 '23 at 15:36
  • 1
    I think the accepted answer is fine for the case of remote downloads. I'm not sure there's any need to. – YtvwlD Sep 07 '23 at 15:38