Merge pull request #1270 from maresb/patch-1

consideRatio · web-flow · commit cf5a7ab55638 · 2022-01-30T02:04:43.000+01:00
Prepend $CONDA_DIR/bin instead of appending
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
@@ -150,8 +150,8 @@ if [ "$(id -u)" == 0 ] ; then
     # Update potentially outdated environment variables since image build
     export XDG_CACHE_HOME="/home/${NB_USER}/.cache"
 
-    # Add ${CONDA_DIR}/bin to sudo secure_path
-    sed -r "s#Defaults\s+secure_path\s*=\s*\"?([^\"]+)\"?#Defaults secure_path=\"\1:${CONDA_DIR}/bin\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path
+    # Prepend ${CONDA_DIR}/bin to sudo secure_path
+    sed -r "s#Defaults\s+secure_path\s*=\s*\"?([^\"]+)\"?#Defaults secure_path=\"${CONDA_DIR}/bin:\1\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path
 
     # Optionally grant passwordless sudo rights for the desired user
     if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == "yes" ]]; then
@@ -168,6 +168,12 @@ if [ "$(id -u)" == 0 ] ; then
         PATH="${PATH}" \
         PYTHONPATH="${PYTHONPATH:-}" \
         "${cmd[@]}"
+        # Note on the purpose of "PATH=${PATH}":
+        #   In case "${cmd[@]}" is "bash", then PATH will be used by this bash shell.
+        #   However, PATH is irrelevant to how the above sudo command resolves the
+        #   path of "${cmd[@]}". Sudo's path resolution is done via the "secure_path"
+        #   variable set above in /etc/sudoers.d/path.
+
 
 # The container didn't start as the root user, so we will have to act as the
 # user we started as.
diff --git a/base-notebook/test/test_container_options.py b/base-notebook/test/test_container_options.py
@@ -306,3 +306,24 @@ def test_jupyter_env_vars_to_unset_as_root(
         **root_args,  # type: ignore
     )
     assert "I like bananas and stuff, and love to keep secrets!" in logs
+
+
+def test_secure_path(container: TrackedContainer, tmp_path: pathlib.Path) -> None:
+    """Make sure that the sudo command has conda's python (not system's) on path.
+    See <https://github.com/jupyter/docker-stacks/issues/1053>.
+    """
+    d = tmp_path / "data"
+    d.mkdir()
+    p = d / "wrong_python.sh"
+    p.write_text('#!/bin/bash\necho "Wrong python executable invoked!"')
+    p.chmod(0o755)
+
+    logs = container.run_and_wait(
+        timeout=5,
+        tty=True,
+        user="root",
+        volumes={p: {"bind": "/usr/bin/python", "mode": "ro"}},
+        command=["start.sh", "python", "--version"],
+    )
+    assert "Wrong python" not in logs
+    assert "Python" in logs
