From e25597983d5ccdd144d823f9074fb5166ef68227 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Fri, 28 Aug 2020 10:45:06 -0600
Subject: [PATCH] fix: don't pass all environment variables through sshd (#1186)
The HOME variable was always set to / for non-root shells, when sshd should be setting it. While we are at it, we might as well filter out several other environment variables which I think ought not to be passed in this way at all.
---
 master/static/srv/shell-entrypoint.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/master/static/srv/shell-entrypoint.sh b/master/static/srv/shell-entrypoint.sh
index f9171aeff87..806f95f690d 100755
--- a/master/static/srv/shell-entrypoint.sh
+++ b/master/static/srv/shell-entrypoint.sh
@@ -13,16 +13,21 @@ python3.6 -m pip install --user /opt/determined/wheels/determined*.whl
 # Prepend each key in authorized_keys with a set of environment="KEY=VALUE"
 # options to inject the entire docker environment into the eventual ssh
 # session via an options in the authorized keys file. See syntax described in
-# `man 8 sshd`. Normal ssh mechanisms for overriding variables as part of the
-# protocol (like TERM or LANG) will take precedence, as will normal mechanisms
-# like a ~/.bashrc. The purpose of this is to honor the environment variable
+# `man 8 sshd`. The purpose of this is to honor the environment variable
 # settings as they are set for experiment or notebook configs, while still
 # allowing customizations via normal ssh mechanisms.
 #
+# Not all variables should be overwritten this way; the HOME variable should be
+# set by ssh, and the TERM, LANG, and LC_* variables should be passed in from
+# the client.
+#
+# Normal mechanisms like a ~/.bashrc will override these variables.
+#
 # After openssh 8+ is the only version of openssh supported (that is, after we
 # only support ubuntu >= 20.04), we can use the more obvious SetEnv option and
 # skip this awkwardness.
-vars="$(env | sed -e 's/=.*//')"
+blacklist="^(_|HOME|TERM|LANG|LC_.*)"
+vars="$(env | sed -E -e "s/=.*//; /$blacklist/d")"
 options="$(
 for var in $vars ; do
 # Note that the syntax ${!var} is for a double dereference.
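Review bot: The new `blacklist` pattern is anchored only at the start, so after `s/=.*//` has reduced each line to a bare name it also deletes any variable whose name merely begins with one of the listed words, e.g. `LANGUAGE`, `TERMINFO` or anything starting with `_`, which the commit message does not say it intends; anchoring the end, `blacklist="^(_|HOME|TERM|LANG|LC_.*)$"`, limits the filter to the names actually listed. A second, pre-existing weakness this hunk keeps is that `env` prints values verbatim, so a value containing a newline yields extra lines that `sed` treats as further variable names and the `for var in $vars` loop then dereferences; since the script already relies on bash (`${!var}`), listing exported names with the builtin instead, `vars="$(compgen -e | grep -Ev -- "$blacklist")"`, removes that ambiguity without parsing values at all. Whatever names survive are still written into authorized_keys as `environment="KEY=VALUE"` options, so filtering by name does nothing about values that contain quotes or newlines; that escaping lives in the loop body, which starts at the end of this hunk and continues outside it.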