[apparmor] aa-notify still broken :-(
John Johansen
john.johansen at canonical.com
Mon Sep 26 23:36:50 UTC 2011
On 09/24/2011 04:52 AM, Christian Boltz wrote:
> Hello,
>
> On Saturday, 24 September 2011, John Johansen wrote:
>> On 09/23/2011 04:01 PM, Christian Boltz wrote:
>>> After a long debugging session with John on IRC I found out that
>>> sudo on openSUSE resets or deletes too many environment variables.
>>> It turned out that $HOME and $DISPLAY need to be set to the
>>> correct value - otherwise $notify_exe can't connect to DBUS to
>>> display the message.
>>>
>>> Getting the correct $HOME is easy.
>>>
>>> $DISPLAY is a different beast - if sudo unsets it, the best thing I
>>> can do is to hardcode it to ":0" which should fit most systems.
>>> I'm open for better ideas, but please ACK my patch before - it
>>> makes the situation much better compared to the current aa-notify
>>> ;-)
>
>> So I am not very happy with setting the display with a guess but the
>> best I can come up with is either using a flag, but there is no
>> point to doing that when you can do
>> sudo DISPLAY="$DISPLAY" aa-notify -p
>
> Maybe a flag (and/or an option in the config file) would still be better
> than "sudo DISPLAY=...". I'm not too familiar with sudo, but I'd guess
> that you can limit what a user can hand over as environment variables.
> Having an option for aa-notify might be more flexible regarding sudo.
> (If I'm wrong about the restrictions in sudo, forget this note ;-)
>
>> I'm not sure setting DISPLAY = :0 is better than documenting the sudo
>> case and that DISPLAY will need to be set.
>
> The point is that setting DISPLAY=:0 will fix the issue for (I'd guess)
> 99% of the users. That makes it a good default IMHO.
>
> Documentation is of course needed, and maybe even a warning at startup
> (if -p is given) saying
> Environment variable $DISPLAY not set - falling back to default :0
>
> That said: I also don't really like the solution with the hardcoded
> default of :0, but it's the least bad (!= best) solution I can imagine.
>
Christian,
After discussing this a bit I think the flag is a way to go.
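
The options weighed in this thread, sketched as an added shell example (not aa-notify's code and not from either poster). It assumes a precedence of explicit flag value, then inherited $DISPLAY, then the ":0" fallback with the warning text proposed above. The names resolve_display and valid_display are hypothetical, and the format check on the value is an addition, included because the value crosses the sudo boundary.

```shell
#!/bin/sh
# Added example: choose the X display for a notifier started under sudo.
# Assumed precedence: flag value > inherited $DISPLAY > fallback ":0".

# Accept only display strings shaped like [host]:N or [host]:N.S
valid_display() {
    case $1 in
        # Reject any character outside the allowed set (spaces, ';', newlines...)
        *[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]*:[0-9]+(\.[0-9]+)?$'
}

# $1 = value given via a (hypothetical) command-line flag, may be empty.
# Prints the display to use on stdout; warnings and errors go to stderr.
resolve_display() {
    if [ -n "$1" ]; then
        candidate=$1
        origin="flag"
    elif [ -n "${DISPLAY:-}" ]; then
        candidate=$DISPLAY
        origin="environment"
    else
        # sudo stripped the variable: warn and use the default
        echo 'Environment variable $DISPLAY not set - falling back to default :0' >&2
        echo ':0'
        return 0
    fi

    if valid_display "$candidate"; then
        printf '%s\n' "$candidate"
    else
        echo "Refusing malformed display from $origin: $candidate" >&2
        return 1
    fi
}
```

A malformed value is rejected rather than silently replaced by ":0", so a typo in the flag does not send notifications to a different session than the one intended.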