[debian-mysql] Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]

Robie Basak robie.basak at ubuntu.com
Sun Nov 13 16:36:24 GMT 2022 

On Sun, Nov 13, 2022 at 02:58:47PM +0000, Simon McVittie wrote:
> If the maintainer script is *dropping* privileges from root down to a
> system user, then I think the maintainer script is/should be responsible
> for doing that privilege drop in a way that works...

Agreed, but amongst various other things, I don't think it's at all
clear whether TMPDIR is one of the things that the maintainer script
should be expected to unset in this case.

For libpam-tmpdir's use of setting TMPDIR, it's obviously the required
behaviour.

But what about in general? What's the "environment variable" interface
to maintainer scripts? Clearly they are expected to honor _some_
environment variables. Is TMPDIR one of them? Where's the complete list
defined, so that we can be sure that the semantics are reasonable for
all the use cases we can think of, and so that we can all write
maintainer scripts correctly?

Why is it that dropping privileges requires the unsetting of environment
variables in the case of maintainer script invocations anyway? They are
always run from a trusted environment and unsetting variables removes
the ability to pass configuration through. Sure, I can't rely on some
expectations holding (eg. HOME), but if I don't rely on this, there's no
problem. So then, what about TMPDIR? What are its actual semantics?
Tying TMPDIR to the uid that uses it is not the default, nor the
tradition. This entanglement is something that libpam-tmpdir adds. Maybe
that means that we need to consider TMPDIR's semantics changed, because
people find this kind of behaviour more useful. But that's a discussion
that hasn't yet happened.

For example, is there a user who expects to be able to use TMPDIR to
tell a maintainer script where there is enough space for its task, only
to find that it doesn't have any effect because the maintainer script
drops privileges and unsets it before doing its task?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20221113/25268885/attachment-0003.sig>

More information about the pkg-mysql-maint mailing list