Unable to override the TMPDIR environment variable #2641

Open
bertogg opened this issue Jan 28, 2019 · 10 comments

@bertogg commented Jan 28, 2019

Linux distribution and version

Debian r9.7 ("stretch") and Debian testing

Flatpak version

1.0.6
(Debian 1.0.6-1~bpo9+1 for stretch and 1.0.6-2 for testing)

Description of the problem

It's not possible to override the TMPDIR environment variable (neither with the --env command-line option nor with the [Environment] section on the metadata file).

Steps to reproduce

$ flatpak run --env=TMPDIR=foobar --command=sh APP_NAME
sh-4.4$ echo $TMPDIR

sh-4.4$

Additional information

This is working fine with Flatpak 1.0.3 from Fedora 29 Silverblue, and reportedly also with version 1.0.6 from the same distribution.

Here's an example of an actual bug where this is causing problems: flathub/org.telegram.desktop#62

@smcv (Contributor) commented Jan 29, 2019

Debian does not apply any patches to Flatpak related to TMPDIR, so I don't know why this would be different.

@bertogg (Author) commented Jan 29, 2019

Ok, I found the problem.

The bubblewrap binary has the setuid bit set in Debian, and glibc removes some environment variables from those programs, including TMPDIR:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/generic/unsecvars.h;hb=HEAD

@smcv (Contributor) commented Jan 29, 2019

Hmm, yes. In principle Flatpak could pass those variables through (if set) with bwrap --setenv instead?

@smcv (Contributor) commented Jan 29, 2019

TMPDIR might well be the only interesting one in that list in practice.

@bertogg (Author) commented Jan 29, 2019

That sounds like a good solution.
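
The pass-through suggested above, sketched as an added example (not Flatpak's or bubblewrap's code, and not part of anyone's comment): a launcher moves the variables glibc would strip out of the environment and onto the `bwrap` command line as `--setenv NAME VALUE`. The function names and the one-entry list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Names glibc removes from the environment of setuid programs.
   Assumption: only TMPDIR is listed here; unsecvars.h has the full list. */
static const char *const stripped[] = { "TMPDIR", NULL };

/* Length of NAME if entry is "NAME=..." and NAME is on the list, else 0. */
static size_t stripped_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; stripped[i] != NULL; i++)
        if (strlen(stripped[i]) == len && strncmp(stripped[i], entry, len) == 0)
            return len;
    return 0;
}

/* Split the environment wanted inside the sandbox (NULL-terminated list of
   "NAME=VALUE" strings, modified in place) into "--setenv NAME VALUE" triples
   in argv and the remaining entries in envp. For n inputs, argv needs room
   for 3n+1 pointers and envp for n+1. Returns the number of argv entries. */
size_t split_sandbox_env(char **wanted, const char **argv, char **envp)
{
    size_t na = 0, ne = 0;
    for (size_t i = 0; wanted[i] != NULL; i++) {
        size_t len = stripped_name_len(wanted[i]);
        if (len == 0) {
            envp[ne++] = wanted[i];     /* survives a setuid exec as-is */
            continue;
        }
        wanted[i][len] = '\0';          /* cut "NAME=VALUE" in two */
        argv[na++] = "--setenv";
        argv[na++] = wanted[i];
        argv[na++] = wanted[i] + len + 1;
    }
    argv[na] = NULL;
    envp[ne] = NULL;
    return na;
}

int main(void)
{
    char tmp[] = "TMPDIR=foobar", lang[] = "LANG=C.UTF-8"; /* constructed input */
    char *wanted[] = { tmp, lang, NULL }, *envp[3];
    const char *argv[7];
    size_t n = split_sandbox_env(wanted, argv, envp);
    for (size_t i = 0; i < n; i++)
        printf("%s ", argv[i]);
    puts("");
    return 0;
}
```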

jurf referenced this issue in flathub/org.telegram.desktop Jan 30, 2019
@philmmanjaro commented Jul 1, 2019

Has there been some progress here, or is sysctl kernel.unprivileged_userns_clone=1 currently the preferred way, as I see a trend on desktop-oriented distros to enable it by default via CONFIG_USER_NS_UNPRIVILEGED=y? Also, why is TMPDIR an unsecure var in glibc?

@refi64 (Contributor) commented Jul 1, 2019

It's cleared out because being able to override setuid's tmpdir means you can try to manipulate files in ways it's not expecting.

@philmmanjaro commented Jul 1, 2019

Setting --with-priv-mode=none in bubblewrap instead of --with-priv-mode=setuid might only work when the kernel supports unprivileged_userns_clone. Is that really the way to go? Should flatpaks not rather use bwrap --setenv instead if they need TMPDIR?

@anthraxx commented Jul 1, 2019

@wland32 commented Jul 8, 2019

Anything new on this solution?
Arch just broke my setup due to the removal of suid to work around this issue, and I would really like to see both bubblewrap and flatpak work again on Debian as well as Arch's linux-hardened kernel.

If there is anything I can do as a non-developer, please let me know. (Where is the tip jar?)
