[Pkg-utopia-maintainers] Bug#996418: dbus-update-activation-environment: sets wrong PATH since March 2021

Thorsten Glaser t.glaser at tarent.de
Wed Oct 13 21:57:48 BST 2021


reassign 996418 xrdp
found 996418 0.9.15-1
retitle 996418 xrdp-sesman: fails to initialise environment properly
severity 996418 important
thanks

On Wed, 13 Oct 2021, Thorsten Glaser wrote:

(full quote below for the xrdp maintainers)

> Hi, not sure which package is actually at fault here, but here we go.
> Please reassign (and notify the target package maintainers) as needed.

Having looked at /proc/*/environ for the bogus string it seems to be
injected by xrdp-sesman. Comparing its PAM configuration to that of
su, kdm, etc. I found something obvious lacking (pam_env, which even
"man environment" on Debian points out is the thing loading it). And
the xrdp-sesman start script goes to larger pain to load the locale
(which I wrote probably preciely because this was missing); note I
did not and still do not know anything about PAM except roughly that
it exists ;-)

I just locally tested the following patch (fix this in the PAM config,
drop the locale-loading workaround), and it fixed my PATH for me:

--- a/debian/startwm.sh
+++ b/debian/startwm.sh
@@ -2,26 +2,6 @@
 # xrdp X session start script (c) 2015, 2017 mirabilos
 # published under The MirOS Licence
 
-if test -r /etc/default/locale; then
-	. /etc/default/locale
-	test -z "${LANG+x}" || export LANG
-	test -z "${LANGUAGE+x}" || export LANGUAGE
-	test -z "${LC_ADDRESS+x}" || export LC_ADDRESS
-	test -z "${LC_ALL+x}" || export LC_ALL
-	test -z "${LC_COLLATE+x}" || export LC_COLLATE
-	test -z "${LC_CTYPE+x}" || export LC_CTYPE
-	test -z "${LC_IDENTIFICATION+x}" || export LC_IDENTIFICATION
-	test -z "${LC_MEASUREMENT+x}" || export LC_MEASUREMENT
-	test -z "${LC_MESSAGES+x}" || export LC_MESSAGES
-	test -z "${LC_MONETARY+x}" || export LC_MONETARY
-	test -z "${LC_NAME+x}" || export LC_NAME
-	test -z "${LC_NUMERIC+x}" || export LC_NUMERIC
-	test -z "${LC_PAPER+x}" || export LC_PAPER
-	test -z "${LC_TELEPHONE+x}" || export LC_TELEPHONE
-	test -z "${LC_TIME+x}" || export LC_TIME
-	test -z "${LOCPATH+x}" || export LOCPATH
-fi
-
 if test -r /etc/profile; then
 	. /etc/profile
 fi
--- a/instfiles/pam.d/xrdp-sesman.debian
+++ b/instfiles/pam.d/xrdp-sesman.debian
@@ -1,4 +1,6 @@
 #%PAM-1.0
+auth required pam_env.so readenv=1
+auth required pam_env.so readenv=1 envfile=/etc/default/locale
 @include common-auth
 @include common-account
 @include common-session


Therefore, reassigning to xrdp (and pushing the fix to its packaging
repository). @xrdp team: this is one I think, after review/testing,
we might with to even fix in stable.

> This machine used to be an unstable machine but some time before the
> release I switched it to bullseye. The date range in question (February
> to March 2021) are when it still was on sid.
> 
> I have not yet noticed this because it only affects one command. The
> problem is that it picked up the "wrong" version of the command, the
> one from /usr/bin instead of the one from /usr/local/bin.
> 
> This machine is a regular desktop but also has xrdp+xorgxrdp installed
> so I can use it while working remotely. The xrdp sessions log to
> ~/.xsession-errors which is where I could spot the first possible cause
> for this error.
> 
> My ~/.xsession-errors contains, with some information snipped for
> legibility:
> 
> -----cutting here may damage your screen surface-----
> ⇒ Feb 25  2021, 16:22:09+0100 (CET), 2021-W08-4 (Thu) ⇐
> Xsession: X session started for tglase at Thu Feb 25 16:22:09 CET 2021
> WARNING: tempfile is deprecated; consider using mktemp instead.
> localuser:tglase being added to access control list
> localuser:boinc being added to access control list
> dbus-update-activation-environment: systemd --user not found, ignoring --systemd argument
> […]
> dbus-update-activation-environment: setting PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> […]
> Xsession: X session started for tglase at Fri Mar 12 19:11:35 CET 2021
> WARNING: tempfile is deprecated; consider using mktemp instead.
> localuser:tglase being added to access control list
> localuser:boinc being added to access control list
> X Error of failed request:  BadMatch (invalid parameter attributes)
>   Major opcode of failed request:  140 (RANDR)
> […]
> dbus-update-activation-environment: setting PATH=/sbin:/bin:/usr/bin:/usr/local/bin
> […]
> -----cutting here may damage your screen surface-----
> 
> From the top, these are:
> 
> - one line from my ~/.profile
> - 5 + 1 lines from the session start
> - 6 + 1 lines from the start of the next session
> 
> The lower session is definitely xrdp+xorgxrdp, as one of the xset
> calls from ~/.xsessionrc failed. The first call may very well be
> from kdm. These are the two oldest entries in that file.
> 
> There are *three* different PATH values set, apparently:
> 
> tglase at tglase:~ $ fgrep 'setting PATH=' .xsession-errors | sort | uniq -c
>       1 dbus-update-activation-environment: setting PATH=/home/tglase/.etc/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
>      27 dbus-update-activation-environment: setting PATH=/sbin:/bin:/usr/bin:/usr/local/bin
>       1 dbus-update-activation-environment: setting PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> 
> The middle one is the one causing me trouble.
> 
> The first and the last one are okay and differ only by the first one
> having one entry prepended, which my shell startup file (not .profile
> but the actual interactive(!) shell startup file) sets. This was one
> session in June I have no idea how I started it, looks like Xorg, not
> xrdp+xorgxrdp though. (Normally, when starting services (such as a
> login manager) I use a wrapper script around /etc/init.d/* that clears
> all environment variables.)
> 
> So the questions are, (a) where does this bad environment variable
> come from, and (b) why is it also set in my user X session, when
> dbus-update-activation-environment runs as a separate thing, although
> in the X session start process?
> 
> I would have expected a user X11 session to use this:
> /etc/environment:PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
> 
> Instead we're getting a PATH set that nowhere even is configured:
> 
> $ sudo fgrep -r /sbin:/bin:/usr/bin:/usr/local/bin /etc
> /etc/init.d/edac:PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> 
> Specifically, the presence of /sbin without /usr/sbin in the "bad"
> PATH causes questions; as far as I know, this is not used anywhere
> in Debian like that: either you get both sbins (admin account) or
> (almost everywhere) neither, but not just one of them.
> 
> -- System Information:
> Debian Release: 11.1
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
> Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/lksh
> Init: sysvinit (via /sbin/init)
> 
> Versions of packages dbus-x11 depends on:
> ii  dbus         1.12.20-2
> ii  libc6        2.31-13+deb11u2
> ii  libdbus-1-3  1.12.20-2
> ii  libx11-6     2:1.7.2-1
> 
> dbus-x11 recommends no packages.
> 
> dbus-x11 suggests no packages.
> 
> -- no debconf information
> 

bye,
//mirabilos
-- 
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

                        ****************************************************
/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
 ╳  HTML eMail! Also,     https://www.tarent.de/newsletter
╱ ╲ header encryption!
                        ****************************************************



More information about the Pkg-utopia-maintainers mailing list