QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Recent update to upstream sudo broke Archlinux template updates #9395

Open vx-sec opened 1 month ago

vx-sec commented 1 month ago

Qubes OS release

R4.2

Brief summary

Archlinux upstream decided to include secure_path by default in sudoers. It's a problem for us because we set /run/qubes/bin/pacman in PATH so that our pacman with tinyproxy set runs. The new update prevents Archlinux from updating by preventing PATH from being propagated during sudo pacman -Syu.

https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/commit/e5e504db273b7b0a3990da6a8acf9d515d654ec6

Steps to reproduce

Update an Archlinux template so that it gets sudo 1.9.15.p5-2. Try sudo pacman -Syu again.

Expected behavior

The system updates.

Actual behavior

The system fails to upgrade because the /usr/bin/pacman is used, preventing it from using our updates proxy.
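
The lookup change described in the report above, as an added example that is not part of the original issue or of the Qubes code: it builds a constructed directory tree with two stand-in pacman scripts and shows which one a PATH search selects with and without an active secure_path line. The helper names (secure_path_of, resolve_under, sudo_would_run, make_sandbox) and the sandbox sudoers files are assumptions made for the illustration; no real sudo or pacman is run.

```shell
#!/bin/sh
# Added example on a constructed sandbox; no real sudo or pacman is invoked.

# Print the last active "Defaults secure_path=..." value in a sudoers-style
# file. Commented-out lines are ignored; only the plain global form is handled.
secure_path_of() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]][[:space:]]*secure_path[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# Print the file that command $1 resolves to when searched along PATH value $2.
resolve_under() {
    ( PATH=$2; command -v "$1" ) 2>/dev/null
}

# Print what "sudo $1" would execute: the search uses secure_path when the
# sudoers file $2 sets one, otherwise the caller's PATH given as $3.
sudo_would_run() {
    sp=$(secure_path_of "$2")
    resolve_under "$1" "${sp:-$3}"
}

# Build the constructed tree: a stand-in wrapper and a stand-in distro binary.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/run/qubes/bin" "$root/usr/bin" "$root/etc"
    for d in run/qubes/bin usr/bin; do
        printf '#!/bin/sh\necho "stand-in pacman in %s"\n' "$d" > "$root/$d/pacman"
        chmod +x "$root/$d/pacman"
    done
    printf '%s\n' "$root"
}

root=$(make_sandbox)
user_path="$root/run/qubes/bin:$root/usr/bin"   # wrapper directory listed first

# Constructed sudoers files: one with the setting commented out, one with it active.
printf '# Defaults secure_path="%s"\n' "$root/usr/bin" > "$root/etc/sudoers.old"
printf 'Defaults secure_path="%s"\n' "$root/usr/bin" > "$root/etc/sudoers.new"

echo "secure_path commented out: $(sudo_would_run pacman "$root/etc/sudoers.old" "$user_path")"
echo "secure_path active:        $(sudo_would_run pacman "$root/etc/sudoers.new" "$user_path")"
rm -rf "$root"
```
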

alimirjamali commented 1 month ago

To be certain, is this only applicable if you try to update manually via sudo pacman -Syu from the terminal emulator?

qubes-vm-update --targets archlinux --force-update -v should work? GUI updater should work? sudo -i and then pacman -Syu should work?

p.s. This is still a bug. But most users would face it when trying sudo pacman -Sy packages to install packages rather than during updates.

alimirjamali commented 4 weeks ago

PR Submitted

Review priority: medium