| Summary: | genkernel fails because /var is mounted noexec | | |
|---|---|---|---|
| Product: | Gentoo Hosted Projects | Reporter: | Sascha Wuestemann <bigfoot> |
| Component: | genkernel | Assignee: | Gentoo Genkernel Maintainers <genkernel> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Sascha Wuestemann
2006-08-21 17:30:17 UTC
this is not a typo: #! /bin/sh

Hi SpanKY, you are right. But the reason for the problem is near: I have mounted /tmp rw,noexec,mode=1777. This is seldom and not the gentoo default, but a security measure genkernel scripts should accept. Do you agree? If not, teach me.

What filesystem is /var and /?

    /dev/hda3 on / type xfs (rw,noatime)
    /dev/hda4 on /var type xfs (rw,noexec,noatime)

Is /var/tmp a separate partition? If so, what's the info on it? If not, how does *anything* merge properly on your system with noexec on /var?

    $ mount
    /dev/hda3 on / type xfs (rw,noatime)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw,nosuid,nodev,noexec)
    udev on /dev type tmpfs (rw,nosuid)
    devpts on /dev/pts type devpts (rw)
    /dev/hda4 on /var type xfs (rw,noexec,noatime)
    /dev/hdd2 on /home type xfs (rw,noatime)
    /dev/hdd3 on /root type xfs (rw,noatime)
    /dev/hdc2 on /mnt/hdc2 type xfs (rw,noatime)
    /dev/hdc3 on /mnt/hdc3 type xfs (rw,noatime)
    /dev/hdc4 on /usr type xfs (rw,noatime)
    tmpfs on /dev/shm type tmpfs (rw)
    tmpfs on /tmp type tmpfs (rw,noexec,mode=1777)
    usbfs on /proc/bus/usb type usbfs (rw,noexec,nosuid,devmode=0664,devgid=85)
    automount(pid8060) on /misc type autofs (rw,fd=5,pgrp=8060,minproto=2,maxproto=3 )
    capifs on /dev/capi type capifs (rw,mode=0666)
    rpc_pipefs on /var/lib/rpc_pipes type rpc_pipefs (rw)
    nfsd on /proc/fs/nfs type nfsd (rw)
    /mnt/hdc2/cd/Knoppix/v4.0.2_2005-09-23 on /cdrom type none (ro,bind)

to answer almost _all_ mount questions.

The final answer is this from my make.conf:

    PORTAGE_TMPDIR="/usr/tmp2"

...which I created a _really_ _very_ _long_ time ago, because my /var had run full because of ebuilds (/usr/tmp is a symlink to /var/tmp) those days. Must have mounted /var noexec later on when having read that mounting /tmp noexec was a good idea for security reasons, and then I must have thought, hey, why not /var, too - there are also only data files to reside. - Which was right for a couple of years until now. Of course I could change that.

But hey, what about the gentoo security concept? And the genkernel maintainer(s), too, should think about it, don't you agree? I could append a really long list of applications running fine on my system. Only emerge wants /var to be executable and now genkernel /tmp. As for now the problem is clear and the solution is near, what do you suggest?

Well, genkernel doesn't need /tmp executable so much as /var, since it does its builds under /var/tmp, like portage does normally. We probably need to do a few things. First, we would need to patch genkernel to allow people to set the tmp directory, like portage does. Next, we would need to make sure genkernel does checks to ensure that this directory allows us to execute scripts. This really is annoying, and seems more like a waste of time to work around a problem that really shouldn't exist, but I digress. I'm sure we'll get to it eventually, but it definitely won't be a high priority.

All ebuild scripts I have used before evaluate /etc/make.conf to get the PORTAGE_TMPDIR, "/usr/tmp2" in my case, which is a mountpoint to a big partition. Only your package has "/var/tmp", which is the default PORTAGE_TMPDIR, hard coded. But PORTAGE_TMPDIR is freely changeable by the root user, so you have a major bug in your package, and hard coded paths are basic mistakes where environment variables are in use, do you agree with that? I am really looking forward to it, if you would honor the facts that PORTAGE_TMPDIR is freely configurable and /var/tmp can be mounted non-executable - and that hardcoding paths where not matching all cases is a bad thing.

(In reply to comment #8)
> All ebuild-scripts I have used before, evaluate /etc/make.conf to get the
> PORTAGE_TMPDIR, "/usr/tmp2" in my case which is a mountpoint to a big
> partition.
> Only your package has "/var/tmp" which is the default PORTAGE_TMPDIR hard
> coded.
> But PORTAGE_TMPDIR is free changeable by the root user, so you have a major bug
> in your package and hard coded paths are basic mistakes where environment
> variables are in use, do you agree with that?

Only genkernel isn't an ebuild script. It's not tied to (well, shouldn't be) Portage in any way, shape or form. Just use "genkernel --tempdir=/usr/blah/whatever". It's in the --help but not the manpage, so I need to document this I guess.

As Tim mentioned, genkernel is a "Gentoo Hosted Project" but doesn't necessarily *have* to run on Gentoo. In fact, it works perfectly fine on lots of non-Gentoo Linux machines. Because of this, we cannot rely on *anything* from make.conf, but we could make it an option in genkernel.conf, instead. If anyone has a patch for genkernel.conf (and genkernel to honor it) for this, that would be great. Otherwise, it's probably not going to happen until I get time to work on features like this (which will be a *long* time).

This is in SVN now with the patch from bug #180161. Please test genkernel 3.4.9_prer1 or better.

This should be fixed now.
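The check the maintainer describes above (make sure the build directory allows executing scripts before genkernel runs anything from it), written here as an added example; this is not genkernel's own code and the function names are my own. It reads a mount table in /proc/mounts format, picks the longest mountpoint covering the directory, and reports whether that mount carries noexec. The sample table is constructed to mirror the report (/var and /tmp noexec, / and /usr not); a real caller would omit the table argument and let it read the live /proc/mounts. The "--tempdir" option in the error message is the one named in the thread.

```shell
#!/bin/sh
# Added example (not genkernel's code): decide whether a build/temp directory
# sits on a noexec mount before trying to run scripts from it.

# Constructed sample table in /proc/mounts format, mirroring the mounts from the
# report: /var and /tmp are noexec, / and /usr are not.
SAMPLE_MOUNTS='/dev/hda3 / xfs rw,noatime 0 0
/dev/hda4 /var xfs rw,noexec,noatime 0 0
tmpfs /tmp tmpfs rw,noexec,mode=1777 0 0
/dev/hdc4 /usr xfs rw,noatime 0 0'

# mount_for_dir DIR [TABLE]: print "<mountpoint>TAB<options>" for the longest
# mountpoint that covers DIR. TABLE defaults to the live /proc/mounts. On equal
# length the later entry wins, matching how overmounts appear in /proc/mounts.
mount_for_dir() {
    dir=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v d="$dir" '
        NF >= 4 {
            mp = $2
            # "/" covers everything; otherwise DIR must equal the mountpoint
            # or start with "<mountpoint>/" (so /var never claims /vartmp).
            if (mp == "/" || mp == d || index(d, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best "\t" opts }'
}

mount_point_for_dir() { mount_for_dir "$1" "$2" | cut -f1; }
mount_opts_for_dir()  { mount_for_dir "$1" "$2" | cut -f2; }

# dir_is_noexec DIR [TABLE]: exit 0 when DIR lives on a mount whose option list
# contains the whole token "noexec" (a substring match would also hit "exec").
dir_is_noexec() {
    mount_opts_for_dir "$1" "$2" | awk -F, '
        { for (i = 1; i <= NF; i++) if ($i == "noexec") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# probe_exec_dir DIR: the definitive runtime check. Drop a tiny script into DIR
# and execute it; this also catches setups the mount table alone cannot explain
# (bind mounts, mount namespaces). Not exercised by the assertions because it
# writes to the real filesystem.
probe_exec_dir() {
    probe=$(mktemp "$1/exec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 0700 "$probe"
    "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    return $rc
}

# check_build_dir DIR: what a build tool could run before using its tempdir.
# Resolves symlinks first, since in the report /usr/tmp pointed at /var/tmp.
check_build_dir() {
    dir=$1
    [ -d "$dir" ] && dir=$(readlink -f "$dir" 2>/dev/null || printf '%s' "$dir")
    if dir_is_noexec "$dir"; then
        printf 'ERROR: %s is on %s, which is mounted noexec; choose another directory (e.g. genkernel --tempdir=...)\n' \
            "$dir" "$(mount_point_for_dir "$dir")" >&2
        return 1
    fi
}
```

With the sample table, `dir_is_noexec /var/tmp "$SAMPLE_MOUNTS"` succeeds (the build would fail) while `/usr/tmp2`, the reporter's PORTAGE_TMPDIR, is reported as executable; against the live system, `check_build_dir /var/tmp` alone is the pre-flight test the thread asks for.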