From: Gábor Boskovits
Subject: bug#36785: Impossible to pull on foreign distro
Date: Wed, 18 Sep 2019 01:33:40 +0200
To: Ludovic Courtès
Cc: 36785@debbugs.gnu.org

Hello Ludo,

Ludovic Courtès <ludo@gnu.org> wrote (on Wed, 18 Sept. 2019, 0:04):
Hi,

Ludovic Courtès <ludo@gnu.org> wrote:

> Indeed.  I added ‘pk’ calls to print ‘%profile-directory’ and
> (canonicalize-profile %user-profile-directory), and here’s what I see
> with ‘sudo’:
>
> $ sudo -E ./pre-inst-env guix pull
>
> ;;; (pd "/var/guix/profiles/per-user/root")
>
> ;;; (upd "/home/ludo/.config/guix/current")

I used ‘-E’ above, which is why HOME was ~ludo instead of ~root.
Without ‘-E’, HOME is ~root as expected, and so “sudo guix pull” does
the right thing (this is on Guix System):

--8<---------------cut here---------------start------------->8---
$ sudo guix repl
GNU Guile 2.2.4
Copyright (C) 1995-2017 Free Software Foundation, Inc.

Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.

Enter `,help' for help.
scheme@(guix-user)> (getenv "HOME")
$1 = "/root"
scheme@(guix-user)> ,m(guix scripts pull)
scheme@(guix scripts pull)> %profile-directory
$2 = "/var/guix/profiles/per-user/root"
scheme@(guix scripts pull)> %user-profile-directory
$3 = "/root/.config/guix/current"
scheme@(guix scripts pull)> (cache-directory)
$4 = "/root/.cache/guix"
scheme@(guix scripts pull)> (config-directory)
$5 = "/root/.config/guix"
--8<---------------cut here---------------end--------------->8---

So ‘sudo guix pull’ really updates root’s profile and writes to
~root/.cache, everything is fine.

Done?

I investigated a bit, tried Debian, then Ubuntu, and found that ‘sudo’
on Ubuntu behaves differently: it preserves ‘HOME’ by default:

  $ sudo env | grep HOME
  HOME=/home/ubuntu

This is written here:

  https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells

(That’s with sudo 1.8.21p2, FWIW.)

Ubuntu’s /etc/sudoers doesn’t have anything special.  Actually, Debian
has (almost) the same /etc/sudoers and yet it does not preserve HOME.

(Time passes…)

Digging further, I fetched the source from
<https://packages.ubuntu.com/bionic/sudo>, and boom! I found the
culprit: it’s called ‘debian/patches/keep_home_by_default.patch’.

--8<---------------cut here---------------start------------->8---
Description: Set HOME in initial_keepenv_table
 Set HOME in initial_keepenv_table; without this, $HOME will never be
 preserved unless added to keep_env.  There's appropriate logic to handle
 resetting the home for -H and -i options, so this is the only part that's
 missing.
Author: Steve Langasek <steve.langasek@canonical.com>
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -189,6 +189,7 @@
=C2=A0 =C2=A0 =C2=A0"COLORS",
=C2=A0 =C2=A0 =C2=A0"DISPLAY",
=C2=A0 =C2=A0 =C2=A0"DPKG_COLORS",
+=C2=A0 =C2=A0 "HOME",
=C2=A0 =C2=A0 =C2=A0"HOSTNAME",
=C2=A0 =C2=A0 =C2=A0"KRB5CCNAME",
=C2=A0 =C2=A0 =C2=A0"LS_COLORS",
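Review bot: the added "HOME", entry in initial_keepenv_table makes every sudo invocation keep the caller's $HOME by default, so a command run as root reads its configuration from, and writes root-owned files into, the invoking user's home directory. The Description itself says HOME can already be preserved by adding it to keep_env, so I would drop this entry and leave that as a per-site opt-in; if the default has to change, the Description should state the behaviour change for root-run commands and not only that -H and -i still reset HOME.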
--8<---------------cut here---------------end--------------->8---

(This patch is playing with fire IMO.  If you’re an Ubuntu user,
consider reporting a bug!)

But anyway, what can we do?

We could ignore the issue, it’s-Ubuntu’s-fault, done.

We could also add some logic to detect whether (1) we’re running under
sudo, and in that case, and whether (2) $HOME matches $USER’s home
directory as it appears in /etc/passwd.  If both conditions are
satisfied, we could ignore $HOME and use the home directory from
/etc/passwd instead.

But… that’s complicated, and it’d break uses of ‘sudo -H’.

We could apply the patch I posted earlier, which simply disables profile
migration when SUDO_USER is set.  That won’t address the fact that root
writes to the user’s ~/.cache, but there’s not much we can do here.

Thoughts?

We could simply document a proper sudo invocation for updating root's guix, that
always works. Wdyt?

We could provide it simply as a hint if it fails.


Ludo’.




Best regards,
g_bor
--
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
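The check discussed in the message above (is the process running under sudo, and does HOME agree with the passwd entry), as an added shell example that is not part of the original message or of Guix. The function names passwd_home and check_sudo_home are hypothetical, and the passwd entries are constructed sample data.

```shell
#!/bin/sh
# Added example: classify HOME for a tool that may be run through sudo.
# Function names are hypothetical; the passwd data below is constructed.

# Print the home directory (field 6) of user $1 from passwd-format file $2.
# Exit status is non-zero when the user has no entry.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                       END { exit !found }' "$2"
}

# Arguments: effective user name, value of HOME, value of SUDO_USER
# (empty when not under sudo), passwd-format file.
# Prints "<verdict> <home directory the tool should use>".
check_sudo_home() {
    user=$1 home=$2 sudo_user=$3 passwd=$4
    expected=$(passwd_home "$user" "$passwd") || {
        echo "unknown-user $home"; return 2; }
    if [ -z "$sudo_user" ]; then
        echo "no-sudo $home"        # not under sudo: honour HOME as usual
    elif [ "$home" = "$expected" ]; then
        echo "ok $home"             # HOME is already the target user's home
    elif [ "$home" = "$(passwd_home "$sudo_user" "$passwd")" ]; then
        echo "preserved $expected"  # HOME still points at the invoking user
    else
        echo "custom $home"         # HOME was set to something else on purpose
    fi
}

# Constructed passwd data for the demonstration (not a real system file).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF

# sudo that keeps HOME: root runs with the invoking user's home directory.
check_sudo_home root /home/ubuntu ubuntu "$SAMPLE_PASSWD"   # preserved /root
# sudo that resets HOME for the target user.
check_sudo_home root /root ubuntu "$SAMPLE_PASSWD"          # ok /root
```

On a live system the arguments would come from `id -un`, `$HOME`, `$SUDO_USER` and /etc/passwd.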