[apparmor] aa-notify still broken :-(

John Johansen john.johansen at canonical.com
Sat Sep 24 09:24:16 UTC 2011 

On 09/23/2011 04:01 PM, Christian Boltz wrote:
> Hello,
> 
> Am Freitag, 23. September 2011 schrieb Christian Boltz:
>> I just noticed that aa-notify is still (partly) broken :-(
>>
>> If I start it with sudo ("sudo /usr/sbin/aa-notify -p" or with
>> additional "-u cb"), I don't get any desktop notification :-(
>>
>> If I use "su" and then "aa-notify -p -u cb", it works.
> 
> After a long debugging session with John on IRC I found out that sudo on 
> openSUSE resets or deletes too many environment variables. It turned out 
> that $HOME and $DISPLAY need to be set to the correct value - otherwise
> $notify_exe can't connect to DBUS to display the message.
> 
> Getting the correct $HOME is easy.
> 
> $DISPLAY is a different beast - if sudo unsets it, the best thing I can
> do is to hardcode it to ":0" which should fit most systems.
> I'm open for better ideas, but please ACK my patch before - it makes the
> situation much better compared to the current aa-notify ;-)
> 
> 
> === modified file 'utils/aa-notify'
> --- utils/aa-notify     2011-08-17 14:48:12 +0000
> +++ utils/aa-notify     2011-09-23 22:54:46 +0000
> @@ -305,6 +305,12 @@
>          # notify-send needs $< to be the unprivileged user
>          $< = $>;
>  
> +        # we need correct values for $HOME and $DISPLAY environment variables, otherwise
> +        # $notify_exe won't be able to connect to DBUS to display the message
> +        $ENV{'HOME'} = (getpwuid $>)[7]; # homedir of the user
> +        if (!defined($ENV{'DISPLAY'})) { 
> +            $ENV{'DISPLAY'} = ':0'; # best-possible guess
> +        }
>          # 'system' uses execvp() so no shell metacharacters here.
>          # $notify_exe is an absolute path so execvp won't search PATH.
>          system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";
> 
> 
> 
> Regards,
> 
> Christian Boltz

So I am not very happy with setting the display with a guess but the best I
can come up with is either using a flag, but there is no point to doing that
when you can do
  sudo DISPLAY="$DISPLAY" aa-notify -p

I'm not sure setting DISPLAY = :0 is better than documenting the sudo case
and that DISPLAY with need to be set.

So Ack on the setting of HOME, and hold off on DISPLAY for the moment
anyways.  I would like to hear more of what others have to say on that part

More information about the AppArmor mailing list