1 (edited by muzso 2012-12-10 15:51:22)

Topic: Bug: install.sh.in and uninstaller.sh.in depend on $USER

Both install.sh.in and uninstaller.sh.in use /bin/sh and depend on the "$USER" variable being set, but this is not always the case. If you take a look at the man pages of sh (or even bash), you'll not find "$USER" among the variables provided by the shell.

In practice I've hit this bug on an Ubuntu 10.10 (Maverick) system which has Dash (0.5.5.1-7ubuntu1) symlinked to /bin/sh. I've executed the following commands to compile the mysecureshell from source (since the v1.30 binary package available from the official repo depends on various package versions from more recent Ubuntu distros):

apt-get source mysecureshell
apt-get build-dep mysecureshell
cd mysecureshell-1.30
debuild -uc -us -b

After the compilation succeeded and install.sh was invoked, I got the following error message:

###################################################################
                 Sorry 
WARNING: You must be root to continue installation !
###################################################################

The reason is the following check:

  if [ "$USER" != "root" ] ; then
  ...
  fi

This is wrong. It's not even a bashism, since $USER is not provided by bash either.
A more correct approach is:

euid="`id -u`"
if [ "$euid" != "0" ] ; then
        echo ""
        echo "###################################################################"
        tmp=`MyGetLocale 'sorry'`
        echo "                  $tmp $euid"
        MyGetLocale 'Warning root ask'
        echo "###################################################################"
        echo ""
        exit 1
fi

The same problem is present both in install.sh.in and uninstaller.sh.in, but only the former affects the Ubuntu source package (as far as I can tell).

With this fix I could successfully compile and build the v1.30 package.

P.S.: you could hard code the path to /usr/bin/id in the above fix, but since the install.sh script is only invoked during installation (or package building), it's not that much of a security risk to rely on the "id" command that is found in the PATH.

Re: Bug: install.sh.in and uninstaller.sh.in depend on $USER

Hi,

Mhhh ok, thank you for the patch !
It's included for a future version of MySecureShell :D

Re: Bug: install.sh.in and uninstaller.sh.in depend on $USER

Ok, thanks.
To be linguistically correct, I suggest one more small modification/rollback.

This line of my fix:

        echo "                  $tmp $euid"

should be rolled back to the original code:

        echo "                  $tmp $USER"

Reason: the original message looks pretty silly with a UID instead of the username.
E.g. "Sorry 1001"
:-)

A simple "Sorry" is a lot better. Any greeting with a UID in it sounds silly.
E.g. you could use something like this:
${USER:-${LOGNAME:-user with effective user ID of $euid}}

Which would translate to something like this: "Sorry user with effective user ID of 1001"
But it's still quite lame.
The best approach seems to be to simply print a "Sorry" if $USER is not defined. And the original code did just that.

So only apply the conditional check from my patch.

if [ "`id -u`" != "0" ] ; then
...
fi
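
The two checks from this thread side by side, as an added example that is not part of the original posts or of MySecureShell's scripts: it runs the `$USER` comparison and the `id -u` comparison under constructed environments (USER unset, `root`, `nobody`) and includes the `${USER:-${LOGNAME:-}}` fallback for the banner name. The function names and the /usr/bin/id-then-PATH lookup are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not MySecureShell's own code. Function names are hypothetical.

# Prefer the fixed path mentioned in the P.S.; fall back to PATH if it is absent.
if [ -x /usr/bin/id ]; then ID_BIN=/usr/bin/id; else ID_BIN=id; fi

# Original check: trusts an environment variable that /bin/sh does not set itself.
legacy_is_root() {
    [ "${USER:-}" = "root" ]
}

# Fixed check: compares the effective UID reported by id against 0.
euid_is_root() {
    [ "$("$ID_BIN" -u)" = "0" ]
}

# Name for the "Sorry" banner: $USER, then $LOGNAME, else empty (plain "Sorry").
display_name() {
    printf '%s' "${USER:-${LOGNAME:-}}"
}

# Run one check in a subshell with a constructed USER value and print its verdict.
# $1 = check function, $2 = value for USER (empty string means "unset").
verdict() {
    (
        if [ -n "$2" ]; then USER=$2; export USER; else unset USER; fi
        if "$1"; then echo root; else echo not-root; fi
    )
}

# Constructed environments: USER unset, USER=root, USER=nobody.
demo() {
    for u in "" root nobody; do
        printf 'USER=%-8s legacy=%-9s euid=%s\n' \
            "${u:-<unset>}" \
            "$(verdict legacy_is_root "$u")" \
            "$(verdict euid_is_root "$u")"
    done
}

demo
```

The legacy column changes with whatever USER contains, while the euid column stays the same on every row because it only depends on the process's effective UID.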

Re: Bug: install.sh.in and uninstaller.sh.in depend on $USER

Correct :)