Package: mutt-wizard
Version: 3.3.1-2
Severity: important

The following guard is used towards the top of mw-mailsync:

  pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync will not run."; exit ;}

This is inadequate, because USER and LOGNAME might not be defined in the
running environment even if the user is logged in. For example, in a
container context:

  conf=/some/path/to/stick/muttwizard/conf/in
  podman run --rm -ti \
      --mount type=bind,ro=false,chown=true,src=$conf,dst=$HOME \
      mutt-wizard \
      neomutt

(where 'mutt-wizard' is the name of a debian:bookworm container
with mutt-wizard and its dependencies installed.)

Furthermore, the behaviour when this fails - ${USER:=$LOGNAME}
expands to the empty string, so the script invokes
"pgrep -u >/dev/null", which is at least benign and just dumps
the pgrep invocation output on the user's terminal.

(Why run mutt-wizard in a container? To mitigate against it not
isolating its own configuration from any pre-existing configuration
belonging to the user. See:
<https://github.com/LukeSmithxyz/mutt-wizard/issues/917>)





-- System Information:
Debian Release: 12.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mutt-wizard depends on:
ii  curl       7.88.1-10
ii  isync      1.4.4-5
ii  msmtp      1.8.23-1
ii  neomutt    20220429+dfsg1-4.1
ii  pass       1.7.4-6
ii  xdg-utils  1.1.3-4.1

Versions of packages mutt-wizard recommends:
ii  abook    0.6.1-2+b1
ii  cron     3.0pl1-162
ii  lynx     2.9.0dev.12-1
ii  notmuch  0.37-1+b1
ii  urlview  0.9-23.1

Versions of packages mutt-wizard suggests:
pn  links2   <none>
pn  mpop     <none>
ii  mpv      0.35.1-4
ii  w3m      0.5.3+git20230121-2
pn  zathura  <none>

-- no debconf information

--
👱🏻      Jonathan Dowland
✎           j...@dow.land
🔗       https://jmtd.net
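
An added example (not code from mutt-wizard or from this report) of a guard
that does not depend on USER or LOGNAME being set: it matches processes by the
numeric uid from id(1) and uses the variables only to build the message. The
function names sync_user_name and mailsync_guard are hypothetical.

```sh
#!/bin/sh
# Added example, not mutt-wizard code. Function names are hypothetical.

# Name to show in messages: USER, then LOGNAME, then id(1). If the uid has
# no passwd entry (possible in a container), fall back to the numeric uid.
sync_user_name() {
    if [ -n "${USER:-}" ]; then
        name=$USER
    elif [ -n "${LOGNAME:-}" ]; then
        name=$LOGNAME
    else
        # id -un can fail for an unmapped uid; capture its output so that
        # anything it printed is discarded before falling back.
        name=$(id -un 2>/dev/null) || name=$(id -u)
    fi
    printf '%s\n' "$name"
}

# Return 0 if the invoking uid owns at least one process, 1 otherwise.
# pgrep -u accepts a numeric uid, so no environment variable is needed.
mailsync_guard() {
    uid=$(id -u) || return 1
    pgrep -u "$uid" >/dev/null 2>&1 && return 0
    echo "$(sync_user_name) not logged in; sync will not run." >&2
    return 1
}

# Intended use near the top of a sync script:
#   mailsync_guard || exit 1
```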
