clean up system/per-user proxy handling

Bug #432631 reported by DSHR
28
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Ubuntu Translations
Fix Released
Undecided
Unassigned
apt (Ubuntu)
Fix Released
High
Michael Vogt
Lucid
Fix Released
High
Michael Vogt
gnome-control-center (Ubuntu)
Fix Released
Medium
Martin Pitt
Lucid
Fix Released
Medium
Martin Pitt
sudo (Ubuntu)
Fix Released
Medium
Martin Pitt
Lucid
Fix Released
Medium
Martin Pitt

Bug Description

Binary package hint: sudo

It is possibly a good idea to preserve the http_proxy environment variable during sudo.
If http_proxy is preserved, no_proxy, https_proxy and ftp_proxy should be preserved too. Not doing so leads to an unusable variable state after sudo -i. Apt-get for example does not work correctly after setting the proxy in gnome with a list of internal hosts to ignore (10.0.0.0/8 and 192.168.0.0/16).

Can be fixed easily with the attached patch.

ProblemType: Bug
Architecture: i386
Date: Fri Sep 18 19:03:07 2009
DistroRelease: Ubuntu 9.10
Package: sudo 1.7.0-1ubuntu2
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 LANGUAGE=de_DE.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-10.34-generic
SourcePackage: sudo
Uname: Linux 2.6.31-10-generic i686

Revision history for this message
DSHR (s-heuer) wrote :
Revision history for this message
Hubert FONGARNAND (hfongarnand) wrote :

you can tweak default sudoers

and add

Defaults env_keep+="no_proxy"

Revision history for this message
DSHR (s-heuer) wrote :

I'm currently using on our company intranet:

Defaults env_reset
Defaults env_keep -= "http_proxy https_proxy no_proxy ftp_proxy"

and use /etc/apt/apt.conf.d/19apt-cacher-ng like this

$ sudo cat /etc/apt/apt.conf.d/19apt-cacher-ng
Acquire::http { Proxy "http://10.176.8.59:3142"; };

to make sure that the user using an http proxy or not is not able to influence the desired system behaviour
(using an APT-Cacher-NG on the campus LAN).

The bug is about the mixed up configuration ...

Jonathan Davies (jpds)
Changed in sudo (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Revision history for this message
Torsten Spindler (tspindler) wrote :
Revision history for this message
Martin Pitt (pitti) wrote :

Michael,

the http_proxy preservation was added to sudo a couple of releases back, as a hideous hack. Admittedly we should preserve all or none of those, so the patch makes sense if we still need $http_proxy through sudo. However, I'd much rather see this disappear entirely again than piling up more and more of those.

Doesn't the installer allow you to configure an apt proxy system wide nowadays? Could we just drop the $http_proxy hack from sudo, to fix this in a much cleaner fashion? Right now, this patch makes our sudo incompatible with Debian's, upstream's, and anyone else's.

Thanks!

summary: - sudo fails to preserve no_proxy env var
+ sudo only preserves some, but not all proxy env vars
Changed in sudo (Ubuntu):
importance: Wishlist → Medium
Revision history for this message
Martin Pitt (pitti) wrote : Re: sudo only preserves some, but not all proxy env vars

The patch was (rightfully) rejected upstream, for the record.

Revision history for this message
Martin Pitt (pitti) wrote :

This was just discussed in #ubuntu-devel. That was the plan:

 * Drop the gconfery from apt's daily cron job

 * Move the gconfery to apt's postinst, to set the proxy during upgrade to lucid, once. This means that we can entirely drop all hacks from lucid+1 on.

 * Drop the hack from sudo, so that it's back to upstream behaviour.

 * Change the wording in control-center to also point out that "Apply system wide" is necessary for package installation, if the proxy makes sense in a system wide context.

Changed in sudo (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: Confirmed → In Progress
Changed in apt (Ubuntu):
status: New → Triaged
assignee: nobody → Martin Pitt (pitti)
Changed in gnome-control-center (Ubuntu):
status: New → Triaged
Changed in apt (Ubuntu):
importance: Undecided → High
assignee: Martin Pitt (pitti) → Michael Vogt (mvo)
Changed in gnome-control-center (Ubuntu):
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
summary: - sudo only preserves some, but not all proxy env vars
+ clean up system/per-user proxy handling
Changed in sudo (Ubuntu):
status: In Progress → Triaged
Changed in apt (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-1
Changed in gnome-control-center (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-1
Changed in sudo (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-1
Changed in sudo:
importance: Unknown → Undecided
status: Unknown → New
affects: sudo → null
Martin Pitt (pitti)
Changed in null:
status: New → Invalid
Revision history for this message
Michael Vogt (mvo) wrote :

I would say we should also

 * add check in control center so that it warns if you are admin user and change the settings but do not apply system wide

Revision history for this message
Colin Watson (cjwatson) wrote :

Does it still make sense to do this for Lucid? There are lots of interesting warts here: for example, it's important to make sure that it's possible to set the proxy in control-center in a live session and have that apply to the installation, since there's no other way to set a proxy during installation at the moment. Would it be better to accept the patch to limp along with the existing approach for Lucid, and clean up next time round?

Revision history for this message
Michael Vogt (mvo) wrote :

I added code now to the apt postinst to write the http proxy out once (and only once). The suport for looking into gconf is removed from the daily cron job. The user and/or gnome-control-center need to make sure to update the global settings now and provide a UI that makes it clear if there are inconsistencies between the user settings and the system settings.

Changed in apt (Ubuntu Lucid):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu2

---------------
apt (0.7.25.3ubuntu2) lucid; urgency=low

  [ Michael Vogt ]
  * abicheck/
    - add new abitest tester using the ABI Compliance Checker from
      http://ispras.linuxfoundation.org/index.php/ABI_compliance_checker
  * debian/apt.conf.autoremove:
    - add "oldlibs" to the APT::Never-MarkAuto-Sections as its used
      for transitional packages
  * apt-pkg/deb/dpkgpm.cc:
    - fix backgrounding when dpkg runs (closes: #486222)
  * cmdline/apt-mark:
    - show error on incorrect aguments (LP: #517917), thanks to
      Torsten Spindler
  * cmdline/apt-get.cc:
    - if apt-get source foo=version or foo/distro can not be found,
      error out (LP: #502641)
  * apt-pkg/indexfile.cc:
    - deal correctly with three letter langcodes (LP: #391409)
  * debian/apt.cron.daily:
    - do not look into admin users gconf anymore for the http proxy
      the user now needs to use the "Apply system-wide" UI in the
      gnome-control-center to set it
  * debian/apt.postinst:
    - add set_apt_proxy_from_gconf() and run that once on upgrade if
      there is no proxy configured already system-wide (LP: #432631)
      From that point on gnome-control-center will have to warn if
      the user makes changes to the proxy settings and does not apply
      them system wide

  [ Robert Collins ]
  * Change the package index Info methods to allow apt-cache policy to be
    useful when using several different archives on the same host.
    (Closes: #329814, LP: #22354)
 -- Michael Vogt <email address hidden> Fri, 12 Mar 2010 23:10:52 +0100

Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in gnome-control-center (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2
Changed in sudo (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2
Revision history for this message
Steve Langasek (vorlon) wrote :

Are the other two package tasks still targets for lucid?

Revision history for this message
Martin Pitt (pitti) wrote :

That's still on our radar, yes. The sudo change is trivial (revert a small patch to keep the environment), and it is actually ready to be uploaded, now that the apt fix is done. I'll do it ASAP.

Changed in sudo (Ubuntu Lucid):
status: Triaged → In Progress
Changed in gnome-control-center (Ubuntu Lucid):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.2p1-1ubuntu4

---------------
sudo (1.7.2p1-1ubuntu4) lucid; urgency=low

  * env.c: Revert addition of "http_proxy" again. This was an Ubuntu specific
    EBW hack, caused inconsistencies with other proxy variables (such as
    https_proxy and ftp_proxy), made sudo incompatible to upstream
    behaviour/documentation. This is solved in a much better way in apt itself
    and gnome-network-properties now. (LP: #432631)
 -- Martin Pitt <email address hidden> Fri, 26 Mar 2010 18:48:18 +0100

Changed in sudo (Ubuntu Lucid):
status: In Progress → Fix Released
Martin Pitt (pitti)
Changed in gnome-control-center (Ubuntu Lucid):
status: Triaged → In Progress
assignee: Canonical Desktop Team (canonical-desktop-team) → Martin Pitt (pitti)
Revision history for this message
Martin Pitt (pitti) wrote :

For the control-center check I need to introduce one new string. When you close the proxy window, and system settings differ from user settings, and the user is an admin, you will get an additional question now:

  http://people.canonical.com/~pitti/tmp/proxy.png

The "Apply system wide..." button is already translated (in the main window), but the message box dialog text is new.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-control-center - 1:2.29.92-0ubuntu4

---------------
gnome-control-center (1:2.29.92-0ubuntu4) lucid; urgency=low

  * 50_ubuntu_systemwide_prefs.patch: If the user has different proxy settings
    than the system, and is an admin, ask whether to apply the settings system
    wide for package management. (LP: #432631)
  * 50_ubuntu_systemwide_prefs.patch: Drop unused connection to session D-Bus,
    and two unused variables.
  * 50_ubuntu_systemwide_prefs.patch: Fix two format string errors.
 -- Martin Pitt <email address hidden> Mon, 29 Mar 2010 17:19:35 +0200

Changed in gnome-control-center (Ubuntu Lucid):
status: In Progress → Fix Released
David Planella (dpm)
affects: null → ubuntu-translations
Changed in ubuntu-translations:
status: Invalid → New
Revision history for this message
JPM (jpm) wrote :

My current versions:
gnome-control-center 1:2.30.1-0ubuntu1
apt 0.7.25.3ubuntu7
sudo 1.7.2p1-1ubuntu5

Still getting the same errors as described with wget/apt etc. I am using 10.04 updated fully with the main repo's.

This is quite an urgent bug as everybody on our university's campus need to use the proxy to access the internet.

JPM (jpm)
Changed in apt (Ubuntu Lucid):
status: Fix Released → New
Revision history for this message
JPM (jpm) wrote :

Symptoms is the same as Bug #534225.

Revision history for this message
Martin Pitt (pitti) wrote :

Problems with wget are certainly not a bug in apt, and the cronjob that was changed in apt is not that "user visible". JPM, please describe exactly which problem do you see.

Changed in apt (Ubuntu Lucid):
status: New → Fix Released
Revision history for this message
David Planella (dpm) wrote :
Changed in ubuntu-translations:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.