nixos/system-environment: fix variable substitution #70137
Conversation
ofborg
bot
added
6.topic: nixos
|
Yeah, although we're doing something a bit weird here in matching up normal environment variables and |
We were only replacing them in the profiles. We also need to do this in the values of variables, including both the session-relative variables and the non-session-relative variables.
`@` synax is for `PAM_ITEM`s, `HOME` needs to use `$`.
worldofpeace
force-pushed
the
fix-pam-variable-subst
branch
from
81358ac to
d8b9742
Compare
worldofpeace
changed the title
Right, so it was only a suggestion for maybe someone else in the future to maybe notice 😄 Thanks again for fixing this 👍 |
ofborg
bot
removed
6.topic: nixos
nixos/system-environment: fix variable substitution (cherry picked from commit 49bc1bf)
| # We're trying to use the same syntax for PAM variables and env variables. | ||
| # That means we need to map the env variables that people might use to their | ||
| # equivalent PAM variable. | ||
| # Note: PAM_USER is a PAM_ITEM, HOME is an environment variable, they have |
There was a problem hiding this comment.
So actually '@{HOME}is special, and there are important reasons for preferring it which are outlined inman pam_env.conf`:
(Possibly non-existent) environment variables may be used in values using the ${string} syntax and (possibly non-existent)
PAM_ITEMs as well as HOME and SHELL may be used in values using the @{string} syntax. Both the $ and @ characters can be
backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many
environment variables that you would like to use may not be set by the time the module is called. For example, ${HOME} is
used below several times, but many PAM applications don't make it available by the time you need it. The special variables
@{HOME} and @{SHELL} are expanded to the values for the user from his passwd entry.
I remember running into problems when using $HOME instead of @{HOME} (as the quoted bit above says, HOME often isn't set by the time it's needed) but bouncing through commit logs on various machines I'm not finding evidence of such a (mis-)adventure. It may have been related to sshd/sudo, but regardless I am inclined to suggest we continue to prefer @{HOME} in pam-processed bits. That said I'm still sorting through this and similar recent changes and don't quite have it all in my head just yet :).
There was a problem hiding this comment.
If the docs say that, it's still a fairly easy change to revert
- replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["\${HOME}" "@{PAM_USER}"];
+ replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];and wasn't the motivation for this change anyways.
There was a problem hiding this comment.
Ah, here we go. Test is sudo env-- with the latest changes it's clear everything is wrong (HOME isn't set as described above, so all the variables are borked), reverting to use @{HOME} fixes them again.
Please confirm/test and let me know what you find.
Possibly part of what's going on with #70418, but don't have a full story explaining that behavior just yet.
There was a problem hiding this comment.
Ahh I see. Testing this change now. PR incoming since it should be completely fine.
There was a problem hiding this comment.
@dtzWill Yep sudo env now looks right.
There was a problem hiding this comment.
❤️ thanks for quick response, will take a look! And yes I don't think this will be hard to fix or require big reverts or anything :).
…e-subst" This reverts commit 08e03bf.
|
Rats, sorry, I read the documentation but evidently not enough! What I thought was a comprehensive list of |
|
No worries, I'm not even sure this means it's a "PAM_ITEM" or if pam_env handles them in addition to "actual" "PAM_ITEM"s or if we care if it's a "PAM_ITEM" or not 😁. I saw you mention checking |
That's what I got from the doc as well. And no worries, you might have noticed even the best of break things regularly 😄 As long as the release doesn't see it we're usually fine. |
…-variable-subst"" This reverts commit 9f9fea1.
Motivation for this change
There were two issues:
HOMEisn't aPAM_ITEMso we need to use${HOME}.Fixes #69316.
Someone other than me should also test this!
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @worldofpeace