[Pkg-sysvinit-devel] Bug#631081: dpkg: please clean environment for maintainer scripts

Raphael Hertzog hertzog at debian.org
Tue Jun 21 06:50:43 UTC 2011


On Mon, 20 Jun 2011, Witold Baryluk wrote:
> On 06-20 11:55, Aaron M. Ucko wrote:
> > retitle 631081 dpkg: please clean environment for maintainer scripts
> > reassign 631081 dpkg 1.16.0.3
> > thanks
> > 
> > As this bug's history shows, a recent libpam-afs-session upgrade made
> > cron start syslogging errors that turned out to stem from my personal
> > KRB5CCNAME setting having accidentally leaked into its environment.
> > (sudo preserves that variable by default, which is appropriate in many
> > contexts.)  I historically also ran into trouble with leakage from my
> > TEXMF setting (though I concede that sudo now filters that out itself),
> > and Russ Allbery mentioned problems with Debconf-related variables
> > leaking into xinetd invocations and from there ultimately into remote
> > shells, breaking subsequent aptitude runs.
> > 
> > To avoid such surprises, could dpkg please run maintainer scripts in
> > cleaned environments?
> 
> I often have problems with TMP or TMPDIR or TEMP leaking from root or other user
> into dpkg scripts. Removing them will be useful.

I think that cleaning the environment will create way more problems than
what you expect.

- for a start, the debconf UI might be pre-existing and the environment
  variables are the way for debconf to know that it's already running
  and that the postinst doesn't need to restart the UI if it's already
  there.
- dropping http_proxy might break maintainer scripts calling wget or
  similar
- we obviously don't want to drop LANG and LC_* because we want the user
  to use his native language parameters
- we don't want to drop DISPLAY because debconf might want to open a
  configuration window
- respecting TMPDIR seems a good idea rather than a bad one
- etc.

Russ Allbery <rra at debian.org> writes:
> This is a bug that's been bothering me for a long time.  I'm not sure if
> aptitude or dpkg should be cleaning out the environment before invoking
> maintainer scripts, maintainer scripts should be cleaning the environment
> before running invoke-rc.d, or invoke-rc.d should be cleaning the
> environment, but *something* in that path really should.  In the past,

I think it should be invoke-rc.d or something below this.

For dpkg, the only place where it might be helpful is start-stop-daemon. But
not all packages use start-stop-daemon so I would prefer invoke-rc.d which is
enshrined in policy.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)
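
A sketch of scrubbing the environment at the daemon-start boundary the message points to, leaving the maintainer script's own environment (debconf, http_proxy, DISPLAY) alone. This is an added example, not part of the original message and not invoke-rc.d's code. The names `run_clean`, `demo`, `KEEP_VARS` and `SAFE_PATH`, the allowlist contents and the sample values are assumptions.

```shell
#!/bin/sh
# Added illustration, not invoke-rc.d's code: start a service command with an
# allowlisted environment so the admin's session variables do not reach the daemon.

# Assumed allowlist: locale settings and TERM only.
KEEP_VARS="LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME TERM"
# Assumed fixed search path for init scripts and daemons.
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# run_clean CMD [ARGS...]
# Runs CMD in a subshell under `env -i`, passing only PATH and the allowlisted
# variables that are set in the caller. Returns CMD's exit status.
run_clean() {
    (
        for name in $KEEP_VARS; do
            # KEEP_VARS holds fixed identifiers, so eval never sees externally
            # supplied text; the values themselves are passed quoted.
            if eval "[ -n \"\${$name+set}\" ]"; then
                eval "set -- \"\$name=\${$name}\" \"\$@\""
            fi
        done
        exec env -i PATH="$SAFE_PATH" "$@"
    )
}

# Constructed demonstration: the values are made up, the variable names are
# the ones reported in the thread as leaking into daemons.
demo() {
    (
        export KRB5CCNAME=/tmp/krb5cc_1000 TMPDIR=/home/user/tmp
        export DEBIAN_FRONTEND=noninteractive LANG=en_US.UTF-8
        # Stand-in for "/etc/init.d/<service> start": print what the daemon would see.
        run_clean env | sort
    )
}

demo
```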
