[debian-mysql] Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]

Robie Basak robie.basak at ubuntu.com
Sun Nov 13 11:33:42 GMT 2022


On Thu, Nov 10, 2022 at 10:46:55PM +0000, brian m. carlson wrote:
> > I think it's more wide than that: If you change UID, you need to
> > sanitise the environment.  Your HOME is likely to be wrong.  PATH might
> > very well be pointing at directories which are not appropriate for the
> > user you're changing the UID to, etc.
> 
> I believe this is the best practice.  For example, sudo typically passes
> through only a handful of environment variables, such as TERM, to avoid
> things like insecure PATH entries.  For example, if MySQL invoked a
> binary in PATH and I had a custom script named the same thing that had
> insecure behaviour when invoked as another user, that would be bad.
> OpenSSH also sanitizes the environment passed over the connection.

Taking your example, if we decide we cannot trust PATH, then dpkg should
reset it before invoking maintainer scripts. It doesn't make sense to
say that we should not trust the supplied PATH under these circumstances
but then also require maintainer scripts to individually reset it.
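The practice brian describes, resetting the environment to a known-good set rather than inheriting the caller's, can be shown in a few lines of POSIX shell. The script below is an added illustration written for this page; it is not code from this thread, from the MySQL packaging, or from dpkg. It assumes only coreutils `env -i`, `mktemp` and `/bin/sh`. `demo_setup` constructs a throwaway directory whose `id` script shadows the real command when placed first on PATH; `run_sanitized` drops everything the caller exported and supplies a fixed PATH, HOME and TMPDIR, the same idea as sudo's environment reset.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from the mysql packaging.
# Contrasts inheriting the caller's environment with resetting it to a
# known-good set (the sudo/ssh approach) before running a command.

# Construct a directory (demo only) whose "id" script shadows the real
# id(1) whenever that directory comes first on PATH.
demo_setup() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/userbin"
    printf '#!/bin/sh\necho SHADOWED\n' > "$dir/userbin/id"
    chmod 755 "$dir/userbin/id"
    printf '%s\n' "$dir"
}

# Run "$@" with only the listed variables defined. Everything else the
# caller exported (PATH, HOME, TMPDIR, LD_*, PERL5LIB, ...) is discarded
# by env -i, so the command cannot be steered by the invoking user's shell.
run_sanitized() {
    env -i \
        PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        HOME=/nonexistent \
        TMPDIR=/tmp \
        LANG=C \
        "$@"
}

# Run "$@" with whatever environment this process inherited.
run_inherited() {
    "$@"
}

# Returns 0 when the inherited run picks up the shadowing script and the
# sanitized run does not, i.e. when the reset actually makes a difference.
demo() {
    d=$(demo_setup) || return 1
    bad=$(export PATH="$d/userbin:$PATH"; run_inherited id -u)
    good=$(export PATH="$d/userbin:$PATH"; run_sanitized id -u)
    rm -rf "$d"
    [ "$bad" = "SHADOWED" ] && [ "$good" != "SHADOWED" ]
}
```

Calling `demo` exercises both paths and exits 0 only when the sanitized invocation reached the real `id`. The point of the thread still stands: if the reset is the policy, it belongs in one place (the caller that crosses the trust boundary), not re-implemented in every script it invokes.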