25

I ran rkhunter and found a warning that there is a new user called _apt on my Ubuntu 16.04.

$ grep _apt /etc/passwd
_apt:x:124:65534::/nonexistent:/bin/false

All I found out is that this seems to be a kind of sandbox user for "advanced persistent threats". But what exactly is this?

rubo77
  • 32,486
  • 2
    Interesting question, that user is on my machines as well. – Byte Commander Aug 09 '16 at 18:32
  • Same. Ideas: might be related to the new "apt" command in 16.04. – Rinzwind Aug 09 '16 at 18:34
  • 1
    it is mentioned here: http://askubuntu.com/questions/771936/permission-error-when-installing-ttf-mscorefonts-installer – Rinzwind Aug 09 '16 at 18:40
  • That user lacks permissions for locally downloaded packages and thus throws errors – Anwar Aug 19 '16 at 11:06
  • 1
    Please note that APT has two main meanings related to computers... one is the "advanced persistent threats" you mention (which you definitely DON'T want on your PC as they are typically used for remote spying & co), and the other one is "Advanced Packaging Tool", which is the "normal" meaning of "apt" in an Ubuntu/Debian Linux context -- that's the package manager of your system, which owns the _apt users (see the answers for what that user is for). – Ale May 18 '19 at 17:20

1 Answer

33

The user _apt is created by the postinst script of the apt package (/var/lib/dpkg/info/apt.postinst):

 # add unprivileged user for the apt methods
 adduser --force-badname --system --home /nonexistent  \
     --no-create-home --quiet _apt || true

It's the owner of /var/cache/apt/archives/partial and /var/lib/apt/lists/partial and is used by APT to download packages, package lists, and other things.

  • 5
    So basically the same method as seen with apache and other software: you have a dedicated locked down user to do something that pulls something to the machine: user _apt. – Rinzwind Aug 09 '16 at 18:56
  • In Ubuntu 16.04.x, _apt:x:105:65534::/nonexistent:/bin/false is created after nobody, systemd and syslog users under UID ~100+ range. You can always browse users with less /etc/passwd (to search use / then type _apt to find it, :q is exit, like vim) – dhaupin Mar 09 '17 at 04:02
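
To confirm that the _apt entry rkhunter flagged matches the account the answer describes, the check below compares a passwd line against what the quoted adduser call produces and verifies who owns a directory; it is an added example, not part of the original posts or of the apt package. The function names are hypothetical, the 100-999 system UID range and the acceptance of /usr/sbin/nologin are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (function names are hypothetical, sample lines are constructed).

# check_apt_entry LINE: compare one passwd line with the account that
# `adduser --system --home /nonexistent _apt` produces. Prints "ok" or the
# deviating fields; returns non-zero on any deviation.
check_apt_entry() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    problems=""
    [ "$name" = "_apt" ] || problems="$problems name"
    case $uid in
        ''|*[!0-9]*) problems="$problems uid" ;;
        # Assumption: Debian adduser's default system UID range, 100-999.
        *) { [ "$uid" -ge 100 ] && [ "$uid" -le 999 ]; } || problems="$problems uid" ;;
    esac
    # 65534 (nogroup) is the GID in both entries quoted on this page.
    [ "$gid" = "65534" ] || problems="$problems gid"
    [ "$home" = "/nonexistent" ] || problems="$problems home"
    case $shell in
        # /bin/false is what the page shows; nologin is accepted as an assumption.
        /bin/false|/usr/sbin/nologin) ;;
        *) problems="$problems shell" ;;
    esac
    if [ -n "$problems" ]; then
        echo "deviates:$problems"
        return 1
    fi
    echo "ok"
}

# dir_owned_by_uid DIR UID: true when DIR exists and its numeric owner is UID.
dir_owned_by_uid() {
    [ -d "$1" ] || return 1
    owner=$(ls -ldn "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# Constructed sample lines: the entry from the question, then a tampered one.
for entry in \
    '_apt:x:124:65534::/nonexistent:/bin/false' \
    '_apt:x:0:0::/root:/bin/bash'; do
    printf '%s -> %s\n' "$entry" "$(check_apt_entry "$entry")"
done
```

On a live host, pass `"$(getent passwd _apt)"` to `check_apt_entry`, then call `dir_owned_by_uid` on /var/cache/apt/archives/partial and /var/lib/apt/lists/partial with the UID from that entry.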