The squid configure script runs "rpm -q -l heimdal-devel", causing a sandbox violation.

>>> Source configured.
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-31720.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /var/lib/rpm/__db.001
A: /var/lib/rpm/__db.001
R: /var/lib/rpm/__db.001
C: rpm -q -l heimdal-devel

F: open_wr
S: deny
P: /var/lib/rpm/__db.Name
A: /var/lib/rpm/__db.Name
R: /var/lib/rpm/__db.Name
C: rpm -q -l heimdal-devel

F: open_wr
S: deny
P: /var/lib/rpm/__db.Name
A: /var/lib/rpm/__db.Name
R: /var/lib/rpm/__db.Name
C: rpm -q -l heimdal-devel

F: open_wr
S: deny
P: /var/lib/rpm/__db.001
A: /var/lib/rpm/__db.001
R: /var/lib/rpm/__db.001
C: rpm -q -l heimdal-devel

F: open_wr
S: deny
P: /var/lib/rpm/__db.Name
A: /var/lib/rpm/__db.Name
R: /var/lib/rpm/__db.Name
C: rpm -q -l heimdal-devel

F: open_wr
S: deny
P: /var/lib/rpm/__db.Name
A: /var/lib/rpm/__db.Name
R: /var/lib/rpm/__db.Name
C: rpm -q -l heimdal-devel
--------------------------------------------------------------------------------

squid-3.1.15/helpers/negotiate_auth/squid_kerb_auth/configure.ac uses the following logic (rewrapped for increased readability):

    Linux)
      if test "x$enableval" != "xyes" -a \
              "x$enableval" != "x" -a \
              "x$enableval" != "xno" ; then
        ac_libdir=$enableval/lib
        ac_includedir=$enableval/include
      else
        ac_libdir=`rpm -q -l heimdal-devel 2>/dev/null \
          | grep "/libroken" | sed -e 's/\/libroken.*//' | head -1`
        ac_includedir=`rpm -q -l heimdal-devel 2>/dev/null \
          | grep /krb5.h$ | sed -e 's/\/krb5.h//' | head -1`
      fi

The autodetection of mit kerberos seems to take the same route. So perhaps one could attempt to pass /usr into that $enableval variable, using --enable-heimdal=${EPREFIX}/usr and --enable-mit=${EPREFIX}/usr, respectively.
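The branch selection quoted above can be reproduced outside the build, as an added example that is not part of the bug report, the attached patch or the squid sources. The `rpm` stub, its file list, and the names `detect_heimdal`, `rpm_calls` and `RPM_LOG` are constructed for illustration; `/usr` stands for `${EPREFIX}/usr` with an empty EPREFIX.

```shell
#!/bin/sh
# Counts how often the quoted configure.ac logic invokes rpm for a given
# --enable-heimdal value. Every invocation of the real rpm opens
# /var/lib/rpm/__db.* for writing, which is what the sandbox denied.

RPM_LOG=$(mktemp)
trap 'rm -f "$RPM_LOG"' EXIT

# Constructed stub standing in for the real rpm binary: it records the call
# and prints a made-up file list for heimdal-devel.
rpm() {
    echo "rpm $*" >> "$RPM_LOG"
    printf '%s\n' /usr/include/krb5.h /usr/lib/libroken.so
}

# Same test and pipelines as the configure.ac excerpt; $1 plays $enableval.
detect_heimdal() {
    enableval=$1
    if test "x$enableval" != "xyes" -a \
            "x$enableval" != "x" -a \
            "x$enableval" != "xno" ; then
        # Explicit prefix given: paths are derived without touching rpm.
        ac_libdir=$enableval/lib
        ac_includedir=$enableval/include
    else
        # Autodetection: queries the host's RPM database twice.
        ac_libdir=`rpm -q -l heimdal-devel 2>/dev/null \
            | grep "/libroken" | sed -e 's/\/libroken.*//' | head -1`
        ac_includedir=`rpm -q -l heimdal-devel 2>/dev/null \
            | grep '/krb5.h$' | sed -e 's/\/krb5.h//' | head -1`
    fi
}

# Print the number of rpm invocations triggered by one enableval.
rpm_calls() {
    : > "$RPM_LOG"
    detect_heimdal "$1"
    wc -l < "$RPM_LOG" | tr -d ' '
}

for v in yes /usr; do
    echo "--enable-heimdal=$v -> $(rpm_calls "$v") rpm call(s)"
done
```

Any value other than "yes", "no" or the empty string takes the first branch, so an ebuild that passes an explicit prefix keeps configure away from the host's package database.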
Created attachment 286071
Proposed patch

Checked, works as expected for me. Haven't runtime-tested kerberos support, though, and won't be able to do so due to lack of working kerberos setup.
Can you post emerge --info please? Thank you.
Created attachment 286131
emerge --info

Here it is, but I doubt it will tell you any more than the squid build files or the attached patch will tell you. For completeness, I've got app-crypt/heimdal-1.5 installed here, as well as app-arch/rpm-4.9.0.
Proposed ebuild patch a month ago, please have a look and simply apply that bugger.
Still an issue with squid 3.1.16. Is there anything more I can do to get this patch landed in the main portage tree? Do you have any concerns about my solution having ill effects in some cases? I cannot imagine any such cases.
(In reply to comment #5)
> Is there anything more I can do to get this patch landed in the main portage
> tree?

I am not the maintainer for squid. But I will take a look at this bug if there is no word from net-proxy herd and I bump squid again.
Still an issue with squid 3.1.18. Please fix this or officially drop kerberos support!
+*squid-3.1.19 (09 Mar 2012) + + 09 Mar 2012; Eray Aslan <eras@gentoo.org> +squid-3.1.19.ebuild: + Non-maintainer version bump - bug #407337. Fix sandbox violation - bug + #382535 +