I just found what I believe is a high-risk bug with Installbuilder 8.2 on Ubuntu 10.04 Linux. It may or may not apply to other distros. Running an installer with the sudo command functions as expected. However, running the installer with the gksudo command and in a su terminal creates unexpected and risky results.

The sudo and gksudo commands create different root environments for the child installer. Test for yourself. Run the two and review the output files:

~$ sudo env > sudo.txt
~$ gksudo env > gksudo.txt
  • sudo: $HOME == /home/$SUDO_USER
  • gksudo: $HOME == /root
  • su: $HOME == /root

Installbuilder has an cross-platform variable ${user_home_directory}. It apparently reads the value of $HOME on Linux. Using this variable with gksudo, my installer placed files in the wrong place. I found the gksudo environment has the correct $SUDO_USER value. Therefore, I can construct /home/${env(SUDO_USER)} to reference the proper path.

Unfortunately, Installbuilder has other odd behavior under the gksudo environment. The function <addEnvironmentVariable> fails and does not set the environment variable under the gksudo environment.

After much troubleshooting and without a work-around, I added this check to my installer. It stop users if they use the wrong command:

<initializationActionList>
    <throwError>
        <text>This installer is incompatible with the 'gksudo' command and 'su' root terminal environments. Please restart the installer with the 'sudo' command.</text>
        <ruleList>
            <isTrue value="${installer_is_root_install}"/>
            <compareText>
                <logic>does_not_equal</logic>
                <text>${user_home_directory}</text>
                <value>/home/${env(SUDO_USER)}</value>
            </compareText>
        </ruleList>
    </throwError>
</initializationActionList>

I hope sharing this discovery helps others avoid corrupted installations.

asked 14 Jun '12, 12:25

tahoar's gravatar image

tahoar
201313236
accept rate: 42%


From the point of view of the installer (from the environment it gets), the user running the binary is root. If you need to retrieve the logged in user that runs the installer, you could try the below:

<!-- SUDO_USER is defined just when using sudo -->
 <setInstallerVariable name="username"
value="${env(SUDO_USER)}">
  <ruleList>
    <platformTest>
       <type>osx</type>
    </platformTest>
  </ruleList>
 </setInstallerVariable>
 <setInstallerVariable name="username"
value="${env(SUDO_USER)}">
   <ruleList>
      <platformTest>
        <type>linux</type>
      </platformTest>
   </ruleList>
 </setInstallerVariable>
 <setInstallerVariable name="username"
value="${system_username}">
  <ruleList>
   <!-- Accessing non-existent environment
variables result in an empty string -->
    <compareText text="${username}"
logic="equals" value=""/>
  </ruleList>
 </setInstallerVariable>
 <setInstallerVariableFromScriptOutput>
 <name>desktopDir</name>
 <exec>xdg-user-dir</exec>
 <execArgs></execArgs>
 <ruleList>
      <programTest>
          <condition>is_in_path</condition>
          <name>xdg-user-dir</name>
      </programTest>
 </ruleList>
 </setInstallerVariableFromScriptOutput>
 <setInstallerVariable name="homeDir" value="~${username}">
 <ruleList>
      <programTest>
          <condition>is_in_path</condition>
          <name>xdg-user-dir</name>
          <negate>1</negate>
      </programTest>
 </ruleList>
 </setInstallerVariable>

In any case, the above will still fail if the user launches the installer with 'su -'

link

answered 18 Jun '12, 11:30

juanjo's gravatar image

juanjo ♦♦
5.8k413
accept rate: 23%

Thank you. Note that your code will also fail if the user launches the installer with "gksudo" because it inherits the same environment as "su". My <throwerror> code above is one way to detect and block running with root privileges when "sudo" was not used.

(21 Jun '12, 23:17) tahoar
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×73
×12

Asked: 14 Jun '12, 12:25

Seen: 2,279 times

Last updated: 21 Jun '12, 23:17