[Pkg-privacy-maintainers] Bug#911907: monkeysphere: Patch v3

Sunil Mohan Adapa sunil at medhas.org
Mon Oct 29 19:56:48 GMT 2018


On Monday 29 October 2018 11:50 AM, Sunil Mohan Adapa wrote:
[...]
> 
> I agree that it is better to not expose the environment to runuser. I
> will make the change to use 'env' instead.

The attached patches do this with /usr/bin/env (better to have full
path?). I have retested all invocations again.

> 
> A bigger concern should be to scrub all environment from the parent root
> user process except for the values that need to be passed down.
> Unfortunately, this is an issue equally problematic in the earlier and
> proposed code.
> 
> # TESTVAR1='test' su -s /bin/bash -c 'set' |grep TESTVAR
> TESTVAR1=test
> 
> # TESTVAR1='test' runuser -u monkeysphere -- bash -c set |grep TESTVAR
> TESTVAR1=test
> 
> I will try to scrub the environment using 'env -i' and see if that
> introduces any breakages.

I tried this and it looks like this requires more changes and time which
I currently am short on. So, I am not proposing 'env -i' at this time.

[...]
> 
> I believe this is because I have libpam-tmpdir installed on my test VM
> (FreedomBox). I will test my next patch without this.

I confirm that I no longer see problems with TMPDIR after removing
libpam-tmpdir from the system.

Thanks,

-- 
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-runuser-instead-of-su.patch
Type: text/x-patch
Size: 8385 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/attachments/20181029/f2692592/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-Remove-shell-for-monkeysphere-user.patch
Type: text/x-patch
Size: 1313 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/attachments/20181029/f2692592/attachment-0001.bin>