Le quartidi 14 floréal, an CCXXIII, Jonathan Dowland a écrit : > This is inevitable with http_proxy, sadly, as there is no one place you can > put things that will guarantee that all processes with get them as environment > variables, and no guarantee that all processes will honour http_proxy anyway. This is true, but completely irrelevant in this case because the discussion is not about ALL processes, it is about this particular instance of the user's shell and apt-get. > There are drawbacks to doing it. With -E it's potentially passing > dangerous environment variables up to the super process. With whitelisting > the http_proxy you're exposing yourself to attacks where a malicious > person/process/whatever can point apt (or other things) at a malicious > http_proxy. Once again, this is true but irrelevant for this discussion. Sanitizing the environment against possible dangerous values is necessary when granting LIMITED privileges with sudo, i.e. allowing to run only some specific commands with elevated privileges. When granting UNLIMITED privileges, i.e. allowing to run any command with sudo, sanitizing the environment is just a matter of convenience. > Using 'sudo apt-get -o Acquire::http::Proxy=...' is so laborious that the > user is almost guaranteed to define a bash function or alias or something > else to save on typing. By which point they may as well have put it in the > apt configuration. And when the address of the proxy will change, they will have a hard figuring out what is wrong with apt-get. That is one of the drawback of your proposed solution. The major drawback, of course, is that you are suggesting a fix without having understood the problem first. This is a very bad habit. Regards, -- Nicolas George
Attachment:
signature.asc
Description: Digital signature