Open vx-sec opened 1 month ago
To be certain, is this only applicable if you try to update manually via sudo pacman -Syu
from the terminal emulator?
qubes-vm-update --targets archlinux --force-update -v
should work?
GUI updater should work?
sudo -i
and them pacman -Syu
should work?
p.s. This is still a bug. But most users would face it when trying sudo pacman -Sy packages
to install packages rather than during updates.
PR Submitted
Review priority: medium
Qubes OS release
R4.2
Brief summary
Archlinux upstream decided to include secure_path by default in sudoers. It's a problem for us because we use set
/run/qubes/bin/pacman
in PATH so ourpacman
with set tinyproxy runs. The new update prevents Archlinux from updating by preventing PATH from being propagated duringsudo pacman -Syu
https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/commit/e5e504db273b7b0a3990da6a8acf9d515d654ec6
Steps to reproduce
Update an Archlinux template so that it gets
sudo 1.9.15.p5-2
. Trysudo pacman -Syu
again.Expected behavior
The system updates.
Actual behavior
The system fails to upgrade because the
/usr/bin/pacman
is used, preventing it from using our updates proxy.