The apt tool chain doesn't seem to sanitize its environment
John Darrah
2025-03-24 21:00:01 UTC
I encountered the following error while upgrading a 'testing/trixie' install.

Setting up network-manager (1.52.0-5) ...
Insecure $ENV{CDPATH} while running with -T switch at
/usr/share/perl5/Debian/AdduserLogging.pm line 157.
dpkg: error processing package network-manager (--configure):
installed network-manager package post-installation script
subprocess returned error exit status 25

I unset CDPATH, then reinstalled and it completed without an error. I
would think the apt toolchain should not allow the root interactive
environment to be exposed while installing packages.

-- john
Aaron Rainbolt
2025-03-24 23:30:01 UTC
On Mon, 24 Mar 2025 13:59:00 -0700
Post by John Darrah
> I encountered the following error while upgrading a 'testing/trixie' install.
> Setting up network-manager (1.52.0-5) ...
> Insecure $ENV{CDPATH} while running with -T switch at
> /usr/share/perl5/Debian/AdduserLogging.pm line 157.
> installed network-manager package post-installation script
> subprocess returned error exit status 25
> I unset CDPATH, then reinstalled and it completed without an error. I
> would think the apt toolchain should not allow the root interactive
> environment to be exposed while installing packages.

This isn't really the fault of apt. apt may legitimately need to
change its behavior in response to environment variables, and there are
packages (at least outside of the Debian archive, and maybe inside as
well) that change their behavior depending on the environment they're
called with. Kicksecure's packages are an example of this, and they
very much benefit from the environment propagating like this.

The program that should be sanitizing your environment is whatever
privilege escalation tool you're using (usually sudo). If it's not
sanitizing your environment properly, you may want to check your
sudoers configuration and change it so it does sanitize things
properly. Alternatively, if you're logging in as root and then running
apt, you can use "env -i" to sanitize the environment before calling
apt.

--
Aaron
Post by John Darrah
> -- john
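
The "env -i" approach described in the reply above, as an added example that is not part of any post in this thread and is not apt or adduser code. The function names `risky_env_vars` and `run_clean` and the allowlist of PATH, HOME, TERM and LANG are assumptions; the variable list is the one perlsec tells taint-mode scripts to delete before running external commands.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the allowlist below
# are assumptions chosen for illustration.

# Besides PATH, perlsec names these as variables a script running under -T
# must clean before it may run external commands.
RISKY_VARS="IFS CDPATH ENV BASH_ENV"

# Print each risky variable that is exported in the current environment,
# i.e. the ones a maintainer script started from this shell would inherit.
risky_env_vars() {
    for name in $RISKY_VARS; do
        if printenv "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Run a command with an environment rebuilt from scratch. Only the variables
# listed here reach the child; anything else (CDPATH, DEBIAN_FRONTEND, proxy
# settings, ...) is dropped and must be added deliberately if it is needed.
run_clean() {
    env -i \
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        HOME="${HOME:-/root}" \
        TERM="${TERM:-dumb}" \
        LANG="${LANG:-C.UTF-8}" \
        "$@"
}

# Constructed demo in a subshell: simulate a root shell that exports CDPATH,
# list what would leak, then show that the child started by run_clean does
# not see it.
(
    export CDPATH=/srv
    echo "exported risky variables:"
    risky_env_vars
    run_clean sh -c 'echo "CDPATH in child: ${CDPATH-<unset>}"'
)

# Usage from a root shell, for the reinstall mentioned in the first post:
#   run_clean apt-get install --reinstall network-manager
```
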
Marc Haber
2025-03-25 07:40:01 UTC
Post by John Darrah
> Insecure $ENV{CDPATH} while running with -T switch at
> /usr/share/perl5/Debian/AdduserLogging.pm line 157.

As this is another instance of probably the same issue in adduser:
Should adduser clear out its environment completely when invoked?

In the meantime, I have added code to adduser to unset $ENV{CDPATH}.

Greetings
Marc
--
----------------------------------------------------------------------------
Marc Haber | " Questions are the | Mail address in header
Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402