[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT authentication warning on wheezy

* Florian Weimer:

>> Could it be that something is running updates "behind your back"?
>> (like in a cronjob or something)
>
> It seems that something removes the file
> /var/lib/apt/lists/localhost:9999_debian_dists_wheezy_Release.gpg.
>
> "apt-config dump" doesn't show anything that would activate
> /etc/cron.daily/apt, though.

The audit system suggests that packagekitd is doing something with the
file:

type=SYSCALL msg=audit(1378641028.354:20): arch=c000003e syscall=87 success=no exit=-2 a0=2528688 a1=0 a2=5 a3=270f items=1 ppid=1 pid=4286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="PK-Backend" exe="/usr/lib/packagekit/packagekitd" key=(null)
type=CWD msg=audit(1378641028.354:20):  cwd="/"
type=PATH msg=audit(1378641028.354:20): item=0 name="/var/lib/apt/lists/partial/" inode=136 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CONFIG_CHANGE msg=audit(1378641028.354:21): auid=4294967295 ses=4294967295 op="updated rules" path="/var/lib/apt/lists/localhost:9999_debian_dists_wheezy_Release.gpg" key=(null) list=4 res=1
type=SYSCALL msg=audit(1378641028.354:22): arch=c000003e syscall=82 success=yes exit=0 a0=25286f8 a1=2522148 a2=7f4309bd3950 a3=270f items=5 ppid=1 pid=4286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="PK-Backend" exe="/usr/lib/packagekit/packagekitd" key=(null)
type=CWD msg=audit(1378641028.354:22):  cwd="/"
type=PATH msg=audit(1378641028.354:22): item=0 name="/var/lib/apt/lists/" inode=3221225604 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1378641028.354:22): item=1 name="/var/lib/apt/lists/partial/" inode=136 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1378641028.354:22): item=2 name="/var/lib/apt/lists/localhost:9999_debian_dists_wheezy_Release.gpg" inode=101885 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1378641028.354:22): item=3 name="/var/lib/apt/lists/partial/localhost:9999_debian_dists_wheezy_Release.gpg.reverify" inode=306957612 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1378641028.354:22): item=4 name="/var/lib/apt/lists/partial/localhost:9999_debian_dists_wheezy_Release.gpg.reverify" inode=101885 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00

Does this ring any bells?  The reporting could be a bit off, perhaps
auditd and my kernel are out of sync.  The paths involved look
credible enough, though.

I'll try to disable it see if the phenomenon is gone.
Reply to: