Tightvnc doesn't build on Gentoo-hardened when the server is built as well, because imake creates scripts in /tmp and executes them. When TPE is enabled, which it is on my system, /tmp is not a valid path for executables.

Reproducible: Always

Steps to Reproduce:
1. Switch to Gentoo hardened
2. Switch on TPE (Trusted Path Execution) in grsec
3. USE=server emerge tightvnc

Actual Results:
>>> Compiling source in /var/tmp/portage/net-misc/tightvnc-1.3.10-r1/work/vnc_unixsrc ...
imake -DUseInstalled -I/usr/lib/X11/config
sh: /var/tmp/portage/net-misc/tightvnc-1.3.10-r1/temp/imake1xwtEg: Permission denied
/usr/bin/xmkmf: line 57: 21078 Aborted imake $imake_defines $args

Expected Results:
Just compiled.

There is bug 289296, which suggests removing imake altogether. I'll probably keep looking around for a work-around and update this bug as soon as I've found something.
We're not responsible for this.
Oh, I forgot to mention that I have "userpriv" and "usersandbox" in my FEATURES and that I have:

user@host ~ $ sudo sysctl -a | grep tpe
Password:
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1234
kernel.grsecurity.tpe_restrict_all = 1

and

user@host ~ $ id portage
uid=123(portage) gid=123(portage) groups=123(portage),1234(xyz)

I just finished an `emerge -NuDv world` and also a big chunk of `revdep-rebuild`, and this is one of the few packages for which it didn't work.
I don't fully understand it, but the suggestions of bug 216908 seem to apply. Here are my notes, before I give up on the issue:
- I've determined using traceroute that imake chmod's the executable it creates to 0711.
- I've determined using my kernel sources that in gr_tpe_allow(), when I switch on grsec_enable_tpe_all, either (inode->i_uid != cred->uid) [thus the uid of the file must be different from the uid of the executor] or the executed file must be group- or world-writable for the problem to appear.
- Since the executable is created by the same user as the one who will execute it (with FEATURES=userpriv this is portage) and it has permission 0711, it should never have matched.
If anyone who stumbles over this can shed some light on what I can't see... that'd be highly appreciated. :)

*** This bug has been marked as a duplicate of bug 216908 ***
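A small user-space diagnostic that applies the two tpe_restrict_all conditions quoted in the previous comment (file owner uid differs from the executing uid; file is group- or world-writable) to a real file, so you can see which one a blocked file trips. This is an added example, not code from the bug thread or from grsecurity: it reproduces only the two conditions the comment attributes to gr_tpe_allow() and does not model the rest of the kernel's TPE logic, and the file it checks is a constructed temp script with imake's 0711 mode, not the actual imake1xwtEg file.

```python
"""Mirror, in user space, the two tpe_restrict_all checks described in the
thread for gr_tpe_allow(), to explain why a given file would be denied.

Added example (not from the bug thread or grsecurity). Only the two
conditions quoted in the comment are modelled; the kernel performs further
checks that are not reproduced here."""
import os
import stat
import tempfile
from typing import List, Optional


def tpe_restrict_all_reasons(file_uid: int, file_mode: int, exec_uid: int) -> List[str]:
    """Return the reasons the described tpe_restrict_all checks would deny
    executing a file with owner `file_uid` and permission bits `file_mode`
    when run by `exec_uid`. An empty list means neither condition matched."""
    reasons = []
    # Condition 1 from the comment: inode->i_uid != cred->uid
    if file_uid != exec_uid:
        reasons.append(f"file owner uid {file_uid} != executing uid {exec_uid}")
    # Condition 2 from the comment: file is group- or world-writable
    if file_mode & stat.S_IWGRP:
        reasons.append("file is group-writable")
    if file_mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    return reasons


def explain_path(path: str, exec_uid: Optional[int] = None) -> List[str]:
    """Stat `path` and apply the checks as if `exec_uid` (default: our own
    effective uid, e.g. portage under FEATURES=userpriv) executed it."""
    st = os.stat(path)
    if exec_uid is None:
        exec_uid = os.geteuid()
    return tpe_restrict_all_reasons(st.st_uid, stat.S_IMODE(st.st_mode), exec_uid)


def demo() -> dict:
    """Constructed scenario: a script in a temp dir with mode 0711 (what the
    comment says imake sets), checked as its owner and as a different uid,
    then made group-writable to show the second condition firing."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "imake_script")  # constructed stand-in for imake's temp script
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho hi\n")
        os.chmod(p, 0o711)
        me = os.geteuid()
        results = {
            "owner_0711": explain_path(p, me),          # expected: [] (allowed)
            "other_uid_0711": explain_path(p, me + 1),  # expected: owner mismatch
        }
        os.chmod(p, 0o731)  # add group write bit
        results["owner_0731"] = explain_path(p, me)    # expected: group-writable
        return results


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(f"{case}: {'allowed' if not reasons else '; '.join(reasons)}")
```

To apply it to a real failure, run `explain_path("/path/to/blocked/file")` as the uid that portage builds with; an empty result means the file itself satisfies both quoted conditions and the denial must come from a check this approximation does not cover.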