severity 842877 minor
retitle 842877 apt: should sanitize environment more thoroughly
kthxbye

On Wed, Nov 02, 2016 at 02:38:20AM +0100, David Kalnischkies wrote:
> On Tue, Nov 01, 2016 at 11:49:39PM +0000, brian m. carlson wrote:
> > 1. Add a new mirror to /etc/apt/sources.list.
>
> Can you go into more detail what you do in this step please?
> Are you installing -keyring packages perhaps?

No, simply adding a new Debian mirror is sufficient. In fact, that's not even required. All that's required is to make apt validate a GnuPG signature, so this will happen at least once a day anyway. It doesn't occur if apt doesn't validate a signature.

> > 2. Set "extra-socket ~/.gnupg/S.gpg-agent-extra" in your user's
> > ~/.gnupg/gpg-agent.conf
> > 3. As an unprivileged user in the sudo group, run "sudo -E apt-get update".
> > 4. Notice that there is now a root-owned gpg-agent running which has
> > inherited your user's homedir and configuration settings.
> > 5. Notice that your extra socket has been overwritten by root's gpg-agent.
>
> apt-key as called by apt doesn't use gnupg. The functionality apt is
> using from apt-key is gpgv only and that isn't spawning agents or
> whatever as there is no secret key material to protect.
>
> So, figuring out what is calling gpg would be good – or what is calling
> apt-key [which likely shouldn't be called it].

Ah, I think the problem could be that you end up invoking $SHELL (for me, zsh) somewhere (directly or indirectly), and therefore triggering my shell to spawn a new gpg-agent, since it reads from my home directory.

I can work around this issue, but I would say you probably don't want either my $HOME or my $SHELL for subprocesses. In fact, you probably want to sanitize the environment for subprocesses more thoroughly altogether to avoid this problem. I know apt has broken in the past because it inherited a root-only $TMPDIR.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
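The report above asks for a privileged tool to stop passing the calling user's $HOME, $SHELL and $TMPDIR through to its subprocesses. The following is an added illustration of the allow-list approach such a fix would take; it is not apt's code and the variable lists are assumptions chosen for the example. It builds a fresh environment from a short set of pass-through names plus fixed values that override whatever a `sudo -E` caller had set, and shows which of a constructed caller environment would be dropped or replaced.

```python
import os
import subprocess

# Variables that may pass through unchanged to a privileged helper.
# Everything else (HOME, SHELL, TMPDIR, GNUPGHOME, agent sockets, ...) is
# dropped.  This allow-list is an assumption for the example, not apt's policy.
SAFE_VARS = {"PATH", "LANG", "LC_ALL", "LC_CTYPE", "TERM", "TZ"}

# Fixed values a root-run helper always gets, regardless of the caller.
# PATH is listed in both sets on purpose: it is allowed, then overridden.
FIXED_VARS = {
    "HOME": "/root",
    "SHELL": "/bin/sh",
    "TMPDIR": "/tmp",
    "PATH": "/usr/sbin:/usr/bin:/sbin:/bin",
}


def sanitized_env(environ):
    """Return a new environment dict built from `environ`: only allow-listed
    names survive, and the fixed values override anything the caller set."""
    env = {k: v for k, v in environ.items() if k in SAFE_VARS}
    env.update(FIXED_VARS)
    return env


def dropped_vars(environ):
    """Names from `environ` whose value does not reach the subprocess
    unchanged (either removed or overridden), sorted for stable output."""
    clean = sanitized_env(environ)
    return sorted(k for k, v in environ.items() if clean.get(k) != v)


def run_sanitized(argv, environ=None):
    """Run `argv` with a sanitized environment and return its stdout."""
    env = sanitized_env(os.environ if environ is None else environ)
    result = subprocess.run(argv, env=env, capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed caller environment resembling what `sudo -E` would hand a
    # privileged process from an unprivileged user's session.
    caller = {
        "HOME": "/home/alice",
        "SHELL": "/usr/bin/zsh",
        "GNUPGHOME": "/home/alice/.gnupg",
        "TMPDIR": "/run/user/1000/tmp",
        "PATH": "/home/alice/bin:/usr/bin",
        "LANG": "C.UTF-8",
    }
    print("dropped or overridden:", dropped_vars(caller))
    # The child sees root's HOME and a plain /bin/sh, so a user's shell
    # startup files (and any agent they spawn) are never consulted.
    print(run_sanitized(["/bin/sh", "-c", "echo $HOME $SHELL"], caller))
```

The design point is that the environment is constructed rather than filtered: starting from an empty dict and adding known-good names means a new variable introduced by some future tool (another agent socket, another per-user override) is excluded by default instead of leaking through until someone notices.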