Bug#179846: xterm: not documented that xterm squelches ${TMPDIR}

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#179846: xterm: not documented that xterm squelches ${TMPDIR}
From: Matthew Swift <swift@alum.mit.edu>
Date: Tue, 04 Feb 2003 19:09:24 -0500
Message-id: <[🔎] 200302050009.h1509OqM013290@beth.swift.xxx>
Reply-to: Matthew Swift <swift@alum.mit.edu>, 179846@bugs.debian.org

Package: xterm
Version: 4.2.1-3
Severity: normal

The following seems to demonstrate that xterm squelches the environment
variable TMPDIR.  I'm guessing that it does this to close a security hole, but
the behavior is not documented in the man page or the README.debian file.  

I set TMPDIR in /etc/environment (I think the default /etc/environment does
this also).  My .xsession is a bash script that exports the settings in
/etc/environment to my window manager (Enlightenment).  (There may be another
mechanism that causes /etc/environment declarations to be exported to
xdm/X/window manager subprocesses, but my .xsession guarantees it by virtue of
being a Bash login shell.)  When I launch applications from my window manager's
menu system, they inherit the window manager's environment.  I count on this.
For example, my non-login Bash shells assume that the declarations in
/etc/environment (sourced and exported by /etc/profile) are in the environment.
An application changing environment variables unexpectedly is a security risk
of its own, e.g., this unexpected deletion makes the path ${TMPDIR}/home into
/home.

I myself will probably look into the sources to see whether xterm is deleting
any other envariables.  They should be listed in the documentation for everyone
to notice.


    [beth] swift> env -i bash --norc --noprofile
    bash-2.05b$ set; export TMPDIR=/tmp; export TMPTEST=/tmp
    BASH=/bin/bash
    BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="i386-pc-linux-gnu")
    BASH_VERSION='2.05b.0(1)-release'
    COLUMNS=169
    DIRSTACK=()
    EUID=501
    GROUPS=()
    HISTFILE=/home/swift/.bash_history
    HISTFILESIZE=500
    HISTSIZE=500
    HOSTNAME=beth
    HOSTTYPE=i386
    IFS=$' \t\n'
    LINES=70
    MACHTYPE=i386-pc-linux-gnu
    MAILCHECK=60
    OPTERR=1
    OPTIND=1
    OSTYPE=linux-gnu
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    PPID=11137
    PS1='\s-\v\$ '
    PS2='> '
    PS4='+ '
    PWD=/home/swift
    SHELL=/bin/bash
    SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
    SHLVL=1
    TERM=dumb
    UID=501
    _=bash
    bash-2.05b$ rm /tmp/result                                                                                                      
    bash-2.05b$ rm /tmp/result
    rm: cannot remove `/tmp/result': No such file or directory
    bash-2.05b$ /usr/bin/X11/xterm -display :0.0 -e bash --norc -noprofile -c 'echo TMPDIR=$TMPDIR and TMPTEST=$TMPTEST>/tmp/result'
    bash-2.05b$ cat /tmp/result
    TMPDIR= and TMPTEST=/tmp
    bash-2.05b$ 


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux beth 2.4.20 #1 Fri Jan 31 16:26:56 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages xterm depends on:
ii  debconf                  1.2.21          Debian configuration management sy
ii  libc6                    2.2.5-14.3      GNU C Library: Shared libraries an
ii  libfreetype6             2.1.2-9         FreeType 2 font engine, shared lib
ii  libncurses5              5.2.20020112a-8 Shared libraries for terminal hand
ii  libxaw7                  4.2.1-3         X Athena widget set library
ii  xlibs                    4.2.1-3         X Window System client libraries

-- debconf information:
* xterm/clobber_xresource_file: true
  xterm/xterm_needs_devpts:

Reply to:

Prev by Date: Bug#179789: Problem with X 4.2.1-5 and Radeons
Next by Date: Bug#179851: xserver-xfree86
Previous by thread: Bug#179789: Problem with X 4.2.1-5 and Radeons
Next by thread: Bug#179851: xserver-xfree86
Index(es):
- Date
- Thread