>>> Compiling source in /var/tmp/portage/sys-devel/m4-1.4.14/work/m4-1.4.14 ...
 * econf: updating m4-1.4.14/build-aux/config.sub with /usr/share/gnuconfig/config.sub
 * econf: updating m4-1.4.14/build-aux/config.guess with /usr/share/gnuconfig/config.guess
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --enable-changeword
ACCESS DENIED open_wr: /dev/urandom
ACCESS DENIED open_wr: /dev/urandom
[snip]
F: open_wr
S: deny
P: /dev/urandom
A: /dev/urandom
R: /dev/urandom
C: /bin/sh -c fail= failcom='exit 1'; \
	for f in x $MAKEFLAGS; do \
	  case $f in \
	    *=* | --[!k]*);; \
	    *k*) failcom='fail=yes';; \
	  esac; \
	done; \
	dot_seen=no; \
	target=`echo all-recursive | sed s/-recursive//`; \
	list='. examples lib src doc checks tests'; for subdir in $list; do \
	  echo "Making $target in $subdir"; \
	  if test "$subdir" = "."; then \
	    dot_seen=yes; \
	    local_target="$target-am"; \
	  else \
	    local_target="$target"; \
	  fi; \
	  (CDPATH="${ZSH_VERSION+.}:" && cd $subdir && make $local_target) \
	  || eval $failcom; \
	done; \
	if test "$dot_seen" = "no"; then \
	  make "$target-am" || exit 1; \
	fi; test -z "$fail"
--------------------------------------------------------------------------------
>>> Failed to emerge sys-devel/m4-1.4.14

Portage 2.2_rc65 (default/linux/amd64/10.0/desktop, gcc-4.4.3, glibc-2.11-r1, 2.6.32-gentoo-r6 x86_64)
=================================================================
System uname: Linux-2.6.32-gentoo-r6-x86_64-AMD_Phenom-tm-_9950_Quad-Core_Processor-with-gentoo-2.0.1
Timestamp of tree: Unknown
ccache version 2.4 [disabled]
app-shells/bash: 4.1_p2
dev-java/java-config: 2.1.10
dev-lang/python: 2.6.4-r1, 3.1.1-r1
dev-python/pycrypto: 2.1.0
dev-util/ccache: 2.4-r8
dev-util/cmake: 2.8.0-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.0-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.13, 2.65
sys-devel/automake: 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils: 2.20-r1
sys-devel/gcc: 4.4.3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.32
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=k8 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests buildpkg collision-protect distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/home/pal/code/gentoo-x86/"
PORTDIR_OVERLAY="/usr/local/portage/layman/x11 /usr/local/portage/layman/qting-edge /usr/local/portage/layman/Spring /home/pal/code/kde"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aalib acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdio cdparanoia cdr cli consolekit cracklib crypt cups curl cxx dbus dga directfb dri dts dv dvd dvdr eds emboss encode evo extras fam firefox flac fortran ftp fts3 gdbm ggi gif gpm iconv ipv6 ithreads jack jpeg jpeg2k kde kpathsea ladspa lcms libnotify lzo mad md5sum mikmod mmx mmxext mng modules mp2 mp3 mp4 mpeg mudflap multilib musepack nas ncurses networkmanager nls nptl nptlonly objc ogg openal opengl openmp pam pcre pdf perl png pnm policykit ppds pppd python qt3support qt4 quicktime rar readline reflection rtc sasl sdl secure-delete semantic-desktop session slang speex spell spl sqlite sse sse2 ssl startup-notification svg sysfs tcpd tga theora thunar tiff truetype unicode usb v4l2 vorbis webkit x264 xml xorg xulrunner xv xvid xvmc zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="vga radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Ok, I tracked this one down to a change I made yesterday, which makes pretty much all packages fail to emerge. I changed the /bin/sh symlink to /bin/mksh, which is app-shells/mksh. Setting it back to /bin/bash "fixes" the build issues.
We used to have a SANDBOX_PREDICT for /dev/random (not urandom) in portage, but it's been removed since bug 258684. I don't see a corresponding entry in /etc/sandbox.conf from sandbox-2.2 though. Maybe we should do both random and urandom?
Don't write to /dev/urandom.
This is actually the arc4random.c.1.14 source file. Writes to /dev/urandom are harmless: they’re denied if not root (sadly, except on Win32 and MirBSD, there is no defined way to add entropy to the pool as non-root) anyway, and if root, they’re added into the pool in a way that doesn’t do harm. (I actually read the implementation of /dev/*random.) However, if you must prevent this by policy, remove the following lines from the arc4random.c.1.14 file:

    370 	int fd;
    371 
    372 	if ((fd = open(__randomdev, O_WRONLY)) != -1) {
    373 		if (write(fd, buf, len) < 4)
    374 			do_rd = 1;
    375 		close(fd);
    376 	}
    377 	return (do_rd || fd == -1 ? 0 : 1);

Replace with:

    	return (0);

You should consider upgrading to arc4random.c.1.27 anyway (which would need the same patch).
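The write-back step quoted above, reconstructed as a stand-alone program beside the patched form. This is an added example, not the mksh or arc4random.c source: the file's statics (__randomdev, buf, len) become parameters, do_rd is assumed to start at 0, and a temporary file stands in for /dev/urandom so it runs without root and without touching the real pool. It also covers the two ways the original returns 0, a refused open (what a sandbox denying open_wr produces) and a push shorter than the 4-byte threshold.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added reconstruction of the quoted lines, not the original file: the
 * statics (__randomdev, buf, len) are parameters and do_rd is assumed to
 * start at 0. Returns 1 when at least 4 bytes were pushed into the device,
 * 0 when it could not be opened for writing or the write came up short. */
static int
push_entropy_original(const char *randomdev, const unsigned char *buf, size_t len)
{
	int do_rd = 0;	/* assumed initial value */
	int fd;

	if ((fd = open(randomdev, O_WRONLY)) != -1) {
		if (write(fd, buf, len) < 4)
			do_rd = 1;
		close(fd);
	}
	return (do_rd || fd == -1 ? 0 : 1);
}

/* The replacement proposed above: no open, no write, and the caller is told
 * nothing was pushed, so it falls back to whatever it does on failure. */
static int
push_entropy_patched(const char *randomdev, const unsigned char *buf, size_t len)
{
	(void)randomdev;
	(void)buf;
	(void)len;
	return (0);
}

/* Exercise both against a temporary file standing in for /dev/urandom
 * (constructed for this example) and against a path that cannot be opened,
 * which is what the code sees when a sandbox refuses open_wr.
 * Returns 1 when every case behaves as the comments describe. */
static int
run_demo(void)
{
	char stand_in[] = "/tmp/urandom-stand-in.XXXXXX";
	unsigned char buf[16];
	int fd, full, shortw, denied, patched;

	memset(buf, 0xA5, sizeof buf);	/* constructed "entropy" */
	if ((fd = mkstemp(stand_in)) == -1)
		return (0);
	close(fd);

	full = push_entropy_original(stand_in, buf, sizeof buf);	/* 16 >= 4 -> 1 */
	shortw = push_entropy_original(stand_in, buf, 2);		/* 2 < 4 -> 0 */
	denied = push_entropy_original("/nonexistent/dir/urandom", buf, sizeof buf);	/* fd == -1 -> 0 */
	patched = push_entropy_patched(stand_in, buf, sizeof buf);	/* always 0 */
	unlink(stand_in);

	printf("16-byte push: %d, 2-byte push: %d, open refused: %d, patched: %d\n",
	    full, shortw, denied, patched);
	return (full == 1 && shortw == 0 && denied == 0 && patched == 0);
}

int
main(void)
{
	return (run_demo() ? 0 : 1);
}
```

The open itself is what the build log above records as the open_wr violation on /dev/urandom. Note that the original code already treats a refused open as fd == -1 and returns 0, so under Portage's sandbox it is the recorded violation, not a misbehaving mksh, that turns the m4 build into a failure; the patch removes the write attempt entirely, which is the only way to keep the violation from being logged at all.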
Created attachment 237117
Patch for arc4random.c.1.14

Adding a patch for version 1.14 of arc4random.c
I can verify that the attached patch works. What I did:

1.) emerge mksh-39c (from portage)
2.) Link /bin/sh to mksh
3.) emerge sys-devel/m4 => FAILS with messages "ACCESS DENIED open_wr: /dev/urandom"
4.) emerge mksh-39c-r1 (with patch)
5.) emerge sys-devel/m4 => WORKS without errors.

Hanno, can you please include this patch in the main tree? Thorsten, which improvements were made in arc4random.c.1.27 compared to 1.14?
Diff: https://www.mirbsd.org/cvs.cgi/contrib/code/Snippets/arc4random.c.diff?r1=1.14;r2=1.27 CVSweb: https://www.mirbsd.org/cvs.cgi/contrib/code/Snippets/arc4random.c
Hanno is not responding... Patrick, are you able to upload the attached patch to portage?
mksh R40 will not use arc4random at all any more (at least not on systems other than OpenBSD-derived ones), since it’s sometimes too expensive, e.g. on Debian/m68k, as a speed-up. These OSes do ASLR anyway, which we can use to seed $RANDOM; it was never intended for crypto anyway and is only 15 bits wide in output and 32 bits wide internally. There’s no plan when R40 will come out though, don’t hold your breath for it.
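To make the last point concrete, an added example (not mksh's code) of a $RANDOM-style generator with the shape described above: 32 bits of internal state, 15 bits of output, seeded from addresses that ASLR moves between runs. The LCG constants are the textbook ANSI C ones and the seed mix is this example's own choice; neither is claimed to be mksh's recurrence. The recovery routine shows why that width rules out crypto use regardless of how good the seed is: the 15 output bits are the top of the state, so only 2^17 low bits are unknown, and four consecutive outputs pin down the full state and with it every later value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy $RANDOM-style generator: 32-bit state, 15-bit output. Illustrative
 * only; the constants are the ANSI C example LCG, not mksh's. */
struct toy_rng {
	uint32_t state;
};

static uint32_t
toy_step(uint32_t s)
{
	return (s * 1103515245u + 12345u);
}

/* The high 15 bits of the state become the 0..32767 value a script sees. */
static unsigned
toy_output(uint32_t s)
{
	return ((s >> 17) & 0x7fffu);
}

static unsigned
toy_random(struct toy_rng *r)
{
	r->state = toy_step(r->state);
	return (toy_output(r->state));
}

/* Seed from addresses ASLR randomises per run (stack and data segment).
 * The mix is an assumption made for this example, not mksh's method. */
static uint32_t
toy_seed_from_aslr(void)
{
	static int in_data;
	int on_stack;
	uintptr_t a = (uintptr_t)&on_stack;
	uintptr_t b = (uintptr_t)&in_data;

	return ((uint32_t)(a ^ (b >> 4)));
}

/* Recover the full state from n consecutive outputs. out[0] fixes the top
 * 15 bits, so only 2^17 candidates for the low bits remain; each is stepped
 * forward and checked against out[1..n-1]. Returns the number of surviving
 * candidates and stores the last survivor (the state right after out[0]
 * was produced) in *state_out. */
static unsigned
toy_recover(const unsigned *out, size_t n, uint32_t *state_out)
{
	unsigned found = 0;
	uint32_t low;

	for (low = 0; low < (1u << 17); low++) {
		uint32_t s = ((uint32_t)out[0] << 17) | low;
		uint32_t cur = s;
		size_t i;

		for (i = 1; i < n; i++) {
			cur = toy_step(cur);
			if (toy_output(cur) != out[i])
				break;
		}
		if (i == n) {
			found++;
			*state_out = s;
		}
	}
	return (found);
}

/* Fixed-seed victim: observe four values, recover the state, predict the
 * fifth. Returns 1 when exactly one candidate survives and it predicts
 * the next output correctly. */
static int
demo_predict(void)
{
	struct toy_rng victim = { 0xC0FFEEu };	/* constructed seed for repeatability */
	unsigned seen[4], next;
	uint32_t s;
	size_t i;

	for (i = 0; i < 4; i++)
		seen[i] = toy_random(&victim);
	next = toy_random(&victim);	/* the value an attacker wants to know */

	if (toy_recover(seen, 4, &s) != 1)
		return (0);
	for (i = 1; i < 5; i++)	/* past seen[1..3], then one more */
		s = toy_step(s);
	return (toy_output(s) == next);
}

int
main(void)
{
	struct toy_rng r = { toy_seed_from_aslr() };
	unsigned a = toy_random(&r), b = toy_random(&r), c = toy_random(&r);

	printf("ASLR-seeded values: %u %u %u\n", a, b, c);
	printf("recover state from 4 outputs and predict the 5th: %s\n",
	    demo_predict() ? "ok" : "failed");
	return (0);
}
```

The brute force is 131072 LCG steps, well under a millisecond; an ASLR seed only changes which 32-bit state you start from, not how few observations it takes to learn it, which is why $RANDOM is fine for picking a temp-file suffix and useless for anything an attacker is allowed to watch.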
+ 11 Jul 2010; Patrick Lauer <patrick@gentoo.org> mksh-39c.ebuild, + +files/mksh-39c-urandom-write.patch: + Fix for #307983, thanks to Fabian Koester
Thanks!
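Review bot: the entry records a change to mksh-39c.ebuild itself rather than a new revision, while the verification above was done against mksh-39c-r1 with the patch applied; without a revision bump, systems that already have mksh-39c installed keep the unpatched binary until someone rebuilds it by hand, so consider shipping files/mksh-39c-urandom-write.patch in an -r1 ebuild so the fix propagates through a normal update.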