[apparmor] aa-notify still broken :-(
Jamie Strandboge
jamie at canonical.com
Sat Sep 24 12:51:17 UTC 2011
On Sat, 2011-09-24 at 13:52 +0200, Christian Boltz wrote:
> Hello,
>
> On Saturday, 24 September 2011, John Johansen wrote:
> > On 09/23/2011 04:01 PM, Christian Boltz wrote:
> > > After a long debugging session with John on IRC I found out that
> > > sudo on openSUSE resets or deletes too many environment variables.
> > > It turned out that $HOME and $DISPLAY need to be set to the
> > > correct value - otherwise $notify_exe can't connect to DBUS to
> > > display the message.
> > >
> > > Getting the correct $HOME is easy.
> > >
> > > $DISPLAY is a different beast - if sudo unsets it, the best thing I
> > > can do is to hardcode it to ":0" which should fit most systems.
> > > I'm open for better ideas, but please ACK my patch before - it
> > > makes the situation much better compared to the current aa-notify
> > > ;-)
>
> > So I am not very happy with setting the display with a guess but the
> > best I can come up with is either using a flag, but there is no
> > point to doing that when you can do
> > sudo DISPLAY="$DISPLAY" aa-notify -p
>
> Maybe a flag (and/or an option in the config file) would still be better
> than "sudo DISPLAY=...". I'm not too familiar with sudo, but I'd guess
> that you can limit what a user can hand over as environment variables.
> Having an option for aa-notify might be more flexible regarding sudo.
> (If I'm wrong about the restrictions in sudo, forget this note ;-)
>
> > I'm not sure setting DISPLAY = :0 is better than documenting the sudo
> > case and that DISPLAY will need to be set.
>
> The point is that setting DISPLAY=:0 will fix the issue for (I'd guess)
> 99% of the users. That makes it a good default IMHO.
>
> Documentation is of course needed, and maybe even a warning at startup
> (if -p is given) saying
> Environment variable $DISPLAY not set - falling back to default :0
>
> That said: I also don't really like the solution with the hardcoded
> default of :0, but it's the least bad (!= best) solution I can imagine.
>
> > So Ack on the setting of HOME, and hold off on DISPLAY for the moment
> > anyways. I would like to hear more of what others have to say on
> > that part
>
> OK, I committed the HOME part and a TODO note about $DISPLAY.
I didn't get a chance to comment on this. Setting DISPLAY to the default
of ':0' feels wrong to me too. I don't have an alternative at this time.
As for HOME, I think putting it in send_message is the wrong place.
While it is guaranteed to always be up to date, I don't think that
people are changing their HOME all that often and I think all the hits
on an LDAP database for each message is too much. I think that something
like the attached patch (against current trunk) would be better
(untested).
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aa-notify-home-lookups.patch
Type: text/x-patch
Size: 1771 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110924/e852fe8b/attachment.bin>
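
Added example, not part of the original message and not the scrubbed patch: a Python sketch of the two ideas discussed above, resolving HOME with a single passwd lookup at startup instead of once per message, and treating the ":0" DISPLAY default as an opt-in fallback that prints the warning proposed in the thread. The names build_notify_env, make_sender, allow_display_fallback and the injected run callable are hypothetical and are not aa-notify's own interface.

```python
import os
import pwd
import sys

DEFAULT_DISPLAY = ":0"  # the fallback value debated in the thread


def build_notify_env(user, environ=None, lookup=pwd.getpwnam,
                     allow_display_fallback=False, warn=sys.stderr):
    """Resolve HOME and DISPLAY for the notification helper once, at startup."""
    environ = os.environ if environ is None else environ
    # One passwd lookup (possibly LDAP-backed) per process, not per message.
    # The value comes from the passwd database, not from the scrubbed sudo env.
    env = {"HOME": lookup(user).pw_dir}
    display = environ.get("DISPLAY")
    if not display:
        if not allow_display_fallback:
            # Documented sudo case: the caller must hand DISPLAY over explicitly.
            raise RuntimeError(
                'DISPLAY not set; run: sudo DISPLAY="$DISPLAY" aa-notify -p')
        print("Environment variable $DISPLAY not set - "
              "falling back to default " + DEFAULT_DISPLAY, file=warn)
        display = DEFAULT_DISPLAY
    env["DISPLAY"] = display
    return env


def make_sender(user, run, **kwargs):
    """Return a send_message() that reuses the environment resolved above.

    `run(text, env)` is a hypothetical callable standing in for whatever
    launches the notification program with the given environment.
    """
    env = build_notify_env(user, **kwargs)

    def send_message(text):
        # No directory lookup here: HOME was cached when the sender was built.
        return run(text, env)

    return send_message


if __name__ == "__main__":
    # Constructed demo: print instead of launching a real notifier.
    me = pwd.getpwuid(os.getuid()).pw_name
    send = make_sender(me, lambda text, env: print(env, text),
                       allow_display_fallback=True)
    for line in ("constructed denial 1", "constructed denial 2"):
        send(line)
```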