Bug#: 25931
Status: RESOLVED
Resolution: FIXED
Assigned To: Mamoru KOMACHI (RETIRED) <usata@gentoo.org>
Reporter: petre rodan (RETIRED) <kaiowas@gentoo.org>

Description:   Opened: 2003-08-04 23:02 0000
some of the installed dirs containing binaries (and libraries) are 775.
on some systems that use grsecurity with the following flags enabled:

CONFIG_GRKERNSEC_TPE
CONFIG_GRKERNSEC_TPE_ALL

the execution of the binaries will be stopped by the system.
for instance:

Aug  4 20:37:58 [kernel] grsec: denied untrusted exec of /opt/Acrobat5/Browsers/intellinux/nppdf.so by (mozilla-bin:27472) UID(1000) EUID(1000), parent (wmaker:26706) UID(1000) EUID(1000)

quick solution:

find /opt/Acrobat5 -type d -exec chmod 755 {} \;



Reproducible: Always
Steps to Reproduce:
0. use grsecurity with CONFIG_GRKERNSEC_TPE{,_ALL}=y
1. rsync
2. emerge acroread
3. acroread
4. tail /var/log/everything/current
5. find /opt/Acrobat5 -type d -exec chmod 755 {} \;
6. acroread # now it works

Actual Results:  
Aug  4 20:37:58 [kernel] grsec: denied untrusted exec of /opt/Acrobat5/Browsers/intellinux/nppdf.so by (mozilla-bin:27472) UID(1000) EUID(1000), parent (wmaker:26706) UID(1000) EUID(1000)

Expected Results:  
emerge acroread should remove the group writable attribute (755).

Portage 2.0.48-r5 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1)
=================================================================
System uname: 2.4.21 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz
GENTOO_MIRRORS="ftp://193.230.245.6/pub/mirrors/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/public/tmp"
PORTDIR_OVERLAY=""
USE="x86 oss 3dnow apm avi crypt cups encode foomaticdb gif jpeg libg++ mad mikmod mpeg ncurses nls pdflib png quicktime truetype xml2 xmms xv zlib gdbm berkdb slang readline tetex svga tcltk java mysql sdl gpm tcpd pam libwww perl python esd imlib oggvorbis mozilla cdr X gtk -gnome -alsa -kde -qt -arts opengl ssl mmx -motif -spell -emacs"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer"
CXXFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://193.230.245.6/gentoo-portage"
FEATURES="sandbox ccache"

------- Comment #1 From Mamoru KOMACHI (RETIRED) 2003-08-11 10:23:17 0000 -------
Fixed.  Thanks.
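
Added example (not part of the bug report or of the ebuild fix): a shell audit that finds the directories in a package tree that are group- or world-writable, as in the 775 case reported above, and clears only those write bits. The function names and the temporary sample tree are constructed for illustration; the script assumes GNU find and checks only the write bits, not directory ownership.

```sh
#!/bin/sh
# Added example, not from the bug report. Assumption: a directory fails the
# trusted-path check when it is group- or world-writable (the 775 case above).
# The ownership part of TPE is not checked here.

# Print every directory under $1 with the group or other write bit set.
# "-perm /022" (GNU find) matches when any of those bits is set.
tpe_untrusted_dirs() {
    find "$1" -type d -perm /022 -print
}

# Count them (assumes no newlines in directory names).
tpe_count() {
    tpe_untrusted_dirs "$1" | wc -l | tr -d ' '
}

# Clear only the offending write bits on only the offending directories,
# leaving files and already-clean directories untouched.
tpe_fix_dirs() {
    find "$1" -type d -perm /022 -exec chmod go-w {} +
}

# Constructed sample tree shaped like the paths in the report; prints
# "<untrusted before> <untrusted after>".
tpe_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Acrobat5/Browsers/intellinux" "$tmp/Acrobat5/Reader"
    : > "$tmp/Acrobat5/Browsers/intellinux/nppdf.so"
    chmod 755 "$tmp/Acrobat5" "$tmp/Acrobat5/Reader"
    chmod 775 "$tmp/Acrobat5/Browsers" "$tmp/Acrobat5/Browsers/intellinux"
    before=$(tpe_count "$tmp/Acrobat5")
    tpe_fix_dirs "$tmp/Acrobat5"
    after=$(tpe_count "$tmp/Acrobat5")
    rm -rf "$tmp"
    echo "$before $after"
}

# With a path argument, audit that tree; with none, run the demo.
if [ "$#" -gt 0 ]; then
    tpe_untrusted_dirs "$1"
else
    tpe_demo
fi
```

Run against an installed tree (for example with /opt/Acrobat5 as the argument) it only lists the affected directories; nothing is changed unless tpe_fix_dirs is called.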
