all messages for Guix-related lists mirrored at yhetil.org
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 36785@debbugs.gnu.org
Subject: bug#36785: Impossible to pull on foreign distro
Date: Sat, 21 Sep 2019 21:32:13 +0900
Message-ID: <87o8zd6d9u.fsf@gmail.com>
In-Reply-To: <87woe3otut.fsf@gnu.org> ("Ludovic Courtès"'s message of "Fri, 20 Sep 2019 17:44:26 +0200")



Hello,

Ludovic Courtès <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Indeed, the default recommended invocation to update the root's guix
>> could be changed to be 'sudo -i guix pull', which should work on all
>> systems including Ubuntu.
>
> Oh right.  Could you make this change in the manual?
>
> Thanks,
> Ludo’.

I looked at what was in the manual, and became less sure, thought maybe
'sudo -E' could be better, so I've done the following little experiment
using Docker to test an Ubuntu environment:

Here's the Dockerfile, with instructions to reproduce in it:

--8<---------------cut here---------------start------------->8---
FROM ubuntu

RUN apt-get update && apt-get install -y sudo
RUN useradd -ms /bin/bash user
RUN usermod -aG sudo user
RUN echo user:user | chpasswd

USER user

CMD bash

# To test (in the directory where this file is written as 'Dockerfile'):
# docker build .
# docker run -it --rm <image_id>

# Then run the following commands:
# export PATH=extra-stuff:$PATH
# sudo -E sh -c 'echo -e "env when using -E: \n$(env)\n\n"'
# sudo -i sh -c 'echo -e "env when using -i: \n$(env)\n\n"'
# sudo sh -c 'echo -e "env with plain sudo: $(env)\n\n"'
--8<---------------cut here---------------end--------------->8---

And the result:

--8<---------------cut here---------------start------------->8---
echo $PATH
echo $PATH
extra-stuff:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
user@e538556bf337:/$ sudo -E sh -c 'echo -e "env when using -E: \n$(env)\n\n"'
sudo -E sh -c 'echo -e "env when using -E: \n$(env)\n\n"'
-e env when using -E:
SUDO_GID=1000
USER=root
HOSTNAME=e538556bf337
SHLVL=1
HOME=/home/user
SUDO_UID=1000
LOGNAME=root
_=/usr/bin/sudo
TERM=xterm
USERNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LS_COLORS=rs=0:di=01;34:[...]

SUDO_COMMAND=/bin/sh -c echo -e "env when using -E:
$(env)

"
SHELL=/bin/bash
SUDO_USER=user
PWD=/

user@e538556bf337:/$ sudo -i sh -c 'echo -e "env when using -i: \n$(env)\n\n"'
sudo -i sh -c 'echo -e "env when using -i: \n$(env)\n\n"'
-e env when using -i:
SUDO_GID=1000
MAIL=/var/mail/root
USER=root
HOSTNAME=e538556bf337
SHLVL=1
HOME=/root
SUDO_UID=1000
LOGNAME=root
_=/bin/sh
USERNAME=root
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LS_COLORS=rs=0:di=01;34:ln=01;36: [...]

$(env)

"
SHELL=/bin/bash
SUDO_USER=user
PWD=/root

user@e538556bf337:/$ sudo sh -c 'echo -e "env with plain sudo: $(env)\n\n"'
sudo sh -c 'echo -e "env with plain sudo: $(env)\n\n"'
-e env with plain sudo: SUDO_GID=1000
MAIL=/var/mail/root
USER=root
HOSTNAME=e538556bf337
HOME=/home/user
SUDO_UID=1000
LOGNAME=root
TERM=xterm
USERNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
LS_COLORS=rs=0:di=01;34:ln=01;36: [...]
SUDO_COMMAND=/bin/sh -c echo -e "env with plain sudo: $(env)

"
SHELL=/bin/bash
SUDO_USER=user
PWD=/
--8<---------------cut here---------------end--------------->8---

What do we get from this?

Well, first, the user's PATH is *not* preserved when using 'sudo', at
least on Debian and Ubuntu.  These are configured out of the box to
reset the PATH to a 'safe' value, even when using the -E option of sudo.

We also see, as Ludovic found out, that the user's HOME is preserved for
the normal invocation of sudo on Ubuntu.

In light of this, I suggest the attached patch to our documentation.
It's a bit sub-optimal in that it modifies a section of the 'Guix
System', which behaved as described; but given that it's the only place
where we mention 'sudo guix pull', better safe than sorry, I'd say
(foreign distribution users might read it, thinking it also applies to
themselves).

Does that seem worthwhile/reasonable?


[-- Attachment #1.2: 0001-doc-Adapt-the-guix-pull-command-recommendation.patch --]
[-- Type: text/x-patch, Size: 2011 bytes --]

From bfa2f754592a00fefa4fcd20080582268b6273dd Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sat, 21 Sep 2019 20:36:04 +0900
Subject: [PATCH] doc: Adapt the guix pull command recommendation.

This change follows the discussion for issue #36785 (see:
https://bugs.gnu.org/36785).

* doc/guix.texi (After System Installation): Add the '-i' sudo option to the
suggested commands used to keep a Guix System up-to-date.  Although this
section is specific to Guix System, it is likely to be read by users of
foreign GNU/Linux distributions as well.  Remove the note, given that sudo
doesn't preserve the user's PATH on foreign distributions such as Debian.
---
 doc/guix.texi | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0ed59072c9..3690e3b152 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2387,8 +2387,8 @@ Success, you've now booted into Guix System!  From then on, you can update the
 system whenever you want by running, say:
 
 @example
-guix pull
-sudo guix system reconfigure /etc/config.scm
+sudo -i guix pull
+sudo -i guix system reconfigure /etc/config.scm
 @end example
 
 @noindent
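Review bot: The first `+` line changes which guix gets updated, not only how it is invoked: `guix pull` updated the invoking user's guix, while `sudo -i guix pull` updates root's, and the surrounding sentence ("you can update the system whenever you want by running, say") does not say so. Suggest adding a sentence after the example stating that both commands now run with root's login environment, and that a user's own guix still needs a plain `guix pull`. The absolute `/etc/config.scm` should stay absolute, since the experiment in this message shows `sudo -i` starting in /root rather than in the caller's directory.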
@@ -2396,14 +2396,6 @@ This builds a new system generation with the latest packages and services
 (@pxref{Invoking guix system}).  We recommend doing that regularly so that
 your system includes the latest security updates (@pxref{Security Updates}).
 
-@c See <https://lists.gnu.org/archive/html/guix-devel/2019-01/msg00268.html>.
-@quotation Note
-@cindex sudo vs. @command{guix pull}
-Note that @command{sudo guix} runs your user's @command{guix} command and
-@emph{not} root's, because @command{sudo} leaves @code{PATH} unchanged.  To
-explicitly run root's @command{guix}, type @command{sudo -i guix @dots{}}.
-@end quotation
-
 Join us on @code{#guix} on the Freenode IRC network or on
 @email{guix-devel@@gnu.org} to share your experience!
 
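Review bot: Deleting the whole `@quotation Note` block also drops the `@cindex sudo vs. @command{guix pull}` entry and the `@c` pointer to the guix-devel thread, so the manual no longer explains why `-i` appears in the example above. The commit message justifies the removal by sudo's behaviour on foreign distributions such as Debian, but this section documents Guix System; suggest rewording the note instead, for instance that whether `sudo guix` runs the user's or root's `guix` depends on how the distribution's sudo treats `PATH`, and that `sudo -i guix @dots{}` selects root's explicitly, keeping the index entry.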
-- 
2.23.0




Thanks,

Maxim
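
Added example, not part of the original message or of Guix: a shell helper that reads `env` dumps like the ones quoted above and reports whether the caller's PATH survived sudo and whose HOME is in effect. The function names (`classify_sudo_env`, `dump_sudo_*`) are hypothetical, and the dumps are constructed by abridging the output in the message.

```shell
#!/bin/sh
# Added example: classify `env` dumps captured under sudo.
# Values are abridged from the experiment output in the message above.
USER_PATH='extra-stuff:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
USER_HOME='/home/user'
SUDO_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'

# dump HOME_VALUE: print an abridged (constructed) env dump as seen under sudo.
dump() {
    printf 'SUDO_GID=1000\nUSER=root\nHOME=%s\nLOGNAME=root\n' "$1"
    printf 'PATH=%s\nSHELL=/bin/bash\nSUDO_USER=user\n' "$SUDO_PATH"
}
dump_sudo_E()     { dump /home/user; }   # sudo -E
dump_sudo_i()     { dump /root; }        # sudo -i
dump_sudo_plain() { dump /home/user; }   # plain sudo

# classify_sudo_env USER_PATH USER_HOME < env-dump
# Reports whether the invoking user's PATH survived and whose HOME is set.
# Only lines that start with PATH= or HOME= are read, so the multi-line
# SUDO_COMMAND value seen in the real output does not confuse it.
classify_sudo_env() {
    want_path=$1
    want_home=$2
    got_path=
    got_home=
    while IFS= read -r line; do
        case $line in
            PATH=*) got_path=${line#PATH=} ;;
            HOME=*) got_home=${line#HOME=} ;;
        esac
    done
    if [ "$got_path" = "$want_path" ]; then path_state=preserved; else path_state=reset; fi
    if [ "$got_home" = "$want_home" ]; then home_state=invoker; else home_state=target; fi
    printf 'PATH=%s HOME=%s\n' "$path_state" "$home_state"
}

# Summarise the three invocations tested in the message.
for mode in E i plain; do
    result=$("dump_sudo_$mode" | classify_sudo_env "$USER_PATH" "$USER_HOME")
    printf 'sudo (%s): %s\n' "$mode" "$result"
done
```

On a real host, pipe the output of `sudo sh -c env` (or the `-E` / `-i` variants) into `classify_sudo_env "$PATH" "$HOME"` to see which case applies.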
