Thursday, March 29, 2007

Apple's Mac 10.4.9 Update breaks CPAN access to Fink when using sudo

The short story: as a new security measure, the latest version of sudo strips out various environment variables pertaining to perl. If you have been using an older version of sudo on any *NIX (certainly if you're using Mac OS X) your old version of sudo did not behave this way. This may change the behavior of any scripts you run with sudo.

More explanation:

Apple's latest OS X update, Mac OS X 10.4.9 Combo Update, includes Security Update 2007-003.

If you have installed either of these updates, you have a new version of sudo, which will prevent CPAN (and any other perl script you run as root via sudo) from accessing any libraries you have installed with Fink. For that matter, this applies to any custom installation into a non-default directory such as /usr/local/, so projects other than Fink, including GnuDarwin, are possibly affected too; I don't use any of the others, so I'm not sure.

The real source of the problem (which will probably end up affecting users of many other operating systems and programs, not just Mac/Perl) is that the latest version of sudo has a new security check which strips out all environment variables except a few. Apparently older versions of sudo have been doing this for a while (perhaps always, I'm not sure), but the latest change is that PERL5LIB, PERLLIB and PERL5OPT are now included amongst the variables that get stripped out.

I have my .profile loading the fink script that sets the PERL5LIB variable up for both my regular user and root (which is the way Fink is configured by default), but in spite of this (and even when I manually set PERL5LIB in .profile), my custom PERL5LIB does not get picked up when I run CPAN with sudo anymore.

The solution I found is to edit my sudoers config and add the following:

Defaults env_delete-="PERLLIB PERL5LIB PERL5OPT"

This "subtracts" those variables from sudo's list of variables to remove. In effect it "undoes" the latest security update with a configuration override, so consider carefully whether you want to override it or not.

I tried adding:

Defaults env_keep+="PERLLIB PERL5LIB PERL5OPT"

(env_keep is documented in the sudoers manpage), but apparently env_keep doesn't work that way.
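To confirm which of these variables sudo is actually stripping on a given machine (before and after changing sudoers), here is an added shell check that is not part of the original post. It compares two `env` dumps, the caller's and one produced under sudo, and reports the perl variables that went missing; the sample dumps embedded below are constructed, not real output.

```sh
#!/bin/sh
# Added example: compare two `env` dumps (caller vs. command run under sudo)
# and report which perl-related variables sudo stripped.

# The variables the post says the new sudo strips.
PERL_VARS="PERLLIB PERL5LIB PERL5OPT"

# has_var DUMP NAME: true if a line "NAME=..." appears in the env dump DUMP.
has_var() {
  printf '%s\n' "$1" | grep -q "^$2="
}

# stripped_perl_vars BEFORE AFTER: print, space separated, the perl variables
# that are present in BEFORE but missing from AFTER. A variable that was never
# set in the caller's environment is not reported.
stripped_perl_vars() {
  out=""
  for v in $PERL_VARS; do
    if has_var "$1" "$v" && ! has_var "$2" "$v"; then
      out="${out:+$out }$v"
    fi
  done
  printf '%s\n' "$out"
}

# Constructed sample dumps (not captured from a real system). PERL5OPT was
# never set, so only the two library variables count as stripped.
SAMPLE_BEFORE="HOME=/Users/me
PERL5LIB=/sw/lib/perl5:/sw/lib/perl5/darwin
PERLLIB=/usr/local/lib/perl5
PATH=/sw/bin:/usr/bin:/bin"
SAMPLE_AFTER="HOME=/Users/me
PATH=/sw/bin:/usr/bin:/bin"

# On a real machine (needs sudo): stripped_perl_vars "$(env)" "$(sudo env)"
stripped_perl_vars "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

After adding the env_delete line to sudoers, rerun the real check; an empty result means the variables now survive.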

I'm sure that overall, sanitizing the environment variables for sudo is a good thing, but the unexpected change sure threw me for a loop when things suddenly started breaking.

This is a classic example of why you shouldn't install any updates of any kind, including security updates, on production servers, without first analyzing exactly what the update is going to change! :-)

1 comment:

JW said...

Update 2007-04-19: I should have pointed out that the version of sudo that introduces this new behaviour is version 1.6.8p12. You can find out which version of sudo you have installed with "sudo -V".