`sudo` `secure_path` overrides PATH modified by Use {tool} Version tasks #1092

Open
smurawski opened this issue Jul 17, 2019 · 3 comments

@smurawski (Member) commented Jul 17, 2019

Describe the bug

On a hosted Linux agent:

When using a tool version selector task, like "Use Ruby Version" with addToPath, the ruby command is symlinked to `/usr/bin/ruby` and `/opt/hostedtoolcache/Ruby/2.5.5/x64/bin` is added to the path.

This makes the resulting path `/opt/hostedtoolcache/Ruby/2.5.5/x64/bin:/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin`

When one would sudo as part of the task, the path is overwritten by the `secure_path` default in `/etc/sudoers` or configuration files under `/etc/sudoers.d`.

This resets the path to `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin`

While the ruby command is still available while using sudo, gem, bundle, rake and other commands that are installed to `/opt/hostedtoolcache/Ruby/2.5.5/x64/bin` are unavailable, which greatly limits the usability of the selected tool.

Expected behavior

I expect that the tool version I selected will behave similarly when using sudo or not. I expect the libraries and tools that are installed to that toolchain's path will be available when using sudo.

Actual behavior

While ruby is available, none of the libraries or tools installed to the bin directory of the selected runtime are available.

```yaml
pool:
  vmImage: 'ubuntu-16.04'
steps:
  - task: UseRubyVersion@0
    inputs:
      versionSpec: 2.5.5
      addToPath: true
  - script: |
      echo "ruby version:"
      ruby --version
      echo "gem version:"
      gem --version
    displayName: Show Ruby Version
  - script: |
      echo "ruby version:"
      sudo -E ruby --version
      echo "gem version:"
      sudo -E gem --version
    displayName: Sudo Show Ruby Version
```

Image impacted

ubuntu

@smurawski (Member, Author) commented Jul 17, 2019

A possible resolution would be to add the vsts user's group to an exempted group in the /etc/sudoers configuration

```
Defaults exempt_group=group_of_the_vsts_user_here
```

@smurawski (Member, Author) commented Jul 17, 2019

Possibly related to #185

@vtbassmatt (Member) commented Jul 17, 2019

(Note, this isn't specific to Ruby. Python and other toolcache tools experience the same thing.)
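
Added example, not part of the issue thread or the project's code: a POSIX shell check of the behaviour reported above, listing which PATH entries `secure_path` drops and which commands stop resolving under `sudo`. It goes slightly beyond the thread by also flagging dropped directories that a non-root account can write to, which is worth knowing before exempting a group from `secure_path`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; both PATH values are quoted from the issue, function names are made up.
AGENT_PATH='/opt/hostedtoolcache/Ruby/2.5.5/x64/bin:/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'
SECURE_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin'

# dropped_dirs USER_PATH SECURE_PATH: print USER_PATH entries absent from SECURE_PATH.
dropped_dirs() (
  set -f; IFS=:
  for dir in $1; do
    [ -n "$dir" ] || continue
    case ":$2:" in
      *":$dir:"*) ;;
      *) printf '%s\n' "$dir" ;;
    esac
  done
)

# resolve_in PATH_VALUE CMD: print the first executable file CMD (symlinks followed), else exit 1.
resolve_in() (
  set -f; IFS=:
  for dir in $1; do
    if [ -n "$dir" ] && [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
      printf '%s\n' "$dir/$2"; exit 0
    fi
  done
  exit 1
)

# lost_under_sudo USER_PATH SECURE_PATH CMD...: print each CMD found on USER_PATH only.
lost_under_sudo() (
  user_path=$1; secure_path=$2; shift 2
  for cmd in "$@"; do
    if resolve_in "$user_path" "$cmd" >/dev/null &&
       ! resolve_in "$secure_path" "$cmd" >/dev/null; then
      printf '%s\n' "$cmd"
    fi
  done
)

# writable_by_nonroot DIR: succeed if DIR is not owned by uid 0 or is group/other
# writable, i.e. a non-root account could place a command there.
writable_by_nonroot() {
  [ -n "$(find "$1" -prune \( ! -user 0 -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

dropped_dirs "$AGENT_PATH" "$SECURE_PATH" | while IFS= read -r d; do
  if writable_by_nonroot "$d"; then note='writable by non-root'; else note='root-only or absent'; fi
  printf 'dropped by secure_path: %s (%s)\n' "$d" "$note"
done
```

On an agent, `lost_under_sudo "$PATH" "$SECURE_PATH" ruby gem bundle rake` lists the commands that a `sudo` step will not find.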
