You are not logged in.

#1 2013-03-05 00:20:52

ackalker
Member
Registered: 2012-11-27
Posts: 198

makepkg should sanitize $PATH before building a package

After pulling my hair out for about an hour about why building aur/texmacs-pure package ended up having files in my $HOME dir in it, I would like to recommend the following:

makepkg should definitely (by default or as an option) have the capability to sanitize the $PATH before building packages.

What happened to me is actually quite benign, but it could be worse: people may have private builds of compilers, build tools, system utilities, etc. on their $PATH, and these would be used without warning by any upstream build system which isn't careful about this.

I would suggest setting

PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

, as is done at the top of /etc/profile, or perhaps source /etc/profile entirely, in order to pick up additions to $PATH done by any dependency packages. Also, any PKGBUILDS that absolutely need to have extra things on the $PATH, can easily set it inside the build() or package() functions.

Any comments or suggestions are welcome.

Last edited by ackalker (2013-03-05 00:25:44)

Offline

#2 2013-03-05 00:24:06

graysky
Member
From: /run/user/1000
Registered: 2008-12-01
Posts: 8,531
Website

Re: makepkg should sanitize $PATH before building a package

Probably better if you made this a bug report rather than a forum post.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#3 2013-03-05 00:28:26

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

You're probably right, but I didn't want to risk a simple, harsh 'wontfix' reply from the devs to cause this (IMHO) important issue to be swept under the rug ;-)

Last edited by ackalker (2013-03-05 00:28:43)

Offline

#4 2013-03-05 08:13:18

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,838

Re: makepkg should sanitize $PATH before building a package

I think you'd better explain your issue a bit more, before asking for global changes to makepkg. I just built that package with no problems - it contains the following files:

$ pacman -Qlp ../texmacs-pure-0.57-2-x86_64.pkg.tar.xz
texmacs-pure /usr/
texmacs-pure /usr/share/
texmacs-pure /usr/share/TeXmacs/
texmacs-pure /usr/share/TeXmacs/packages/
texmacs-pure /usr/share/TeXmacs/packages/puredoc.ts
texmacs-pure /usr/share/TeXmacs/plugins/
texmacs-pure /usr/share/TeXmacs/plugins/pure/
texmacs-pure /usr/share/TeXmacs/plugins/pure/doc/
texmacs-pure /usr/share/TeXmacs/plugins/pure/doc/pure-abstract.en.tm
texmacs-pure /usr/share/TeXmacs/plugins/pure/doc/pure-descr.en.tm
texmacs-pure /usr/share/TeXmacs/plugins/pure/doc/pure-texmacs.en.tm
texmacs-pure /usr/share/TeXmacs/plugins/pure/doc/pure.en.tm
texmacs-pure /usr/share/TeXmacs/plugins/pure/progs/
texmacs-pure /usr/share/TeXmacs/plugins/pure/progs/init-pure.scm
texmacs-pure /usr/share/TeXmacs/plugins/pure/progs/pure-input.scm
texmacs-pure /usr/share/TeXmacs/plugins/pure/progs/texmacs.pure

I have encountered the files-from-$HOME-in-package issue once or twice,but it was always traced back to a faulty PKGBUILD, Has this happened with any other packages you built?

Offline

#5 2013-03-05 09:46:27

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,409
Website

Re: makepkg should sanitize $PATH before building a package

If you want packages built in a clean environment, build them in a clean environment...  Look into devtools.

Offline

#6 2013-03-05 15:12:07

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

@tomk: Perhaps you missed the link to the AUR in my first post. In a comment I explained exactly what happened, but I'll summarize it here:

I am using a wrapper script (which is in ${HOME}/bin, which is on my $PATH) for starting TeXmacs. This wrapper gets picked up by upstream's Makefile, which in turn decides that $HOME must be where I've installed TeXmacs.

I think that requiring people to setup a proper buildroot just to build a few packages every now and then is a bit too much to ask, an option to clean out the environment variables with which they are built is more than enough to remedy 99% of the potential problems.

Last edited by ackalker (2013-03-05 15:19:18)

Offline

#7 2013-03-05 15:15:55

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,033

Re: makepkg should sanitize $PATH before building a package

I think it's a pretty wise rule not to muck around with other people's environments in your program. What if you, for whatever reason, actually want makepkg to use a modified PATH? It's not up to the devs to decide whether or not that situation might ever arise, because the moment it does, they'll have to deal with a complaint about makepkg changing the user's PATH without their explicit intent to do so.

Offline

#8 2013-03-05 15:22:11

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

Packages are meant to be installed system-wide, so you can reverse the question: is it okay for a package's build system to muck about with the system-wide environment (by incorporating random user settings into it) when the package is installed?

Last edited by ackalker (2013-03-05 15:25:06)

Offline

#9 2013-03-05 15:26:17

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

Insecure RPATHs are one prime example where the general verdict seems to be a resounding 'No'.

Offline

#10 2013-03-05 15:31:44

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,033

Re: makepkg should sanitize $PATH before building a package

ackalker wrote:

Packages are meant to be installed system-wide, so you can reverse the question: is it okay for a package's build system to muck about with the system-wide environment (by incorporating random user settings into it) when the package is installed?

But then that's a problem that needs to be fixed in the package upstream, not in makepkg.

Offline

#11 2013-03-05 15:38:49

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

Other potential culprits (gathered from a one-minute Google search):

$JAVA_HOME
$PYTHONPATH
$GOPATH
$GHC_PACKAGE_PATH

Offline

#12 2013-03-05 15:48:41

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,033

Re: makepkg should sanitize $PATH before building a package

ackalker wrote:

Packages are meant to be installed system-wide,

Also, that statement is false. Unless a package has a shitty build system, it should be able to accept the "prefix" and "DESTDIR" variables, which allow the user to install wherever he wants, which may not necessarily be system-wide.

Offline

#13 2013-03-05 16:29:04

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,838

Re: makepkg should sanitize $PATH before building a package

ackalker wrote:

I am using a wrapper script (which is in ${HOME}/bin, which is on my $PATH) for starting TeXmacs. This wrapper gets picked up by upstream's Makefile, which in turn decides that $HOME must be where I've installed TeXmacs.

OK... if I understand you correctly, you're suggesting that makepkg should be altered to workaround a known upstream bug? yikes

Offline

#14 2013-03-05 21:32:29

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,409
Website

Re: makepkg should sanitize $PATH before building a package

makepkg will not change in this regard - as I said above, build your packages in a clean chroot using devtools.

Offline

#15 2013-03-05 21:39:17

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,838

Re: makepkg should sanitize $PATH before building a package

If you're responding to me, Allan, well yeah, I already know that. smile

I guess I want the OP to give his original request a bit more thought.

Offline

#16 2013-03-05 22:02:28

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,688
Website

Re: makepkg should sanitize $PATH before building a package

#!/bin/bash
PATH=... \
JAVA_HOME=... \
PYTHONPATH=... \
GOPATH=... \
GHC_PACKAGE_PATH=... \
/usr/bin/makepkg "$@"

Offline

#17 2013-03-05 22:26:57

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,409
Website

Re: makepkg should sanitize $PATH before building a package

tomk wrote:

If you're responding to me, Allan, well yeah, I already know that. smile

More of a reinforcement of your message than a reply.

Offline

#18 2013-04-07 18:12:51

ackalker
Member
Registered: 2012-11-27
Posts: 198

Re: makepkg should sanitize $PATH before building a package

I'm sitting on a solution which I want to test some more.
Basically, the script
- clears out the environment by recursively calling itself using env -i
- sources the files under /etc/profile.d
- adds any variables with values specified by the user
- finally, executes the command specified by the user

I might post it when I'm satisfied with it.

Offline

Board footer

Powered by FluxBB