no_proxy environment dropped when calling synaptic

Bug #207768 reported by Brian J. Murrell
This bug affects 5 people
Affects: sudo (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: update-manager

Using an up-to-date hardy (March 27, 2008), I'm finding that somewhere along the path from update-manager to synaptic, several proxy-controlling environment variables are getting dropped. The process stack looks like:

  361 ? Sl 0:19 /usr/bin/python2.5 /usr/bin/update-manager
 3303 ? S 0:00 \_ /usr/bin/gksu --desktop /usr/share/applications/update-manager.desktop -- /usr/sbin/synaptic --hide-m
 3304 ? Rs 0:46 \_ /usr/sbin/synaptic --hide-main-window --non-interactive --parent-window-id 153092100 -o Synaptic:

The relevant proxy environment variables for update-manager:

$ tr '\0' '\n' < /proc/361/environ | grep -i proxy
NO_PROXY=*.interlinx.bc.ca,interlinx.bc.ca,*.ilinx
http_proxy=http://linux:3128/
HTTPS_PROXY=http://linux:3128/
no_proxy=*.interlinx.bc.ca,interlinx.bc.ca,*.ilinx

And for gksu:
$ sudo bash -c "tr '\0' '\n' < /proc/3303/environ " | grep -i proxy
NO_PROXY=*.interlinx.bc.ca,interlinx.bc.ca,*.ilinx
http_proxy=http://linux:3128/
HTTPS_PROXY=http://linux:3128/
no_proxy=*.interlinx.bc.ca,interlinx.bc.ca,*.ilinx

and for synaptic:

$ sudo bash -c "tr '\0' '\n' < /proc/3304/environ " | grep -i proxy
http_proxy=http://linux:3128/

As you can see, the NO_PROXY, no_proxy and HTTPS_PROXY variables are getting dropped.

Tags: sudo
Michael Vogt (mvo) wrote :

Thanks for your bug report.

The latest sudo drops most environment variables for security reasons. I'm reassigning this to sudo.

Changed in update-manager:
status: New → Confirmed
Eddy Mulyono (eddymul) wrote :

We'll probably have to patch env.c to include no_proxy in initial_keepenv_table.

I'll see if I can cook up a patch.

Hubert FONGARNAND (hfongarnand) wrote :

I'm using my own mirror in our firm... but it's unusable because some apps need the http_proxy variable... and there's no way to tell apt not to use the http_proxy variable...

Our last hope was the no_proxy variable... it works well with apt, which understands this useful variable... but not with sudo!

So having our own mirror server + keep http_proxy variable is impossible!

Troy Astle (trastle) wrote :

As a workaround for those affected by this bug, you can tell sudo to pass through the no_proxy environment variable by adding the following line to /etc/sudoers

Defaults env_keep="no_proxy http_proxy XAUTHORIZATION XAUTHORITY TZ PS2 PS1 PATH MAIL LS_COLORS KRB5CCNAME HOSTNAME HOME DISPLAY COLORS"

This will pass through all of the variables listed in the current keepenv_table as well as no_proxy. Other environment variables can be added as needed.

Troy Astle (trastle)
tags: added: sudo
Brian J. Murrell (brian-interlinx) wrote : Re: [Bug 207768] Re: no_proxy environment dropped when calling synaptic

On Fri, 2009-11-20 at 13:39 +0000, Troy Astle wrote:
> As a workaround for those affected by this bug you can tell sudo to
> pass through the no_proxy environment variable by adding the following
> line to /etc/sudoers

Or as an even better workaround, heck, no, solution,
update-manager/synaptic could just use libproxy and not have to worry
about parsing all those variables itself.

Hubert FONGARNAND (hfongarnand) wrote :

> Or as an even better workaround, heck, no, solution,
> update-manager/synaptic could just use libproxy and not have to worry
> about parsing all those variables itself.

Don't do that please... dpkg can call other tools (like wget), for example when you install the flash player...
And all these tools don't use libproxy...

Brian J. Murrell (brian-interlinx) wrote :

On Fri, 2009-11-20 at 14:08 +0000, Hubert FONGARNAND wrote:
> >Or as an even better workaround, heck, no, solution,
> update-manager/synaptic could just use libproxy and not have to worry
> about parsing all those variables itself.
>
>
> Don't do that please... dpkg can call other tools (like wget), for example when you install the flash player...
> And all these tools don't use libproxy...

They should. Every tool doing the same processing (and many getting it
wrong) of proxy environment variables is just silly, wrong, error-prone
and a waste of time and effort that could be better spent making said
tools better in other areas.

Certainly, until they do use libproxy, allowances have to be made so
that such tools get the env. variables they need, but if every tool
waited until every other tool supported something before they do,
nothing would get done.

Muelli (ubuntu-bugs-auftrags-killer) wrote :

I don't know whether I want to see my wget using libproxy.

Anyway, I added the line mentioned in comment #4 to my /etc/sudoers (note that putting that into /etc/sudoers.d/keepenv didn't work because #includedir /etc/sudoers.d is missing).
Now it works as pre-lucid, i.e. I can update my system using export http_proxy=college-firewall; sudo apt-get update, ...

Léa GRIS (lea-gris) wrote :

Should add https_proxy as well.

Affected by this bug, as the Apport crash reporter makes use of sudo and communicates via HTTPS.
When a system program crashes, it cannot report due to the non-exported https_proxy, and HTTPS is unavailable here without dialing the proxy.

Steve Langasek (vorlon) wrote :

Passing these variables by default potentially allows a user to MITM the network connections of a process running as a different user and feed it untrusted input. This is not something that should be implemented in sudo.

Changed in sudo (Ubuntu):
status: Confirmed → Won't Fix
Brian J. Murrell (brian-interlinx) wrote :

Whatever.
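
Added example (not part of the bug report and not sudo's own code): a shell audit that reads a sudoers-style file and reports which proxy variables its env_keep settings would pass from the invoking user to the privileged process, and whether /etc/sudoers.d fragments are read at all. The function names and the sample file are constructed for illustration; only unscoped "Defaults env_keep" lines are modelled.

```shell
#!/bin/sh
# Added example: report which proxy variables a sudoers-style file lets cross
# from the invoking user into the privileged process through env_keep.

# Effective env_keep list built from the file's own Defaults lines, sorted.
# Assumption: only unscoped "Defaults env_keep" lines are modelled; sudo's
# built-in keep list and per-user or per-command Defaults are not.
effective_env_keep() {
    awk '
    /^[ \t]*Defaults[ \t]+env_keep[ \t]*(\+=|-=|=)/ {
        v = $0
        sub(/^[ \t]*Defaults[ \t]+env_keep[ \t]*/, "", v)
        op = (substr(v, 1, 1) == "=") ? "=" : substr(v, 1, 2)
        sub(/^(\+=|-=|=)[ \t]*/, "", v)
        gsub(/"/, "", v)
        if (op == "=") split("", keep)     # plain "=" replaces the whole list
        n = split(v, names, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (names[i] == "") continue
            if (op == "-=") delete keep[names[i]]
            else keep[names[i]] = 1
        }
    }
    END { for (k in keep) print k }' "$1" | LC_ALL=C sort
}

# Kept names that decide where the privileged process sends its traffic.
kept_proxy_vars() {
    effective_env_keep "$1" | grep -iE '^(https?|ftp|all|no)_proxy$' | paste -sd' ' -
}

# True when the file reads a drop-in directory; without such a line,
# fragments placed under /etc/sudoers.d are never loaded.
has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+' "$1"
}

# Constructed sample: the workaround line quoted in the thread, plus the
# https_proxy addition a later comment asks for.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Defaults env_keep="no_proxy http_proxy XAUTHORIZATION XAUTHORITY TZ PS2 PS1 PATH MAIL LS_COLORS KRB5CCNAME HOSTNAME HOME DISPLAY COLORS"
Defaults env_keep += "https_proxy"
EOF
echo "proxy variables kept: $(kept_proxy_vars "$SAMPLE")"
has_includedir "$SAMPLE" || echo "no includedir line: /etc/sudoers.d is not read"
```

Any name the audit reports is one the invoking user controls inside the privileged process, which is the exposure the Won't Fix comment describes.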
