ooni.org icon indicating copy to clipboard operation
ooni.org copied to clipboard
verified publisher icon ooni

[Bug]: cli instructions on website do not work (permission issue)

Open mnalis opened this issue 2 months ago • 0 comments

What happened?

Apart from formatting issues (mentioned in https://github.com/ooni/ooni.org/issues/1848#issuecomment-3437403986), there is a possible problem with permissions for instructions in https://ooni.org/install/cli/ubuntu-debian/

Running the sudo apt-get update command on my Debian Trixie fails with:

% sudo apt-get update
Hit:1 https://deb.debian.org/debian trixie InRelease
Hit:2 http://security.debian.org/debian-security trixie-security InRelease
Hit:3 https://deb.debian.org/debian trixie-updates InRelease
Hit:4 https://deb.debian.org/debian trixie-backports InRelease
Get:5 https://deb.ooni.org unstable InRelease [972 B]
Err:5 https://deb.ooni.org unstable InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/etc/apt/keyrings/ooni-apt-keyring.gpg"  Caused by:     0: Reading "/etc/apt/keyrings/ooni-apt-keyring.gpg": Permission denied (os error 13)     1: Permission denied (os error 13)
Reading package lists... Done
W: OpenPGP signature verification failed: https://deb.ooni.org unstable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/etc/apt/keyrings/ooni-apt-keyring.gpg"  Caused by:     0: Reading "/etc/apt/keyrings/ooni-apt-keyring.gpg": Permission denied (os error 13)     1: Permission denied (os error 13)
E: The repository 'https://deb.ooni.org unstable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

that is because previous steps created /etc/apt/keyrings/ooni-apt-keyring.gpg with insufficient permissions:

% ls -l /etc/apt/keyrings/ooni-apt-keyring.gpg
-rw------- 1 root root 692 Oct 23 16:24 /etc/apt/keyrings/ooni-apt-keyring.gpg

Not that while we do use sudo, apt-get in Debian Trixie itself will drop its permissions to system _apt user, so this file will be unreadable.

Solutions are updating instructions to either:

  • fix the permission after download, i.e. add chmod 644 /etc/apt/keyrings/ooni-apt-keyring.gpg at the end of the first step (i.e. line after sudo gpg --no-default-keyring [...] (preferred, as it will always work), or
  • force umask 022 before gpg inside sudo (more complex and prone to errors)

The same issues might cause problems with 2.a and 2.b steps (i.e. permissions of /etc/apt/sources.list.d/ooniprobe.list):

Note however that even after fixing permission issues, it still does not work (I'll open another issue about that)

Browser

Firefox

What platform are you running?

Linux

Relevant log output

Contact Details

GitHub

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

mnalis avatar Oct 23 '25 15:10 mnalis