Install scriptlets source root users .bashrc when pacman is run through sudo

brainpower brainpower at mailbox.org
Sat Nov 6 16:25:14 UTC 2021


Hi,

recently I had very weird behavior when running pacman from an unprivileged user account using sudo compared to running `sudo -i` and then running pacman from the root user on one of my Arch Linux systems.

In the first case, post_upgrade, post_install or similar were NOT run, in the second case they ran fine.
I was very confused by that, spent quite some time staring at pacman.conf, /etc/sudoers and /etc/sudo.conf comparing those to machines where this weird behavior did not happen
and not spotting any differences...

I then had the idea to `strace -f` both cases, and found the following:

When running `sudo pacman ...` the bash process spawned by pacman to execute the install script reads and executes "/root/.bashrc"
and I had some old leftover code in there which basically did `exit 0` (my default shell is zsh, so that went unnoticed)
thus exiting bash before it could execute the package's install script.

When executing pacman from a root shell (even when gained by `sudo -i` for example)
the spawned bash does not source "/root/.bashrc".
(Which is the behavior I'd expect, since it should be a non-interactive bash process, right?)

I've added a simple testcase below that shows both behaviors.


So, I guess in the first case bash considers itself to be interactive somehow even if it should not?
I've got no idea how it could come to that conclusion...
IIRC, one usually checks if stdin is a tty, pty or something like that
and bash does indeed something like that if I read this correctly: https://git.savannah.gnu.org/cgit/bash.git/tree/shell.c#n523
Though having '-c' should even short-circuit that "if" to not even try to check for ttys.
But maybe it does something weird later...

Also in _alpm_run_chroot() I see that stdin, stdout and stderr get closed and then connected to pipes,
before execv() so they couldn't even be a tty or pty... or can they?
But then they would have to be even when pacman is not run through sudo... I'd guess.


So I'm kind of stuck at figuring out why that happens.

Anyone of you seeing something I'm missing here?



I did of course remove that old code from that .bashrc which caused the initial problem,
so package install scripts run fine now.
But pacman should maybe try to disable/remove such side effects if it can?




root at pc # cat /root/.bashrc
echo "This is /root/.bashrc !"


user at pc % sudo pacman -U installtest-1-1-x86_64.pkg.tar.zst
loading packages...
warning: installtest-1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Package (1)  Old Version  New Version  Net Change

installtest  1-1          1-1            0.00 MiB


:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) reinstalling installtest                     [######################] 100%
This is /root/.bashrc !
post_upgrade 1-1 1-1
:: Running post-transaction hooks...
(1/1) Update pacman-ps data

user at pc % sudo -i

root at pc # pacman -U installtest-1-1-x86_64.pkg.tar.zst
loading packages...
warning: installtest-1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Package (1)  Old Version  New Version  Net Change

installtest  1-1          1-1            0.00 MiB


:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) reinstalling installtest                     [######################] 100%
post_upgrade 1-1 1-1
:: Running post-transaction hooks...
(1/1) Update pacman-ps data


user at pc % cat PKGBUILD

pkgname=installtest
pkgver=1
pkgrel=1
arch=(x86_64)
install=installtest.install

package() {
   true
}

user at pc % cat installtest.install
post_upgrade() {
   echo "post_upgrade" "$@"
}
post_install() {
   echo "post_install" "$@"
}
post_remove() {
   echo "post_remove" "$@"
}



-- 
regards,
brainpower
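
Added example, not part of the original message and not pacman or bash code: the bash manual documents one case where a non-interactive `bash -c` still reads ~/.bashrc, namely when it decides its stdin is a network connection (the rshd/sshd case), and the bash source applies this only to a top-level shell (shell level below 2). The probe below checks that behavior locally with a throwaway HOME. That pacman's scriptlet stdin is a socket and that sudo's environment reset drops SHLVL are assumptions to confirm on the affected machine with strace, not facts from the post.

```python
import os
import socket
import subprocess
import tempfile

MARKER = "PROBE-BASHRC-SOURCED"  # constructed marker, not from the post


def bashrc_sourced(stdin_kind, shlvl=None):
    """Run `bash -c true` in a throwaway HOME; True if its .bashrc executed.

    stdin_kind: "socket" (one end of an AF_UNIX socketpair) or "pipe".
    shlvl: SHLVL value handed to bash, or None to leave it unset.
    """
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".bashrc"), "w") as rc:
            rc.write(f'echo "{MARKER}"\n')
        # Minimal environment so only HOME, PATH and (optionally) SHLVL matter.
        env = {"HOME": home, "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
        if shlvl is not None:
            env["SHLVL"] = str(shlvl)
        if stdin_kind == "socket":
            ours, theirs = socket.socketpair()
            stdin_fd, closers = theirs.fileno(), (ours.close, theirs.close)
        else:
            r, w = os.pipe()
            stdin_fd, closers = r, (lambda: os.close(r), lambda: os.close(w))
        try:
            result = subprocess.run(
                ["bash", "-c", "true"],
                stdin=stdin_fd, env=env,
                capture_output=True, text=True, check=False,
            )
        finally:
            for close in closers:
                close()
        return MARKER in result.stdout


if __name__ == "__main__":
    cases = [
        ("socket stdin, SHLVL unset", "socket", None),
        ("socket stdin, SHLVL=1 (child of a shell)", "socket", 1),
        ("pipe stdin, SHLVL unset", "pipe", None),
    ]
    for label, kind, shlvl in cases:
        state = "sourced" if bashrc_sourced(kind, shlvl) else "not sourced"
        print(f"{label:45} -> .bashrc {state}")
```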