| Summary: | inconsistent treatment of environment variables | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jason Bradley Nance <jbnance> | ||||
| Component: | initscripts | Assignee: | Lukáš Nykrýn <lnykryn> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-daemons | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 5.7 | CC: | initscripts-maint-list, jbnance, notting, paolo.penzo | ||||
| Target Milestone: | rc | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 795539 (view as bug list) | Environment: | |||||
| Last Closed: | 2013-03-11 12:27:16 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
|
Description
Jason Bradley Nance
2012-01-16 16:09:52 UTC
*** This bug has been marked as a duplicate of bug 564093 *** Thanks for finding the other bug. However, the issue is either back, or was never actually fixed in both RHEL 5.7 and 6.2. I can't re-open the main bug, so reporting here. Neither the -m nor -p options for run user are anywhere in the daemon() function. Regression? runuser doesn't actually clear the environment variables.
runuser is based on 'su' code. If you look at 'info su invocation' (ugh, info files!):
...
`-'
`-l'
`--login'
Make the shell a login shell. This means the following. Unset all
environment variables except `TERM', `HOME', and `SHELL' (which
are set as described above), and `USER' and `LOGNAME' (which are
set, even for the super-user, as described above), and set `PATH'
to a compiled-in default value. Change to USER's home directory.
Prepend `-' to the shell's name, intended to make it read its
login startup file(s). When this option is given, /etc/pam.d/su-l
PAM file is used instead of the default one.
`-m'
`-p'
`--preserve-environment'
Do not change the environment variables `HOME', `USER', `LOGNAME',
or `SHELL'. Run the shell given in the environment variable
`SHELL' instead of the shell from USER's passwd entry, unless the
user running `su' is not the super-user and USER's shell is
restricted. A "restricted shell" is one that is not listed in the
file `/etc/shells', or in a compiled-in list if that file does not
exist. Parts of what this option does can be overridden by
`--login' and `--shell'.
...
So, what the change was in RHEL 5 and RHEL 6 was to drop the '-' from the commandline invocation, which should prevent variables from being unset. Passing -m or -p only affects certain variables, not generic ones.
What variables are you having problems with? Do you have an example script?
I'm attaching an example script. I tried to trim out as much fat as possible to demonstrate the issue (while still making it usable vs. theoretical). Sorry if it is appears cluttered. The start() function has been copied from the stock RHEL httpd init script with the exception of check13() was removed for this demonstration and --user was added to the call to daemon(). In the script, when the start() function uses daemon() (from /etc/init.d/functions), the variables that are exported in the script do not appear in the Apache process' environment. Instead, you get an environment as if it was a login shell. If you replace daemon() with mdaemon() (which is an exact copy of daemon() from functions except for -m has been added to the runuser command) in the start() function, you see the variables exported in the script in the Apache environment. I'm dumping the list of environment variables using a PHP script in the web root with nothing but phpinfo() in it. j Created attachment 556125 [details]
Script to start httpd process as non-root user and demonstrate issue
Environment as reported by phpinfo() using daemon(): HOSTNAME <the host name> SHELL /bin/bash HISTSIZE 150000 USER r11740 LS_COLORS no value SVVS_HOME /data02/svvs TNS_ADMIN /usr/lib/oracle/11.2/client64/network/admin MAIL /var/spool/mail/r11740 PATH /usr/local/bin:/bin:/usr/bin:/data02/svvs/bin:/usr/lib/oracle/11.2/client64/bin INPUTRC /etc/inputrc PWD /data02/apache/11740-svvs_test_1 LANG en_US.UTF-8 SHLVL 1 HOME /data02/apache/11740-svvs_test_1 LOGNAME r11740 LESSOPEN |/usr/bin/lesspipe.sh %s ORACLE_HOME /usr/lib/oracle/11.2/client64 G_BROKEN_FILENAMES 1 _ /usr/sbin/httpd Environment as reported by phpinfo() using mdaemon(): FOO bar PHP_INI_SCAN_DIR /data02/apache/11740-svvs_test_1/conf/php.d PATH /sbin:/usr/sbin:/bin:/usr/bin TNS_ADMIN /usr/lib/oracle/11.2/client64/network/admin PWD /root LANG C SHLVL 1 ORACLE_HOME /usr/lib/oracle/11.2/client64 _ /usr/sbin/httpd Note that ORACLE_HOME and TNS_ADMIN are set both in the script and the login shell. Sorry for that confusion. Hi, I was wondering if there was any update to this issue or if any additional information is needed. Thanks! Is the patch presented in 795539 valid for RHEL 5? Both RHEL 5 (as of 8.45.31-1) and RHEL 6 (as of 9.03.9-1) should be the same. Sorry about the delayed response - haven't had a chance to investigate deeper what's going on. I don't see a -m or -p in the runuser call with initscripts 8.45.38-2 on RHEL 5. See comment #3. Alrighty, thanks, I get it now. I wish I would have made a note of the version of initscripts that I was using to produce the bug 'cause the test box I'm using has been updated to the most recent version of everything and, of course, is working fine now. *facepalm* The new behaviour is quite dangerous since it could break startup scripts which assume to start in a clear or login environment when the --user option is used. Extra variables can still be read from the user profile or can be inserted in the commandline, i.e. daemon --user myuser "export VAR1=content1 VAR2=content2; /path/to/my/daemon-binary" So IMHO the daemon function should always clean the environment and preserving the root environment should be an extra option of the daemon function itself. Based on comment 14, this issue was already fixed -> closed. |