[debian-mysql] Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]

brian m. carlson sandals at crustytoothpaste.net
Thu Nov 10 22:46:55 GMT 2022


On 2022-11-10 at 16:37:53, Tollef Fog Heen wrote:
> ]] Robie Basak 
> 
> > But are you in essence saying that libpam-tmpdir requires that *every
> > maintainer script* that runs things as non-root, or starts processes
> > that do that, unset TMPDIR first?
> 
> I think it's more wide than that: If you change UID, you need to
> sanitise the environment.  Your HOME is likely to be wrong.  PATH might
> very well be pointing at directories which are not appropriate for the
> user you're changing the UID to, etc.

I believe this is the best practice.  For example, sudo typically passes
through only a handful of environment variables, such as TERM, to avoid
things like insecure PATH entries.  For example, if MySQL invoked a
binary in PATH and I had a custom script named the same thing that had
insecure behaviour when invoked as another user, that would be bad.
OpenSSH also sanitizes the environment passed over the connection.

Without getting into a debate about systemd, this is one the pieces of
functionality it provides, since it runs binaries in a clean
environment.  You can probably get most of that in a sysvinit script by
using `env -i` with a handful of environment variables specifically
overridden if necessary.  Then it would be very obvious what
dependencies the binary had on the outside environment.

> > I think the answer to this should probably be established by the
> > libpam-tmpdir maintainer and documented first, for fear of someone else
> > later coming along and saying that the maintainer script incorrectly
> > ignores TMPDIR because we started ignoring it to resolve this bug. So I
> > copied debian-devel@ for comment.
> 
> I'm not sure this is libpam-tmpdir specific, but rather a bit more
> general: what are the expectations that maintainer scripts can have
> about the environment they're running in, and how do we make those
> expectations hold?  This should probably then be documented in policy.

I agree documentation here is helpful.  For reference, this was an
invocation from `sudo aptitude` as part of a normal package upgrade,
which I think is a relatively common situation to be in.

Possibly also an initscript helper which enables developers to do the
right thing automatically, or a flag to start-stop-daemon, or other
tooling would be beneficial to help people easily solve this problem
without thinking too much about it.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20221110/8cb5a31d/attachment.sig>


More information about the pkg-mysql-maint mailing list