From bb9cb5d8c987d556730a40f72996c1732069e005 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Wed, 10 Nov 2021 01:21:22 +0100
Subject: [PATCH 1/4] Add comments about sudo and environment variables
---
 base-notebook/start.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
index b5a972ee..b7760b20 100755
--- a/base-notebook/start.sh
+++ b/base-notebook/start.sh
@@ -168,6 +168,30 @@ if [ "$(id -u)" == 0 ] ; then
 PATH="${PATH}" \
 PYTHONPATH="${PYTHONPATH:-}" \
 "${cmd[@]}"
+ # Notes on how we ensure that the environment that this container is started
+ # with is preserved (except vars listen in JUPYTER_ENV_VARS_TO_UNSET) when
+ # we transition from running as root to running as NB_USER.
+ #
+ # - We use `sudo` to execute the command as NB_USER. What then
+ # happens to the environment will be determined by configuration in
+ # /etc/sudoers and /etc/sudoers.d/* as well as flags we pass to the sudo
+ # command. The behavior can be inspected with `sudo -V` run as root.
+ #
+ # ref: `man sudo` https://linux.die.net/man/8/sudo
+ # ref: `man sudoers` https://www.sudo.ws/man/1.8.15/sudoers.man.html
+ #
+ # - We use the `--preserve-env` flag to pass through most environment
+ # variables, but understand that exceptions are caused by the sudoers
+ # configuration: `env_delete`, `env_check`, and `secure_path`.
+ #
+ # - We use the `--set-home` flag to set the HOME variable appropriatly.
+ #
+ # - We reduce the `env_delete` list of default variables to be deleted. It
+ # has higher priority than the `--preserve-env` flag and `env_keep`
+ # configuration.
+ #
+ # - We disable the `secure_path` which is set by default in /etc/sudoers as
+ # it would override the PATH variable.
 # Note on the purpose of "PATH=${PATH}":
 # In case "${cmd[@]}" is "bash", then PATH will be used by this bash shell.
 # However, PATH is irrelevant to how the above sudo command resolves the
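Review bot: The added block explains how the root environment is carried across `sudo` to NB_USER but never states the consequence: with `--preserve-env`, every variable the container was started with, credentials included, reaches the unprivileged process unless it is named in JUPYTER_ENV_VARS_TO_UNSET. I would add a bullet such as `# - Everything in the container environment, secrets included, is handed to NB_USER; list variables that must not cross in JUPYTER_ENV_VARS_TO_UNSET.` The two `ref:` links point at a generic man page and at the sudoers page for 1.8.15, which may not match the sudo shipped in the image, so the comment could say that `sudo -V` in the running container is the authoritative source. The enclosing `if [ "$(id -u)" == 0 ]` branch and the sudo invocation itself start outside this hunk.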
From d362887ad2df1789c80c9cc24d9da419f90de159 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Wed, 2 Feb 2022 16:58:40 +0100
Subject: [PATCH 2/4] Update comments about sudo and environment vars
---
 base-notebook/start.sh | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
index b7760b20..b89532f3 100755
--- a/base-notebook/start.sh
+++ b/base-notebook/start.sh
@@ -182,22 +182,18 @@ if [ "$(id -u)" == 0 ] ; then
 #
 # - We use the `--preserve-env` flag to pass through most environment
 # variables, but understand that exceptions are caused by the sudoers
- # configuration: `env_delete`, `env_check`, and `secure_path`.
+ # configuration: `env_delete` and `env_check`.
 #
- # - We use the `--set-home` flag to set the HOME variable appropriatly.
+ # - We use the `--set-home` flag to set the HOME variable appropriately.
 #
- # - We reduce the `env_delete` list of default variables to be deleted. It
- # has higher priority than the `--preserve-env` flag and `env_keep`
- # configuration.
+ # - To reduce the default list of variables deleted by sudo, we could have
+ # used `env_delete` from /etc/sudoers. It has higher priority than the
+ # `--preserve-env` flag and the `env_keep` configuration.
 #
- # - We disable the `secure_path` which is set by default in /etc/sudoers as
- # it would override the PATH variable.
- # Note on the purpose of "PATH=${PATH}":
- # In case "${cmd[@]}" is "bash", then PATH will be used by this bash shell.
- # However, PATH is irrelevant to how the above sudo command resolves the
- # path of "${cmd[@]}". Sudo's path resolution is done via the "secure_path"
- # variable set above in /etc/sudoers.d/path.
-
+ # - We preserve PATH and PYTHONPATH explicitly. Note however that PATH is
+ # irrelevant to how the above sudo command resolves the path of `${cmd[@]}`.
+ # Sudo uses the "secure_path" variable we modified above in
+ # /etc/sudoers.d/path. (PATH is useful e.g. when `${cmd[@]}` is `bash`.)
 # The container didn't start as the root user, so we will have to act as the
 # user we started as.
From 8d51336cfd960e3beda522bed74247f40a20592b Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov
Date: Wed, 2 Feb 2022 19:23:53 +0300
Subject: [PATCH 3/4] Update base-notebook/start.sh
---
 base-notebook/start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
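Review bot: In the [PATCH 2/4] hunk, the rewritten `env_delete` bullet describes an option that was not taken ("we could have used") without saying what is done instead, which reads oddly under a heading about how the environment is preserved. If the explicit `PATH=` and `PYTHONPATH=` arguments are the chosen alternative, the bullet should say so, for example `# - sudo's default deletion list outranks --preserve-env and env_keep; rather than editing it in /etc/sudoers we pass the variables we need as explicit VAR=value arguments.` That wording would also tell the reader why the following bullet preserves PATH and PYTHONPATH explicitly. The sudo command these comments describe lies outside the hunk, so the link between the two bullets is inferred from the comment text and should be confirmed against the command line.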
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
index b89532f3..eab3dc84 100755
--- a/base-notebook/start.sh
+++ b/base-notebook/start.sh
@@ -169,7 +169,7 @@ if [ "$(id -u)" == 0 ] ; then
 PYTHONPATH="${PYTHONPATH:-}" \
 "${cmd[@]}"
 # Notes on how we ensure that the environment that this container is started
- # with is preserved (except vars listen in JUPYTER_ENV_VARS_TO_UNSET) when
+ # with is preserved (except vars listed in JUPYTER_ENV_VARS_TO_UNSET) when
 # we transition from running as root to running as NB_USER.
 #
 # - We use `sudo` to execute the command as NB_USER. What then
From c2b0311331607cdbe97c3641061d7267dc2677c5 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Thu, 3 Feb 2022 19:11:33 +0100
Subject: [PATCH 4/4] Improve wording of comment
---
 base-notebook/start.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/base-notebook/start.sh b/base-notebook/start.sh
index eab3dc84..05c10376 100755
--- a/base-notebook/start.sh
+++ b/base-notebook/start.sh
@@ -190,10 +190,11 @@ if [ "$(id -u)" == 0 ] ; then
 # used `env_delete` from /etc/sudoers. It has higher priority than the
 # `--preserve-env` flag and the `env_keep` configuration.
 #
- # - We preserve PATH and PYTHONPATH explicitly. Note however that PATH is
- # irrelevant to how the above sudo command resolves the path of `${cmd[@]}`.
- # Sudo uses the "secure_path" variable we modified above in
- # /etc/sudoers.d/path. (PATH is useful e.g. when `${cmd[@]}` is `bash`.)
+ # - We preserve PATH and PYTHONPATH explicitly. Note however that sudo
+ # resolves `${cmd[@]}` using the "secure_path" variable we modified
+ # above in /etc/sudoers.d/path. Thus PATH is irrelevant to how the above
+ # sudo command resolves the path of `${cmd[@]}`. The PATH will be relevant
+ # for resolving paths of any subprocesses spawned by `${cmd[@]}`.
 # The container didn't start as the root user, so we will have to act as the
 # user we started as.
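Review bot: In the [PATCH 4/4] hunk, the reworded bullet establishes that sudo picks the binary for `${cmd[@]}` from "secure_path" while its child processes use PATH, but it does not say that the two lists are meant to stay in agreement. If they drift apart, the program sudo launches and the programs it later spawns by name can come from different directories, which is hard to spot when reviewing either setting alone. A closing sentence such as `# Keep secure_path in /etc/sudoers.d/path and PATH in agreement so both lookups find the same binaries.` would record that. The code that writes /etc/sudoers.d/path is only referred to as "above" and is not part of this hunk.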