Bug 619533 - mock is not clearing the environment when it drops privs
mock is not clearing the environment when it drops privs
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mock (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Clark Williams
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-29 14:43 EDT by Toshio Ernie Kuratomi
Modified: 2013-01-10 01:06 EST (History)
4 users (show)

See Also:
Fixed In Version: mock-1.1.17-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-24 19:00:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Toshio Ernie Kuratomi 2010-07-29 14:43:46 EDT
Description of problem:

Recently I built a package in mock who's unittests attempts to invoke a non-existent program and checked that OSError, 2 -- File not found is returned.

In a local system, this works fine.  In mock, it returns Permission Denied instead.  A bit of debugging shows that the code searches the PATH for the non-existent program.  In mock, the PATH includes /root/bin/ which the mock user is not allowed to search.

I think what's happening is that when mock is invoked it needs root privileges to create the chroot.  When it drops privileges in the chroot, it fails to reset its environment to what a user would have.  This means that the unprivileged user has PATH set as though they were root instead of a PATH appropriate for themselves.  Doing this reset of the environment should solve the problem.

Version-Release number of selected component (if applicable):
mock-1.1.1-1.fc13.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. Create a spec file that prints the PATH.  For instance,

%prep
echo "$PATH"
echo "$HOME"

2. Build the package in mock
3.
  
Actual results:
The environment variables printed would be appropriate for the root user.

Expected results:
Environment variables printed would be appropriate for the non-privileged user that mock is running as.

Additional info:
For this particular problem, I was able to work around it by setting PATH manually:

%check
PATH=/bin:/usr/bin
nosetests
Comment 1 Clark Williams 2010-08-17 17:13:36 EDT
I'm looking at how we start subprocesses and how we could pass in an appropriate environment mapping based on the privilege level we have at the time of the call, but I'm not sure this is going to be an easy fix. I believe it means we have to maintain two environment mappings, one from our startup (privileged) and another which is a subset of that, with path components removed. It can be done but the potential for us missing something and causing havoc is high, so I don't want to just throw something together. 

Actually, looking at the environment I have as a user, I would really like to trim that down to a manageable set. Obviously we need PATH and HOME. Not sure whether we need TERM, LANG, SHELL, TMPDIR, TZ and USER.
Comment 2 Fedora Admin XMLRPC Client 2011-03-11 13:09:10 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Clark Williams 2011-10-12 18:43:01 EDT
added the clean_env() function to py/mockbuild/util.py for use in the --shell operation. I need to make sure that I've got all the env variables actually needed but if that function looks ok, I'll add it to the main routine that runs things inside the chroot.
Comment 4 Clark Williams 2011-10-12 18:44:06 EDT
Here's what I'm setting up in clean_env() and the return value is used to to replace os.environ:

def clean_env():
    env = {'TERM' : 'vt100',
           'SHELL' : '/bin/bash',
           'HOME' : '/builddir', 
           'HOSTNAME' : 'mock',
           'TMPDIR' : '/tmp' }
    env['LANG'] = os.environ.setdefault('LANG', 'en_US.UTF-8')
    env['TZ'] = os.environ.setdefault('TZ', 'EST5EDT')
    return env
Comment 5 Clark Williams 2011-10-13 14:12:27 EDT
ok, added the above logic to my tree and queued for mock-1.1.16 release
Comment 6 Fedora Update System 2011-10-14 12:29:11 EDT
mock-1.1.16-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mock-1.1.16-1.fc15
Comment 7 Fedora Update System 2011-10-14 12:30:14 EDT
mock-1.0.23-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mock-1.0.23-1.el5
Comment 8 Fedora Update System 2011-10-14 12:31:18 EDT
mock-1.1.16-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mock-1.1.16-1.fc14
Comment 9 Fedora Update System 2011-10-14 12:32:18 EDT
mock-1.1.16-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mock-1.1.16-1.el6
Comment 10 Fedora Update System 2011-10-15 16:25:37 EDT
Package mock-1.1.16-1.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mock-1.1.16-1.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14382
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2011-10-24 19:00:10 EDT
mock-1.1.16-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2011-10-24 19:05:32 EDT
mock-1.1.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2011-11-01 11:41:12 EDT
mock-1.1.17-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mock-1.1.17-1.fc15
Comment 14 Fedora Update System 2011-11-01 11:42:28 EDT
mock-1.1.17-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/mock-1.1.17-1.fc16
Comment 15 Fedora Update System 2011-11-01 11:43:44 EDT
mock-1.1.17-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mock-1.1.17-1.fc14
Comment 16 Fedora Update System 2011-11-01 11:45:11 EDT
mock-1.0.24-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mock-1.0.24-1.el5
Comment 17 Fedora Update System 2011-11-01 11:46:28 EDT
mock-1.1.17-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mock-1.1.17-1.el6
Comment 18 Fedora Update System 2011-11-10 20:23:26 EST
mock-1.1.17-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2011-11-26 14:24:31 EST
mock-1.1.17-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2011-11-26 14:25:52 EST
mock-1.0.24-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2011-11-26 18:03:09 EST
mock-1.1.17-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2011-11-26 18:07:18 EST
mock-1.1.17-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.