Bug#573325: openssh-client: ssh-agent strips LD_LIBRARY_PATH from user profile in X sessions

2011-05-03 Thread Kalle Olavi Niemitalo
Package: x11-common
Version: 1:7.5+8
File: /etc/X11/Xsession.d/90x11-common_ssh-agent

/etc/X11/Xsession.d/90x11-common_ssh-agent nowadays saves and
restores TMPDIR:

  STARTUP="$SSHAGENT $SSHAGENTARGS ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"

Please consider tunneling LD_LIBRARY_PATH in the same way.
Until then, I've added a similar hack in ~/.xsessionrc.

I spent half an hour searching for what deleted the variable
(and now more complaining about it...).  It's documented in
/usr/share/doc/openssh-client/README.Debian.gz (since bug
#167974), but I didn't originally know ssh-agent was the cause,
so didn't look there.  Perhaps this should be mentioned in
Xsession(5) as well?

Also, I think the problem could be fixed with two executables.
A not-setgid wrapper would create a pipe and fork.  The child
process would write all of its environment variables to the pipe
and exit.  The parent process would exec the setgid ssh-agent and
tell it the file descriptor of the pipe.  The setgid ssh-agent
would lose some environment variables on startup but read them
all back from the pipe and eventually pass them to execle().




Bug#573325: openssh-client: ssh-agent strips LD_LIBRARY_PATH from user profile in X sessions

2011-02-26 Thread Cyril Brulebois
Hi Julien,

Julien Bigot julien.bi...@ifrance.com (10/03/2010):
> ssh-agent as launched by /etc/X11/Xsession.d/90x11-common_ssh-agent
> is the parent of every user process in an X session however,
> ssh-agent is suid root and thus removes LD_LIBRARY_PATH from its
> environment as a result, setting LD_LIBRARY_PATH in your
> environment does not work for X sessions
>
> The second approach where ssh-agent generate shell commands should
> be used instead.  With this approach it is not the father of other
> processes anymore.

(oh, a para* machine)

I guess it would be nice to have a proposed tested patch, so that we
can discuss its inclusion.

KiBi.




Bug#573325: openssh-client: ssh-agent strips LD_LIBRARY_PATH from user profile in X sessions

2011-02-26 Thread Julien Cristau
severity 573325 wishlist
tag 573325 moreinfo
kthxbye

> Julien Bigot julien.bi...@ifrance.com (10/03/2010):
> > ssh-agent as launched by /etc/X11/Xsession.d/90x11-common_ssh-agent
> > is the parent of every user process in an X session however,
> > ssh-agent is suid root and thus removes LD_LIBRARY_PATH from its
> > environment as a result, setting LD_LIBRARY_PATH in your
> > environment does not work for X sessions
> >
> > The second approach where ssh-agent generate shell commands should
> > be used instead.  With this approach it is not the father of other
> > processes anymore.
 
I'm not sure that's a good plan.  The way it's currently started, the
ssh-agent process dies together with the session, that would probably
not happen if we start it as suggested.

Cheers,
Julien



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#573325: openssh-client: ssh-agent strips LD_LIBRARY_PATH from user profile in X sessions

2010-03-10 Thread Julien Bigot
Package: openssh-client
Version: 1:5.3p1-3
Severity: normal

ssh-agent as launched by /etc/X11/Xsession.d/90x11-common_ssh-agent is the
parent of every user process in an X session.
However, ssh-agent is suid root and thus removes LD_LIBRARY_PATH from its
environment.
As a result, setting LD_LIBRARY_PATH in your environment does not work for X
sessions.

The second approach, where ssh-agent generates shell commands, should be used
instead.
With this approach it is not the father of other processes anymore.

Best regards,
Julien

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser                3.112             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.28            Debian configuration management sy
ii  dpkg                   1.15.5.6          Debian package management system
ii  libc6                  2.10.2-6          Embedded GNU C Library: Shared lib
ii  libedit2               2.11-20080614-1   BSD editline and history libraries
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-7 MIT Kerberos runtime libraries - k
ii  libssl0.9.8            0.9.8m-2          SSL shared libraries
ii  passwd                 1:4.1.4.2-1       change and administer password and
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra  0.4.1      list of non-default blacklisted Op
ii  xauth                    1:1.0.4-1  X authentication utility

Versions of packages openssh-client suggests:
pn  keychain     none  (no description available)
pn  libpam-ssh   none  (no description available)
pn  ssh-askpass  none  (no description available)

-- no debconf information






Bug#573325: openssh-client: ssh-agent strips LD_LIBRARY_PATH from user profile in X sessions

2010-03-10 Thread Colin Watson
reassign 573325 x11-common
thanks

On Wed, Mar 10, 2010 at 05:03:55PM +0100, Julien Bigot wrote:
> ssh-agent as launched by /etc/X11/Xsession.d/90x11-common_ssh-agent is
> the parent of every user process in an X session however, ssh-agent is
> suid root and thus removes LD_LIBRARY_PATH from its environment as a
> result, setting LD_LIBRARY_PATH in your environment does not work for
> X sessions
>
> The second approach where ssh-agent generate shell commands should be
> used instead. With this approach it is not the father of other
> processes anymore.

I mostly tend to agree, although note that your alternative approach
makes it difficult to ensure that ssh-agent goes away when the X session
dies.  Something would need to be done about that; I don't know what.

In any case, this file is shipped by x11-common rather than by
openssh-client, so reassigning there.

-- 
Colin Watson   [cjwat...@debian.org]


