Bug 319745 - net-misc/tightvnc-1.3.10-r1 doesn't build on Gentoo hardened with grsec TPE
Summary: net-misc/tightvnc-1.3.10-r1 doesn't build on Gentoo hardened with grsec TPE
Status: RESOLVED DUPLICATE of bug 216908
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Raúl Porcel (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-14 17:53 UTC by Dirk Tilger
Modified: 2010-07-12 21:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Dirk Tilger 2010-05-14 17:53:37 UTC
TightVNC doesn't build on Gentoo hardened when the server is built as well, because imake creates scripts in /tmp and executes them. When TPE is enabled, which it is on my system, /tmp is not a valid path for executables.

Reproducible: Always

Steps to Reproduce:
1. Switch to Gentoo hardened
2. Switch on TPE (Trusted Path Execution) in grsec
3. USE=server emerge tightvnc


Actual Results:
>>> Compiling source in /var/tmp/portage/net-misc/tightvnc-1.3.10-r1/work/vnc_unixsrc ...
imake -DUseInstalled -I/usr/lib/X11/config
sh: /var/tmp/portage/net-misc/tightvnc-1.3.10-r1/temp/imake1xwtEg: Permission denied
/usr/bin/xmkmf: line 57: 21078 Aborted                 imake $imake_defines $args


Expected Results:
Just compiled.

There is bug 289296, which suggests removing imake altogether. I'll probably keep looking around for a work-around and update this bug as soon as I've found something.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-14 17:54:41 UTC
We're not responsible for this.
Comment 2 Dirk Tilger 2010-05-14 18:00:30 UTC
Oh, I forgot to mention that I have "userpriv" and "usersandbox" in my FEATURES and that I have:

user@host ~ $ sudo sysctl -a | grep tpe
Password:
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1234
kernel.grsecurity.tpe_restrict_all = 1

and

user@host ~ $ id portage
uid=123(portage) gid=123(portage) groups=123(portage),1234(xyz)

I just finished an `emerge -NuDv world` and also a big chunk of `revdep-rebuild`, and this is one of the few packages for which it didn't work.
Comment 3 Dirk Tilger 2010-07-12 21:36:38 UTC
I don't fully understand it, but the suggestions of bug 216908 seem to apply.

Here are my notes, before I give up on the issue:
- I've determined using traceroute that imake chmod's the executable it creates to 0711
- I've determined using my kernel sources that in gr_tpe_allow(), when I switch on grsec_enable_tpe_all, either (inode->i_uid != cred->uid) [thus the uid of the file must be different from the uid of the executor] or the executed file must be group- or world-writable for the problem to appear.
- Since the executable is created by the same user as the one who will execute it (with FEATURES=userpriv this is portage) and it has permission 0711, it should never have matched.

If anyone who stumbles over this can shed some light on what I can't see... that'd be highly appreciated. :)

*** This bug has been marked as a duplicate of bug 216908 ***
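As an added illustration, not code from this bug report, from TightVNC or from grsecurity: the documented tpe_restrict_all rule (GRKERNSEC_TPE_ALL help text) decides on the directory that contains the executable, so the small POSIX shell model below takes a directory's owner and octal mode plus the executing uid and reports whether TPE would refuse, which lets a build or temp directory layout be audited before a build is attempted. The uids and modes in the demo are constructed values, and the path-based wrapper assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report or grsecurity): a shell model of the
# documented tpe_restrict_all rule, for auditing build/temp directories.
#
# Documented rule: a non-root user may only execute files in directories they
# own that are not group- or world-writable, or in directories owned by root
# and writable only by root. The decision is made on the directory holding
# the executable, not on the executable's own permission bits, so a 0711
# script can still be refused when its temp directory is group-writable.

# tpe_decide DIR_OWNER_UID DIR_OCTAL_MODE EXEC_UID
# Pure decision: prints a reason, returns 0 (allow) or 1 (deny).
tpe_decide() {
    owner=$1; mode=$2; uid=$3
    # root is never restricted by TPE
    [ "$uid" -eq 0 ] && { echo "allow: executor is root"; return 0; }
    # the leading 0 makes the shell read stat's output as octal; 022 = g+w|o+w
    writable=$(( 0$mode & 022 ))
    if [ "$owner" -eq 0 ]; then
        [ "$writable" -eq 0 ] && { echo "allow: root-owned, writable only by root"; return 0; }
        echo "deny: root-owned directory writable by group/other"; return 1
    fi
    [ "$owner" -ne "$uid" ] && { echo "deny: directory owned by uid $owner, not $uid"; return 1; }
    [ "$writable" -eq 0 ] && { echo "allow: owned by executor, not group/world-writable"; return 0; }
    echo "deny: directory owned by executor but group/world-writable"; return 1
}

# tpe_check_path FILE EXEC_UID
# Reads owner and mode of FILE's directory with GNU stat and applies tpe_decide.
tpe_check_path() {
    dir=$(dirname -- "$1")
    owner=$(stat -c %u -- "$dir") || return 2
    mode=$(stat -c %a -- "$dir") || return 2
    tpe_decide "$owner" "$mode" "$2"
}

# Constructed scenario resembling the report: temp dir owned by the build
# user (uid 123 here), mode 0775, script executed by that same user.
tpe_decide 123 775 123 || :   # deny: directory owned by executor but group/world-writable
```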