[Bug 284867] Re: too hard to use "sudo apt-get" behind a proxy with authentication

Steve Langasek steve.langasek at canonical.com
Mon Apr 16 00:15:28 UTC 2012 

*** This bug is a duplicate of bug 982684 ***
    https://bugs.launchpad.net/bugs/982684

** This bug has been marked a duplicate of bug 982684
   sudo doesn't apply global environment settings from /etc/environment

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/284867

Title:
  too hard to use "sudo apt-get" behind a proxy with authentication

Status in “sudo” package in Ubuntu:
  New

Bug description:
  Binary package hint: sudo

  % lsb_release -rd
  Description:    Ubuntu 8.04.1
  Release:        8.04

  The configuration needed to get "sudo apt-get" working when behind a
  proxy with authentication is not trivial. Here are some ideas to
  enhance it.

  Here is my environment : I am on an enterprise network, behind a proxy
  requiring authentication for http. I want to access a repository
  server from the outside world.

  To use apt-get with the proxy, I configured the proxy with the GNOME
  proxy capplet. I set the proxy host to "proxy.myenterprise.com" and
  proxy port to "90" in the configuration tab, and a list of hosts to
  exclude in the advanced tab, like "localhost" and "*.myenterprise.com"
  in the list.

  When I open a terminal, the environment variable http_proxy is set to
  "http://proxy.myenterprise.com:90/" which is correct, but it is not
  enough to let me get some data from the outside with "sudo apt-get
  update". In fact the proxy refuses my request because authentication
  is required. To provide my authentication credentials, I need to
  manually set http_proxy to
  "http://username:password@proxy.myenterprise.com:90/". Then "sudo apt-
  get update" works.

  But I need a little more : we have a local mirror of the repository
  for the binary packages on our enterprise network (which is
  debmirror.myenterprise.com), but not for the source packages so we
  still use "archive.ubuntu.com" as repository.

  If I try to "sudo apt-get update", it will try to reach debmirror.myenterprise.com by using the proxy, but it won't work. I mentionned that I configured the GNOME proxy capplet to ignore host matching "localhost,*.myenterprise.com". That's why I have the $no_proxy environment variable set to "*.myenterprise.com". But "sudo apt-get update" still does not work the way it should. The reason it does not work are :
   * the environment variable $no_proxy is not preserved when calling sudo, in contrary to $http_proxy. To see it, run "sudo -V" as root: it gives a list of the environment variables that are checked/removed/preserved.
   * $no_proxy environment variable does not allow wildcards : it should rather be no_proxy="localhost,myenterprise.com"

  So to have the environment variable $no_proxy preserved when calling
  sudo, I have to add the following line in my sudoers file :

  Defaults        env_keep+="no_proxy"

  And to have some correct $http_proxy and $no_proxy variables, I have
  to define them in my .bashrc. When I do all this, it works like a
  charm: I can access to inside repositories, or outside repository. But
  to get it working, you need to know a lot of system things.

  So here are my ideas:
   * In the GNOME proxy capplet, in the advanced tab, have a checkbox "the proxy needs authentication" which allows to enter authentication credentials. This could be stored safely in the GNOME keyring. So they can be used to set $http_proxy to "http://username:password@proxyhost:port/".
   * sudo already preserve the $http_proxy environment variable (bug #194238 mentions it). I think it should also preserve the $no_proxy environment variable to ignore some hosts for the proxy.
   * the GNOME proxy capplet allows to enter some hosts to ignore, but it fails to translate them correctly in the $no_proxy environment variable. It needs a filter to remove wildcards and keep only valid hosts (for example, "192.168.*" cannot be in $no_proxy in the "192.168." form, but *.myenterprise.com can with the "myenterprise.com" form).

  I assigned this bug to sudo because from the 3 problems I exposed,
  modifying the sudoers file to preserve the $no_proxy variable is the
  only thing a normal user cannot do. But I could also have assigned
  this bug to the GNOME proxy capplet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/284867/+subscriptions

More information about the foundations-bugs mailing list