I cannot set the following in login.conf > :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,\ > HTTP_PROXY=http\c//194.145.60.1\c9400,\ > HTTPS_PROXY=http\c//194.145.60.1\c9400,\ > FTP_PROXY=ftp\c//194.145.60.1\c9400,\ > NO_PROXY="localhost,.siemens.net,.siemens.com,.siemens.de":\ because comma seperates the vars themselves. While fetch(1) and curl(1) also supports whitespace-delimited values, poudriere chokes on: https://github.com/freebsd/poudriere/issues/669 There must be some mechanism to escape commas just like semicolons.
Poudriere is effectively fine here with this syntax (no quotes needed): :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,NO_PROXY=localhost .siemens.net .siemens.com .siemens.de:\
I cannot confirm this. Besides poudriere, it whould be possible in general to have commas in env values.
I think I have traced down the cause: cap_mkdb uses cgetnext() whose manpage says: > String capability values may contain any character. Non-printable ASCII > codes, new lines, and colons may be conveniently represented by the use > of escape sequences: > > ^X ('X' & 037) control-X > \b, \B (ASCII 010) backspace > \t, \T (ASCII 011) tab > \n, \N (ASCII 012) line feed (newline) > \f, \F (ASCII 014) form feed > \r, \R (ASCII 015) carriage return > \e, \E (ASCII 027) escape > \c, \C (:) colon > \\ (\) back slash > \^ (^) caret > \nnn (ASCII octal nnn) While I have tried to do \054, it is still not working because the setenv magic is performed with login_getcaplist() in > ./lib/libutil/login_class.c: const char **set_env = login_getcaplist(lc, "setenv", ","); So also the \054 is converted to comma, the subsequent call adds its own sematics to split the setenv capability with comma. So it would require something like \O which is used in login_class only and if ((np = substvar(p, pwd, hlen, pch, nlen)) != NULL) { setenv(*set_env, np, 1); free(np); } and np needs to be processed for \O to replace with a comma. If I understand ./lib/libc/gen/getcap.c correctly the blackslash is retained by "*mp++ = *(bp-1)" if the escape char is unknown.
Ok, on HEAD, I've got a change that, for that login.conf entry, gives me: 0: MAIL=/var/mail/$ 1: BLOCKSIZE=K 2: HTTP_PROXY=http://194.145.60.1:9400 3: HTTPS_PROXY=http://194.145.60.1:9400 4: FTP_PROXY=ftp://194.145.60.1:9400 5: NO_PROXY=localhost,.siemens.net,.siemens.com,.siemens.de as the output. Specifically, it treats a quoted string as a quoted string, and then removes the quotes. I'll create a review for it.
I created review D25368
Sean, thanks for the patch. I will try that next week and let you know!
I cannot unfortunately sign in into Phabricator: Fehler 401: disabled_client The OAuth client was disabled. I have tested your patch. Set up a jail from stable/12 with Poudriere applied patch, recompiled: > root@deblndw011x:/var/poudriere/jails/121-stable-amd64/usr/src > # jexec 121-stable-amd64-default env -i TERM=$TERM /usr/bin/login -fp root > Last login: Mon Jun 22 14:51:48 on pts/2 > FreeBSD ?.?.? (UNKNOWN) > > root@121-stable-amd64-default:~ # less /etc/login.conf > # login.conf - login class capabilities database. > # > ... > default:\ > :passwd_format=sha512:\ > :copyright=/etc/COPYRIGHT:\ > :welcome=/etc/motd:\ > :setenv=BLOCKSIZE=K,UNAME_r=12.1-STABLE,UNAME_v=FreeBSD 12.1-STABLE 1201518,OSVERSION=1201518,\ > LSCOLORS=gxfxcxdxbxegedabagacad,\ > CLICOLOR=YES,\ > EDITOR=vim,\ > LESS=-x4 -R -eFK,\ > NCURSES_NO_UTF8_ACS=1,\ > HTTP_PROXY=http\c//194.145.60.1\c9400,\ > HTTPS_PROXY=http\c//194.145.60.1\c9400,\ > FTP_PROXY=http\c//194.145.60.1\c9400,\ > NO_PROXY="localhost,.siemens.net,.siemens.com,.siemens.de":\ > :mail=/var/mail/$:\ > :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ > :nologin=/var/run/nologin:\ > :cputime=unlimited:\ > :datasize=unlimited:\ > :stacksize=unlimited:\ > :memorylocked=64K:\ > :memoryuse=unlimited:\ > :filesize=unlimited:\ > :coredumpsize=unlimited:\ > :openfiles=unlimited:\ > :maxproc=unlimited:\ > :sbsize=unlimited:\ > :vmemoryuse=unlimited:\ > :swapuse=unlimited:\ > :pseudoterminals=unlimited:\ > :kqueues=unlimited:\ > :umtxp=unlimited:\ > :priority=0:\ > :ignoretime@:\ > :umask=022: > > root@121-stable-amd64-default:~ # env > USER=root > LOGNAME=root > HOME=/root > SHELL=/bin/csh > NO_PROXY=localhost,.siemens.net,.siemens.com,.siemens.de > FTP_PROXY=http://194.145.60.1:9400 > HTTPS_PROXY=http://194.145.60.1:9400 > HTTP_PROXY=http://194.145.60.1:9400 > NCURSES_NO_UTF8_ACS=1 > LESS=-x4 -R -eFK > EDITOR=vi > CLICOLOR=YES > LSCOLORS=gxfxcxdxbxegedabagacad > OSVERSION=1201518 > UNAME_v=FreeBSD 12.1-STABLE 1201518 > UNAME_r=12.1-STABLE > BLOCKSIZE=K > MAIL=/var/mail/root > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin > TERM=xterm > HOSTTYPE=FreeBSD > VENDOR=amd > OSTYPE=FreeBSD > MACHTYPE=x86_64 > SHLVL=1 > PWD=/root > GROUP=wheel > HOST=121-stable-amd64-default > PAGER=less Works for me. It needs a manpage update to tell that quotes will help for commas or maybe other characters affecting parsing.
Can we merge this please? My issue with Python Requests has been rejected: https://github.com/psf/requests/pull/5465 although I have provided sufficient justification. koobs, can you help here?
Can someone sponsor this?
(In reply to Michael Osipov from comment #8) Not sure how I can help here
The PR needs to be updated (on me), reviewed (on others) and ideally tested. I'm not quite sure how to make an automated test for it, so I'm open to suggestions.
What I can offer is testing on 12-STABLE and 13-STABLE. @koobs. I added you because this is Python relevant. Although libcurl accepts comma and space (not documented) my PR has been rejected and py-requests is too important. At the end a core dev needs to at least review. I see no other reasonable way to set NO_PROXY in login.conf.
Sean, do you see a way to move this forward? My upstream patch has been rejected and the py-requests maintainer has also rejected my downstream patch: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268169 I am stuck here between those. Merge window for 12.4 has been missed which means that my jails on RELEASE will never see it. At least my hosts could consume via STABLE and when I move in 2023H1 to 13 this will arrive on the jails as well.
Resource regarding no_proxy env var: https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/
Works for me on 13-STABLE as well: root@deblndw013x1v:~ # uname -a FreeBSD deblndw013x1v.ad001.siemens.net 13.1-STABLE FreeBSD 13.1-STABLE #5 2c88fb783: Tue Jan 3 12:38:25 CET 2023 root@deblndw013x1v.ad001.siemens.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 root@deblndw013x1v:~ # env | grep PROXY NO_PROXY=localhost,.siemens.net,.siemens.com .siemens.de FTP_PROXY=http://de.coia.siemens.net:9400 HTTPS_PROXY=http://de.coia.siemens.net:9400 HTTP_PROXY=http://de.coia.siemens.net:9400
Let me take a look at my side of it again.
curl is going to remove support for spaces on NO_PROXY/no_proxy: https://github.com/curl/curl/pull/10215
Will this make into 13.2-RELEASE and 14.0-RELEASE?
I guess 13.2 has been missed, sadly. Sean, can you check again and apply your quality PR to all three major versions?
Another gentle ping because 14.0 freeze is approaching...
(In reply to Sean Eric Fagan from comment #16) @sef: Any updates?
So, I am currently in Ireland, and my development system is in Oregon; this makes it difficult to work on it. (Mainly, to *test* it.) That is the only reason I haven't worked on it yet.
Looks like you already committed the fix and forgot about it? :-) commit f32db406504ece1b28f43dc816736e081fe22826 Author: Sean Eric Fagan <sef@FreeBSD.org> AuthorDate: Sat Jan 14 10:37:31 2023 -0800 Commit: Sean Eric Fagan <sef@FreeBSD.org> CommitDate: Sat Jan 14 10:48:29 2023 -0800 Allow a comma-separated list in login class capabilities, by adding a version of strcspn that allows quoting.
I didn't do any MFCs, though.
I did cherry pick the commit Yuri has mentioned to stable/13 on a test host and did this in /etc/login.conf: > 30 HTTP_PROXY=http\c//de.coia.siemens.net\c9400,\ > 31 HTTPS_PROXY=http\c//de.coia.siemens.net\c9400,\ > 32 FTP_PROXY=http\c//de.coia.siemens.net\c9400,\ > 33 NO_PROXY='localhost,.siemens.net,.siemens.com,.siemens.de,.siemens.cloud',\ > 34 MAGIC="localhost,host\c8000\t\\\^sfa,\047value'",\ result: > # env | grep -e PROXY -e MAGIC > HTTP_PROXY=http://de.coia.siemens.net:9400 > NO_PROXY=localhost,.siemens.net,.siemens.com,.siemens.de,.siemens.cloud > MAGIC=localhost,host:8000 \^sfa,value > HTTPS_PROXY=http://de.coia.siemens.net:9400 > FTP_PROXY=http://de.coia.siemens.net:9400 I cannot complain it works for we as expected. curl picks up, so I expect everyone else (including py-requests) will do as well. Test system: > # uname -a > FreeBSD deblndw013x1v.ad001.siemens.net 13.2-STABLE FreeBSD 13.2-STABLE f0cb73450 GENERIC amd64 I will try stable/12 today or tomorrow.
Cherry picked to stable/12, works: > root@deblndw013x:~ > # uname -a > FreeBSD deblndw013x.ad001.siemens.net 12.4-STABLE FreeBSD 12.4-STABLE e7b8295e9 > GENERIC amd64 > root@deblndw013x:~ > # env | grep -e PROXY -e MAGIC > NO_PROXY=localhost,.siemens.net,.siemens.com,.siemens.de,.siemens.cloud > FTP_PROXY=http://de.coia.siemens.net:9400 > HTTPS_PROXY=http://de.coia.siemens.net:9400 > HTTP_PROXY=http://de.coia.siemens.net:9400 > MAGIC=localhost,host:8000 \^sfa,value Happily looking forward to this. All is now required to update docs for this feature. Thank you Sean!
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=f122e552354e84f18b82d11e40c6f8f214ed8abc commit f122e552354e84f18b82d11e40c6f8f214ed8abc Author: Sean Eric Fagan <sef@FreeBSD.org> AuthorDate: 2023-01-14 18:37:31 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-06-13 21:28:54 +0000 Allow a comma-separated list in login class capabilities, by adding a version of strcspn that allows quoting. PR: 236204 Differential Revision: https://reviews.freebsd.org/D25368 (cherry picked from commit f32db406504ece1b28f43dc816736e081fe22826) lib/libutil/login_cap.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 107 insertions(+), 2 deletions(-)
(In reply to Michael Osipov from comment #26) > All is now required to update docs for this feature. Which docs do you mean, login.conf(5) / others?
(In reply to commit-hook from comment #27) Can this also be applies to stable/12? It does here and would ease migration to 13 in the future.
(In reply to Ed Maste from comment #28) I exactly don't know, it could be getcap(3), but also login.conf(5), login_cap(3). At least a place where the user/admin can find it even through indirection.
(In reply to Michael Osipov from comment #29) > Can this also be applies to stable/12? Sure. There are no more releases to come in the 12.x series so I wasn't going to merge it to stable/12, but am happy to do so if it will benefit.
(In reply to Ed Maste from comment #31) For the meantime, absolutely. Consistency with the rest. Effort is minimal.
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ba129c57166057690be0e146aefd8b3636eced7d commit ba129c57166057690be0e146aefd8b3636eced7d Author: Sean Eric Fagan <sef@FreeBSD.org> AuthorDate: 2023-01-14 18:37:31 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-06-14 13:38:26 +0000 Allow a comma-separated list in login class capabilities, by adding a version of strcspn that allows quoting. PR: 236204 Differential Revision: https://reviews.freebsd.org/D25368 (cherry picked from commit f32db406504ece1b28f43dc816736e081fe22826) (cherry picked from commit f122e552354e84f18b82d11e40c6f8f214ed8abc) lib/libutil/login_cap.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 107 insertions(+), 2 deletions(-)
Terrific Ed, thank you!
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ab2f6ae8d1742f57552c37425e9cab8499d2d4ea commit ab2f6ae8d1742f57552c37425e9cab8499d2d4ea Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2023-06-28 18:50:49 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-06-28 19:02:14 +0000 login.conf: document how to specify env var values with commas As of f32db406504e quotes may be used to specify login class capabilities that include commas. This is true in general but is particularly relevant for setenv, a comma-separated list of environment variables and values, so mention it there. PR: 236204 Sponsored by: The FreeBSD Foundation lib/libutil/login.conf.5 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
(In reply to commit-hook from comment #35) Thanks a million Ed! I guess this should be cherry-picked to 13-STABLE for the sake of completeness for 13.3-RELEASE.
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=d6e837c7225e1e4853a186ed42dba183057704b3 commit d6e837c7225e1e4853a186ed42dba183057704b3 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2023-06-28 18:50:49 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-07-17 15:48:28 +0000 login.conf: document how to specify env var values with commas As of f32db406504e quotes may be used to specify login class capabilities that include commas. This is true in general but is particularly relevant for setenv, a comma-separated list of environment variables and values, so mention it there. PR: 236204 Sponsored by: The FreeBSD Foundation (cherry picked from commit ab2f6ae8d1742f57552c37425e9cab8499d2d4ea) lib/libutil/login.conf.5 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)