Description
As per the instructions, I'm setting HTTPS_PROXY in the environment when installing the mdatp package (version 101.25012.0000) on Ubuntu 24.04.
In the /var/log/microsoft/mdatp/install.log file I see:
set_proxy to HTTPS_PROXY="https://our.proxy.server:3128"
But later see errors:
runuser: failed to execute HTTPS_PROXY="https://our.proxy.server:3128": No such file or directory
The problem is this block, and a few similar, of code in postinst:
if command -v runuser > /dev/null; then
    # shellcheck disable=SC2154
    runuser -u mdatp -- $set_proxy curl --cacert "$cert_file" -s -S -d "$request" -X POST --max-time 5 --connect-timeout 1 "$telemetry_url" &
else
    sudo -u mdatp $set_proxy curl --cacert "$cert_file" -s -S -d "$request" -X POST --max-time 5 --connect-timeout 1 "$telemetry_url" & #This is a fallback mechanism if runuser is not available. This could still fail if root password is expired. If such issues come later explore setpriv
fi
When using sudo it is happy for an environment variable to be set before the curl command, but runuser isn't:
# runuser -u mdatp -- HTTPS_PROXY=test curl --version
runuser: failed to execute HTTPS_PROXY=test: No such file or directory
# sudo -u mdatp HTTPS_PROXY=test curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
My suggestion for a fix would be to either use the runuser flag for preserving the environment:
# HTTPS_PROXY=test runuser -w HTTPS_PROXY -u mdatp -- curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
sudo also has --preserve-env=HTTPS_PROXY which would be a consistent way of doing it, if that helps:
# HTTPS_PROXY=test sudo --preserve-env=HTTPS_PROXY -u mdatp curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
Or maybe just use the --proxy flag to curl instead, assuming $CURLTOOL works the same.
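
The failure reported above, and a form that works under both launchers, as an added example that is not part of the original issue or of the mdatp postinst script. `direct_exec` is a hypothetical stand-in for the way runuser executes the words after `--`, so the demo runs without root; the `env` prefix is an alternative to the `-w`, `--preserve-env` and `--proxy` options suggested in the issue, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from postinst.

# Stand-in for what runuser does with the words after "--": exec the first
# word as a program. No shell parses it, so VAR=value is not an assignment.
direct_exec() { ( exec "$@" ) 2>/dev/null; }

# Form used in the postinst block: $set_proxy expands into the command slot.
broken_form() {
    launcher=$1
    set_proxy='HTTPS_PROXY=test'    # constructed value, as in the issue's repro
    # shellcheck disable=SC2086
    "$launcher" $set_proxy printenv HTTPS_PROXY
}

# Launcher-independent form: env(1) consumes the assignment and then runs
# the command, so the launcher never has to understand VAR=value.
fixed_form() {
    launcher=$1
    set_proxy='HTTPS_PROXY=test'    # constructed value
    "$launcher" env "$set_proxy" printenv HTTPS_PROXY
}

# The same prefix applied to the real launchers (needs root and the mdatp
# user, so it is defined here but not called by the demo below).
as_mdatp() {
    if command -v runuser > /dev/null; then
        runuser -u mdatp -- "$@"
    else
        sudo -u mdatp "$@"
    fi
}
# e.g. as_mdatp env "$set_proxy" curl --version

rc=0
broken_form direct_exec || rc=$?
echo "broken form exit status: $rc"
echo "fixed form sees: $(fixed_form direct_exec)"
```
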