[packagekit] PATH missing in backends

Thomas Wood thomas at openedhand.com
Mon Jan 7 10:25:38 PST 2008


On Mon, 2008-01-07 at 18:12 +0000, Richard Hughes wrote:
> On Mon, 2008-01-07 at 14:03 +0000, Thomas Wood wrote:
> > > IIRC, all the env vars are unset by pk_spawn for security's sake.
> > I guess that sort of makes sense, but unfortunately I have just
> > discovered the reason Ipkg needs PATH is because it spawns wget to
> > download packages...
> 
> Well, in src/pk-main.c we do clearenv - we don't need to - but it
> prevents packagekitd being run differently when being run system
> activated and when being run manually.
> 
> In src/pk-spawn.c we do a g_spawn_async_with_pipes with no environment,
> which Ken is correct is for security. This is the sort of security from
> the "I don't know what is unsafe, so pass nothing" school, and can
> certainly be improved by someone who knows better than me.
> 
> It would certainly be valid to preserve PATH, but the question is why
> you would want to. Why goes wget rely on PATH?

It doesn't (as far as I know), but libipkg relies on PATH to find wget
to download packages.

As David suggested, it might be sensible to just setenv a new (trusted)
PATH value. Should packagekitd or the backend do this?

Regards,

Thomas

-- 
OpenedHand Ltd.

Unit R Homesdale Business Center / 216-218 Homesdale Road /
Bromley / BR1 2QZ / UK             Tel: +44 (0)20 8819 6559

Expert Open Source For Consumer Devices - http://o-hand.com/
------------------------------------------------------------




More information about the PackageKit mailing list