FS#56683 - [shadow] filesystem 2017.10-2 wrong $PATH order because /etc/login.defs vs /etc/profile collision

Attached to Project: Arch Linux
Opened by Natrio (natrio) - Monday, 11 December 2017, 17:29 GMT
Last edited by Sébastien Luttringer (seblu) - Tuesday, 19 December 2017, 12:57 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 8
Private No

Details

After filesystem upgrade to 2017.10-2 the PATH variable have wrong order like /usr/bin:/usr/local/sbin:/usr/local/bin:...

As a result, this raises the priority packaged executables higher than local executables, and it is a problem, if some commands are locally redefined.

Previously PATH was like /usr/local/sbin:/usr/local/bin:/usr/bin:... , and revertind to filesystem-2017.03-2 can also turns it back.

The collision is between /etc/login.defs file:

-------------------------------
ENV_SUPATH PATH=/usr/bin
ENV_PATH PATH=/usr/bin
-------------------------------

and /etc/profile :

-------------------------------
appendpath () {
case ":$PATH:" in
*:"$1":*)
;;
*)
PATH="$PATH:$1"
esac
}

appendpath '/usr/local/sbin'
appendpath '/usr/local/bin'
appendpath '/usr/bin'
-------------------------------

As we see, the PATH firstly defined as "/usr/bin" in login.defs, and AFTER that appended to "/usr/bin:/usr/local/sbin:/usr/local/bin" .

Last "appendpath '/usr/bin'" line was not affected, because it already present in PATH.
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Tuesday, 19 December 2017, 12:57 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.5-4
Comment by Eli Schwartz (eschwartz) - Monday, 11 December 2017, 17:41 GMT
I noticed this before in https://bugs.archlinux.org/task/47884#comment163291 but apparently this did not get fixed before moving the new filesystem to core.
Comment by Natrio (natrio) - Monday, 11 December 2017, 17:52 GMT
I don't think it only in [shadow] package.

So, if PATH is empty on start of /etc/profile script, it caused PATH=:/usr/local/sbin:/usr/local/bin:/usr/bin as result, because appendpath() always adding ":" before any dir.
Comment by Douglas McFadzean (ninian) - Monday, 11 December 2017, 19:03 GMT
We use /usr/local/bin extensively to locally "front" various system programs in /usr/bin.
(Surely this is an entirely reasonable way to use PATH and the /usr/local/bin directory?)
This problem badly impacted on our usage of several systems; various programs were just not behaving as expected.
For us, the severity is medium, but we have worked around by resetting PATH to sensible ordering within the Openbox environment.
Comment by Eli Schwartz (eschwartz) - Monday, 11 December 2017, 19:28 GMT
@natrio,

Interesting, good catch!

@seblu,

I think appendpath should be using PATH="${PATH:+$PATH:}$1". This is specified by POSIX to only add the : if PATH already contains something in it.
Comment by Sébastien Luttringer (seblu) - Monday, 11 December 2017, 23:15 GMT
I will fix the appendpath in the next filesystem release. Thanks Eli and Natrio.

I didn't catch the order issue before, will look tomorrow.
Comment by Sébastien Luttringer (seblu) - Saturday, 16 December 2017, 16:31 GMT
So, I pushed a shadow 4.5-4 with default arch PATH in login.defs. New filesystem version will arrive soon.
Comment by Natrio (natrio) - Saturday, 16 December 2017, 17:12 GMT
@seblu,
testing/shadow 4.5-4 works for me, thanks!

Loading...