• Re: The apt tool chain doesn't seem to sanitize its environment

    From Aaron Rainbolt@21:1/5 to John Darrah on Tue Mar 25 00:30:01 2025
    On Mon, 24 Mar 2025 13:59:00 -0700
    John Darrah <xyllyx@gmail.com> wrote:

    > I encountered the following error while upgrading a 'testing/trixie'
    > install.
    >
    > Setting up network-manager (1.52.0-5) ...
    > Insecure $ENV{CDPATH} while running with -T switch at /usr/share/perl5/Debian/AdduserLogging.pm line 157.
    > dpkg: error processing package network-manager (--configure):
    > installed network-manager package post-installation script
    > subprocess returned error exit status 25
    >
    > I unset CDPATH, then reinstalled and it completed without an error. I
    > would think the apt toolchain should not allow the root interactive
    > environment to be exposed while installing packages.

    This isn't really the fault of apt. apt may legitimately need to
    change its behavior in response to environment variables, and there
    are packages (at least outside of the Debian archive, and maybe inside
    as well) that change their behavior depending on the environment
    they're called with. Kicksecure's packages are an example of this, and
    they very much benefit from the environment propagating like this.

    The program that should be sanitizing your environment is whatever
    privilege escalation tool you're using (usually sudo). If it's not
    sanitizing your environment properly, you may want to check your
    sudoers configuration and change it so it does sanitize things
    properly. Alternatively, if you're logging in as root and then running
    apt, you can use "env -i" to sanitize the environment before calling
    apt.

    --
    Aaron

    -- john


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
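
As an added example that is not part of either post: a POSIX shell version of the `env -i` approach described above, together with a check for the variables Perl's taint mode (`-T`) rejects in the environment of a subprocess (the list is from perlsec). The function names, the PATH value and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, apt or adduser.
# Variables Perl's taint mode refuses to pass on to a subprocess (perlsec);
# PATH is checked as well, which is why run_clean sets it to a fixed value.
TAINT_VARS="IFS CDPATH ENV BASH_ENV"

# Print each name from TAINT_VARS that is exported in the current environment.
# awk runs as a child process, so ENVIRON holds exported variables only.
exported_taint_vars() {
    for name in $TAINT_VARS; do
        if awk -v n="$name" 'BEGIN { exit !(n in ENVIRON) }'; then
            printf '%s\n' "$name"
        fi
    done
}

# Run a command with an empty environment plus a small fixed allowlist.
# The PATH value and the allowlisted names are assumptions; adapt to policy.
run_clean() {
    env -i \
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        HOME="${HOME:-/root}" \
        TERM="${TERM:-dumb}" \
        LANG="${LANG:-C}" \
        "$@"
}

# Typical use in a root shell:
#   exported_taint_vars      # lists e.g. CDPATH if the login shell exported it
#   run_clean apt upgrade    # maintainer scripts no longer see CDPATH
```

Packages that rely on variables from the calling environment, as mentioned in the post above, need those names added to the allowlist in `run_clean`.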
  • From Marc Haber@21:1/5 to All on Tue Mar 25 08:40:01 2025
    On Mon, 24 Mar 2025 13:59:00 -0700, John Darrah <xyllyx@gmail.com>
    wrote:
    > Insecure $ENV{CDPATH} while running with -T switch at
    > /usr/share/perl5/Debian/AdduserLogging.pm line 157.

    As this is another instance of probably the same issue in adduser:
    Should adduser clear out its environment completely when invoked?

    In the meantime, I have added code to adduser to unset $ENV{CDPATH}.

    Greetings
    Marc
    --
    ----------------------------------------------------------------------------
    Marc Haber         |   " Questions are the         | Mail address in header
    Rhein-Neckar, DE   |     Beginning of Wisdom "     |
    Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
