[apparmor] aa-notify still broken :-(

Christian Boltz apparmor at cboltz.de
Sat Sep 24 00:25:15 UTC 2011 

Hello,

Am Samstag, 24. September 2011 schrieb Seth Arnold:
> When I was on SuSE, undoing the env_reset option was always the
> second thing I fixed -- immediately after fixing sudo asking for the
> target user's password instead of the current user's password.

;-)

> If you almost never use sudo to start graphical programs you can
> instead use: ssh -X root at localhost aa-notify

Huh, are you really allowing root logins over ssh? I don't ;-)

And even if I prefer su over sudo, sudo is the better choice for 
aa-notify because it can be set to NOPASSWD. That's quite useful if you 
want aa-notify autostarted at login...

> But guessing on a DISPLAY feels very wrong to me. Keeping one that is
> correct feels so much more correct than guessing a replacement.

Looks like I should have commented on the patch a bit more in my 
previous mail ;-)  OK, I'll do it now.

If $DISPLAY was set before, it won't be modified.

The hardcoded :0 will only be used as a fallback/default if $DISPLAY is 
not set at all.

That said: I also don't really like the solution with a somewhat 
hardcoded $DISPLAY as default value, however it's much better than not 
setting it at all because not having $DISPLAY is guaranteed to break 
displaying the notifications.

In other words: we have to choose between
a) break aa-notify for all openSUSE users when using sudo because 
   $DISPLAY is not set (current code)
b) break aa-notify for openSUSE users who use sudo and need $DISPLAY
   set to something else than :0

I'd say b) sounds like the better solution - it fixes the problem for 
99% of the people. And the remaining 1% (those with $DISPLAY != :0) can 
still use
    sudo DISPLAY="$DISPLAY" aa-notify -p
and will get working notifications.


The hint about $DISPLAY and sudo possibly unsetting it should be added 
to the aa-notify documentation, but I'll leave that to someone else.


(I said most of this on IRC already, but having a permanent copy in the 
mailinglist archives won't hurt ;-)


Regards,

Christian Boltz
-- 
Eine Katze hat einen Schwanz mehr als keine Katze. Keine Katze hat
zwei Schwänze, also hat eine Katze drei Schwänze.
[Bernd Brodesser in suse-linux]

More information about the AppArmor mailing list