Debian Bug report logs - #1043362
mw-mailsync: guard to check for logged in user is flawed

Package: mutt-wizard; Maintainer for mutt-wizard is Braulio Henrique Marques Souto <[email protected]>; Source for mutt-wizard is src:mutt-wizard.

Reported by: Jonathan Dowland <[email protected]>

Date: Wed, 9 Aug 2023 14:27:01 UTC

Severity: important

Found in version mutt-wizard/3.3.1-2


Report forwarded to [email protected], Braulio Henrique Marques Souto <[email protected]>:
Bug#1043362; Package mutt-wizard. (Wed, 09 Aug 2023 14:27:03 GMT)


Acknowledgement sent to Jonathan Dowland <[email protected]>:
New Bug report received and forwarded. Copy sent to Braulio Henrique Marques Souto <[email protected]>. (Wed, 09 Aug 2023 14:27:03 GMT)


Message #5 received at [email protected]:

From: Jonathan Dowland <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: mw-mailsync: guard to check for logged in user is flawed
Date: Wed, 9 Aug 2023 15:22:58 +0100
Package: mutt-wizard
Version: 3.3.1-2
Severity: important

The following guard is used towards the top of mw-mailsync:

  pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync will not run."; exit ;}

This is inadequate, because USER and LOGNAME might not be defined in the
running environment even if the user is logged in. For example, in a
container context:

  conf=/some/path/to/stick/muttwizard/conf/in
  podman run --rm -ti \
      --mount type=bind,ro=false,chown=true,src=$conf,dst=$HOME \
      mutt-wizard \
      neomutt

(where 'mutt-wizard' is the name of a debian:bookworm container
with mutt-wizard and its dependencies installed.)

Furthermore, the behaviour when this fails - ${USER:=$LOGNAME}
expands to the empty string, so the script invokes
"pgrep -u >/dev/null", which is at least benign and just dumps
the pgrep invocation output on the user's terminal.

(Why run mutt-wizard in a container? To mitigate against it not
isolating its own configuration from any pre-existing configuration
belonging to the user. See:
<https://github.com/LukeSmithxyz/mutt-wizard/issues/917>)





-- System Information:
Debian Release: 12.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mutt-wizard depends on:
ii  curl       7.88.1-10
ii  isync      1.4.4-5
ii  msmtp      1.8.23-1
ii  neomutt    20220429+dfsg1-4.1
ii  pass       1.7.4-6
ii  xdg-utils  1.1.3-4.1

Versions of packages mutt-wizard recommends:
ii  abook    0.6.1-2+b1
ii  cron     3.0pl1-162
ii  lynx     2.9.0dev.12-1
ii  notmuch  0.37-1+b1
ii  urlview  0.9-23.1

Versions of packages mutt-wizard suggests:
pn  links2   <none>
pn  mpop     <none>
ii  mpv      0.35.1-4
ii  w3m      0.5.3+git20230121-2
pn  zathura  <none>

-- no debconf information

-- 
👱🏻	Jonathan Dowland
✎	    [email protected]
🔗	https://jmtd.net
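
Added example, not part of the original report and not mutt-wizard's code: the script below evaluates the report's expansion with USER and LOGNAME unset, then shows one way to derive the identity from the process UID and refuse an empty value before calling pgrep. The function names and the 64 exit status are hypothetical, and the unset environment is constructed to match the container case described above.

```shell
#!/bin/sh
# Added illustration; function names and the 64 status are hypothetical.

# The report's expansion, evaluated with USER and LOGNAME both unset
# (constructed condition). The subshell body keeps the unset local.
flawed_user() (
    unset USER LOGNAME
    printf '%s' "${USER:=$LOGNAME}"
)

# Derive the identity from the process's UID instead of the environment.
# id -un can fail when the UID has no passwd entry (possible in
# containers), so capture its output and fall back to the numeric UID,
# which pgrep -u also accepts.
resolve_user() {
    u=$(id -un 2>/dev/null) || u=$(id -u)
    printf '%s' "$u"
}

# Same test as the original guard, but an empty identity is refused
# before pgrep is ever invoked.
guard() {
    [ -n "$1" ] || return 64
    pgrep -u "$1" >/dev/null 2>&1
}

printf 'original expansion yields: "%s"\n' "$(flawed_user)"
printf 'id-based identity:         "%s"\n' "$(resolve_user)"
if guard "$(resolve_user)"; then
    echo "guard passes: processes found for this user"
else
    echo "guard fails: no processes found (or pgrep unavailable)"
fi
```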




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 05:11:48 2025; Machine Name: bembo
