Recent update to upstream sudo broke Archlinux template updates #9395

Closed
vx-sec opened this issue Aug 8, 2024 · 2 comments · Fixed by QubesOS/qubes-core-agent-linux#519
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: Arch Linux The Arch Linux template diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

vx-sec commented Aug 8, 2024

Qubes OS release

R4.2

Brief summary

Archlinux upstream decided to include secure_path by default in sudoers. It's a problem for us because we set /run/qubes/bin/pacman in PATH so that our pacman, with tinyproxy set, runs. The new update prevents Archlinux from updating by preventing PATH from being propagated during sudo pacman -Syu.

https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/commit/e5e504db273b7b0a3990da6a8acf9d515d654ec6

Steps to reproduce

Update an Archlinux template so that it gets sudo 1.9.15.p5-2. Try sudo pacman -Syu again.

Expected behavior

The system updates.

Actual behavior

The system fails to upgrade because the /usr/bin/pacman is used, preventing it from using our updates proxy.
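
The lookup change described in the report above, as an added example that is not part of the original issue or of the Qubes code: a POSIX shell sketch that resolves a command under the caller's PATH and under a sudoers secure_path, using a constructed temporary tree and constructed sudoers samples. The function names are hypothetical, and treating an absent secure_path as "PATH is kept" is a simplifying assumption.

```sh
#!/bin/sh
# Added illustration: all paths and the sudoers samples are constructed.

# Print the first executable named $1 in the colon-separated directory list $2.
resolve_in() {
    _ifs=$IFS; IFS=:
    for _dir in $2; do
        if [ -n "$_dir" ] && [ -x "$_dir/$1" ]; then
            IFS=$_ifs; printf '%s\n' "$_dir/$1"; return 0
        fi
    done
    IFS=$_ifs; return 1
}

# Print the quoted global secure_path from sudoers file $1 (last entry wins).
# Scoped Defaults (Defaults:user, Defaults>root) are out of scope here.
secure_path_of() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# Return 0 if `sudo $1` resolves to the same file as `$1` does for a caller
# whose PATH is $2, given sudoers file $3; print both resolutions.
same_under_sudo() {
    _user=$(resolve_in "$1" "$2") || _user=none
    _sp=$(secure_path_of "$3")
    [ -n "$_sp" ] || _sp=$2   # assumption: without secure_path, PATH is kept
    _sudo=$(resolve_in "$1" "$_sp") || _sudo=none
    printf 'user=%s sudo=%s\n' "$_user" "$_sudo"
    [ "$_user" = "$_sudo" ]
}

# Build a throwaway tree with a wrapper and a real "pacman" plus two sudoers.
make_sandbox() {
    _root=$(mktemp -d) || return 1
    for _d in run/qubes/bin usr/bin; do
        mkdir -p "$_root/$_d"
        printf '#!/bin/sh\necho %s\n' "$_d" > "$_root/$_d/pacman"
        chmod +x "$_root/$_d/pacman"
    done
    printf 'Defaults env_reset\n' > "$_root/sudoers.plain"
    printf 'Defaults secure_path="%s"\n' "$_root/usr/bin" > "$_root/sudoers.secure"
    printf '%s\n' "$_root"
}

demo() {
    _root=$(make_sandbox) || return 1
    _path="$_root/run/qubes/bin:$_root/usr/bin"
    same_under_sudo pacman "$_path" "$_root/sudoers.plain" || echo "unexpected mismatch"
    same_under_sudo pacman "$_path" "$_root/sudoers.secure" || echo "wrapper bypassed under sudo"
    rm -rf "$_root"
}
demo
```

The same comparison can be pointed at a real sudoers file and the wrapper directory a template relies on, to confirm that directory is still reachable under sudo after a package update.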

vx-sec added the P: default and T: bug labels Aug 8, 2024
andrewdavidwong added the C: Arch Linux, needs diagnosis and affects-4.2 labels Aug 8, 2024

alimirjamali commented Aug 9, 2024

To be certain, is this only applicable if you try to update manually via sudo pacman -Syu from the terminal emulator?

qubes-vm-update --targets archlinux --force-update -v should work?
GUI updater should work?
sudo -i and then pacman -Syu should work?

p.s. This is still a bug. But most users would face it when trying sudo pacman -Sy packages to install packages rather than during updates.

alimirjamali added a commit to alimirjamali/qubes-core-agent-linux that referenced this issue Aug 15, 2024

PR Submitted

Review priority: medium

andrewdavidwong added the diagnosed and pr submitted labels and removed the needs diagnosis label Aug 16, 2024
alimirjamali added a commit to alimirjamali/qubes-core-agent-linux that referenced this issue Aug 16, 2024
marmarek pushed a commit to QubesOS/qubes-core-agent-linux that referenced this issue Nov 5, 2024