Jonathan Nieder <[email protected]> writes: > Colin Watson wrote:
>> --- a/policy.sgml >> +++ b/policy.sgml >> @@ -7449,8 +7449,8 @@ Reloading <var>description</var> configuration...done. >> <heading>Environment variables</heading> >> >> <p> >> - A program must not depend on environment variables to get >> - reasonable defaults. (That's because these environment >> + A program must not depend on its own custom environment variables >> + to get reasonable defaults. (That's because these environment >> variables would have to be set in a system-wide >> configuration file like <file>/etc/profile</file>, which is not >> supported by all shells.) > Thanks! With s/environment variables/environment variable settings/ to > make it clearer that this includes cases like > PATH=/opt/myprog/bin:$PATH, sounds good to me, for what its worth. [...] > Maybe dropping "its own" would take care of it. That would make: > A program must not depend on custom environment variable settings > to get reasonable defaults. (That's because ... Looking at this section, there are several issues. One is the issue addressed above, and I like Jonathan's wording for that. Another is the one Colin mentioned earlier: this only applies to programs installed in the system path. (I considered saying programs intended to be directly invoked by users, but I can imagine pointless arguments about /usr/sbin programs, so let's just go with that.) A third issue is that parts of that section are now out of date, since /etc/profile.d exists (but still shouldn't be used for this purpose). I propose the attached patch to address all of those issues. Seconds or further discussion? -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>From a99c511daaa8fa165af8a64cc4dc4618258aad24 Mon Sep 17 00:00:00 2001 From: Russ Allbery <[email protected]> Date: Sat, 24 Dec 2011 10:10:56 -0800 Subject: [PATCH] Improve environment variable restrictions for programs The restrictions on not using environment variables refers to custom environment variables (not, say, PATH), and only applies to programs installed on the system PATH. Also update the wording to reflect that /etc/profile.d is now available, but still cannot be used for this purpose. Remove the paragraph explaining that /etc/profile is a base-files configuration file, since /etc/profile.d solves that problem and it's not the point. --- policy.sgml | 24 ++++++++++-------------- 1 files changed, 10 insertions(+), 14 deletions(-) diff --git a/policy.sgml b/policy.sgml index 4aeae36..39378f9 100644 --- a/policy.sgml +++ b/policy.sgml @@ -7450,11 +7450,14 @@ Reloading <var>description</var> configuration...done. <heading>Environment variables</heading> <p> - A program must not depend on environment variables to get - reasonable defaults. (That's because these environment - variables would have to be set in a system-wide - configuration file like <file>/etc/profile</file>, which is not - supported by all shells.) + Programs installed on the system PATH + (<file>/bin</file>, <file>/usr/bin</file>, <file>/sbin</file>, + <file>/usr/sbin</file>, or similar directories) must not depend + on custom environment variable settings to get reasonable + defaults. This is because such environment variables would have + to be set in a system-wide configuration file such as a file + in <file>/etc/profile.d</file>, which is not supported by all + shells. </p> <p> @@ -7464,8 +7467,8 @@ Reloading <var>description</var> configuration...done. variables are not present. If this cannot be done easily (e.g., if the source code of a non-free program is not available), the program must be replaced by a small - "wrapper" shell script which sets the environment variables - if they are not already defined, and calls the original program. + "wrapper" shell script that sets the environment variables + if they are not already defined and calls the original program. </p> <p> @@ -7478,13 +7481,6 @@ export BAR exec /usr/lib/foo/foo "$@" </example> </p> - - <p> - Furthermore, as <file>/etc/profile</file> is a configuration - file of the <prgn>base-files</prgn> package, other packages must - not put any environment variables or other commands into that - file. - </p> </sect> <sect id="doc-base"> -- 1.7.7.3
