>>> Install parrot-5.0.0 into /var/tmp/portage/dev-lang/parrot-5.0.0/image/ category dev-lang
make -j13 -l25 -j1 install-dev DESTDIR=/var/tmp/portage/dev-lang/parrot-5.0.0/image/ DOC_DIR=/usr/share/doc/parrot-5.0.0
gmake -C docs
gmake[1]: Entering directory `/var/tmp/portage/dev-lang/parrot-5.0.0/work/parrot-5.0.0/docs'
/usr/bin/perl5.12.4 -MExtUtils::Command -e mkpath ops
/usr/bin/perl5.12.4 -MExtUtils::Command -e touch doc-prep
/usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
ACCESS DENIED open_rd: ../src/packfile/src/packfile/api.c
ISE:write_logfile unable to append logfile
ISE open_rd(../src/packfile/api.c): Permission denied
abs_path: ../src/packfile/src/packfile/api.c
res_path: ../src/packfile/src/packfile/api.c
/usr/lib64/libsandbox.so(+0x3967)[0x7fc572c00967]
/usr/lib64/libsandbox.so(+0x3a93)[0x7fc572c00a93]
/usr/lib64/libsandbox.so(+0x52d4)[0x7fc572c022d4]
/usr/lib64/libsandbox.so(open64+0xf3)[0x7fc572c06933]
/usr/lib64/libperl.so.5.12(PerlIOUnix_open+0xa7)[0x7fc5729a8f47]
/usr/lib64/libperl.so.5.12(PerlIOBuf_open+0xdb)[0x7fc5729a66bb]
/usr/lib64/libperl.so.5.12(PerlIO_openn+0x2ab)[0x7fc5729a7e8b]
/usr/lib64/libperl.so.5.12(Perl_do_openn+0x955)[0x7fc572980be5]
/usr/lib64/libperl.so.5.12(Perl_pp_open+0x14b)[0x7fc57296c16b]
/usr/lib64/libperl.so.5.12(Perl_runops_standard+0x20)[0x7fc572924190]
/proc/29418/cmdline: /usr/bin/perl /usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c

Reproducible: Always

Portage 2.2.0_alpha161 (default/linux/amd64/10.0, gcc-4.6.3, glibc-2.15-r3, 3.6.11-gentoo x86_64)
=================================================================
System uname: Linux-3.6.11-gentoo-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.1
KiB Mem: 12297312 total, 741788 free
KiB Swap: 25165820 total, 25160372 free
Timestamp of tree: Fri, 25 Jan 2013 08:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
distcc 3.1 x86_64-pc-linux-gnu [enabled]
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.12-r1
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/cmake: 2.8.9
dev-util/pkgconfig: 0.27.1
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.4_p6-r1, 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.4, 4.6.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc: 2.15-r3
Repositories: gentoo private dev-jokey x11 kde
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -pipe -march=core2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/init.d /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O3 -pipe -march=core2"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distcc distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://gentoo.mirrors.tds.net/gentoo http://mirror.datapipe.net/gentoo ftp://mirror.datapipe.net/gentoo http://gentoo.arcticnetwork.ca/ ftp://gentoo.arcticnetwork.ca/pub/gentoo/ http://gentoo.llarian.net/ ftp://gentoo.llarian.net/pub/gentoo"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j13 -l25"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
Created attachment 336960
emerge --info + parrot-5.0.0 build.log

Same here on ~amd64.

>>> Install parrot-5.0.0 into /var/tmp/portage/dev-lang/parrot-5.0.0/image/ category dev-lang
make -j9 V=1 -j1 install-dev DESTDIR=/var/tmp/portage/dev-lang/parrot-5.0.0/image/ DOC_DIR=/usr/share/doc/parrot-5.0.0
gmake -C docs
gmake[1]: Entering directory `/var/tmp/portage/dev-lang/parrot-5.0.0/work/parrot-5.0.0/docs'
/usr/bin/perl5.16.2 -MExtUtils::Command -e mkpath ops
/usr/bin/perl5.16.2 -MExtUtils::Command -e touch doc-prep
/usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
 * ACCESS DENIED: open_rd: ../src/packfile/src/packfile/api.c
 * ISE:write_logfile: unable to append logfile: /var/log/sandbox/sandbox-11523.log
 * ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure (Bad file descriptor):
 * ISE:
abs_path: ../src/packfile/src/packfile/api.c
res_path: ../src/packfile/src/packfile/api.c
/usr/lib64/libsandbox.so(+0xb4e1)[0x7f01380324e1]
/usr/lib64/libsandbox.so(+0xb5e0)[0x7f01380325e0]
/usr/lib64/libsandbox.so(+0x517a)[0x7f013802c17a]
/usr/lib64/libsandbox.so(open64+0x6c)[0x7f01380302bc]
/usr/lib64/libperl.so.5.16(PerlIOUnix_open+0xb1)[0x7f0137e27551]
/usr/lib64/libperl.so.5.16(PerlIOBuf_open+0x1e5)[0x7f0137e25115]
/usr/lib64/libperl.so.5.16(PerlIO_openn+0x299)[0x7f0137e26409]
/usr/lib64/libperl.so.5.16(Perl_do_openn+0x99c)[0x7f0137dff03c]
/usr/lib64/libperl.so.5.16(Perl_pp_open+0x18d)[0x7f0137ded74d]
/usr/lib64/libperl.so.5.16(Perl_runops_standard+0x16)[0x7f0137da3d56]
/proc/11523/cmdline: /usr/bin/perl /usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
gmake[1]: *** [packfile-c.pod] Aborted
gmake[1]: Leaving directory `/var/tmp/portage/dev-lang/parrot-5.0.0/work/parrot-5.0.0/docs'
make: *** [docs.dummy] Error 2
emake failed
 * ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure (Bad file descriptor):

^^ what ?! :)

I can't reproduce, what versions of portage and sandbox are involved? (perl 5.12 suggests y'all are using stable?)
(In reply to comment #2)
> I can't reproduce, what versions of portage and sandbox are involved?
> (perl 5.12 suggests y'all are using stable?)

Please read the attachment in comment #1. I am seeing this on an ~amd64 system; perl-5.16.2, sandbox-2.6, portage-2.2.0_alpha161. The system currently has parrot-4.11.0 installed, and the update to 5.0.0 is failing with the described symptoms. Reproducible 100% of the time.

If you can't reproduce this problem, feel free to give me any instructions for debugging it :)
(In reply to comment #2)
> * ../../sandbox-2.6/libsandbox/libsandbox.c:check_syscall():879: failure
> (Bad file descriptor):
>
> ^^ what ?! :)
>
> I can't reproduce, what versions of portage and sandbox are involved?
> (perl 5.12 suggests y'all are using stable?)

Yes, I'm using stable. (I have a dozen levels of perl installed elsewhere, so I may as well leave the system perl on stable :D ) As for the other levels...

[IP-] [ ] sys-apps/portage-2.2.0_alpha161:0
[IP-] [ ] sys-apps/sandbox-2.5:0

So it looks like I'm nearly entirely dissimilar to Alexandre's system (different perl, different sandbox) and yet getting the same symptoms.
Same thing happening here, ~amd64; you can rule out portage being the issue:

=================================================================
Package Manager Information:
Package Name paludis
Package Version 0.82.0
Build Date 2012-11-20T21:36:27+0000

Package information
app-shells/bash 4.2_p42
dev-java/java-config (none)
dev-lang/python 2.7.3-r3 3.2.3-r2
dev-util/ccache (none)
dev-util/cmake 2.8.10.2-r1
dev-util/pkgconfig 0.28
sys-apps/baselayout 2.2
sys-apps/openrc 0.11.8
sys-apps/sandbox 2.6
sys-devel/autoconf 2.69
sys-devel/automake 1.11.6 1.12.6 1.13.1
sys-devel/binutils 2.23.1
sys-devel/gcc 4.6.3
sys-devel/gcc-config 1.8
sys-devel/libtool 2.4.2
sys-devel/make 3.82-r4
sys-freebsd/freebsd-lib (none)
sys-kernel/linux-headers 3.7
sys-libs/glibc 2.16.0
sys-libs/uclibc (none)
auto::snprintf - Test snprintf......................................done.
auto::perldoc - Is perldoc installed.................................no.
auto::coverage - Are coverage analysis tools installed...lacking cover gcov2perl.

Hmm, for some reason it avoids finding perldoc on my system. I'll have to see what it fails to do :)
parrot-5.1.0 has the same issue:

>>> Install parrot-5.1.0 into /var/tmp/portage/dev-lang/parrot-5.1.0/image/ category dev-lang
make -j13 -l25 -j1 install-dev DESTDIR=/var/tmp/portage/dev-lang/parrot-5.1.0/image/ DOC_DIR=/usr/share/doc/parrot-5.1.0
gmake -C docs
gmake[1]: Entering directory `/var/tmp/portage/dev-lang/parrot-5.1.0/work/parrot-5.1.0/docs'
/usr/bin/perl5.12.4 -MExtUtils::Command -e mkpath ops
/usr/bin/perl5.12.4 -MExtUtils::Command -e touch doc-prep
/usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
ACCESS DENIED open_rd: ../src/packfile/src/packfile/api.c
ISE:write_logfile unable to append logfile
ISE open_rd(../src/packfile/api.c): Permission denied
abs_path: ../src/packfile/src/packfile/api.c
res_path: ../src/packfile/src/packfile/api.c
/usr/lib64/libsandbox.so(+0x3967)[0x7f79b5531967]
/usr/lib64/libsandbox.so(+0x3a93)[0x7f79b5531a93]
/usr/lib64/libsandbox.so(+0x52d4)[0x7f79b55332d4]
/usr/lib64/libsandbox.so(open64+0xf3)[0x7f79b5537933]
/usr/lib64/libperl.so.5.12(PerlIOUnix_open+0xa7)[0x7f79b52d9f47]
/usr/lib64/libperl.so.5.12(PerlIOBuf_open+0xdb)[0x7f79b52d76bb]
/usr/lib64/libperl.so.5.12(PerlIO_openn+0x2ab)[0x7f79b52d8e8b]
/usr/lib64/libperl.so.5.12(Perl_do_openn+0x955)[0x7f79b52b1be5]
/usr/lib64/libperl.so.5.12(Perl_pp_open+0x14b)[0x7f79b529d16b]
/usr/lib64/libperl.so.5.12(Perl_runops_standard+0x20)[0x7f79b5255190]
/proc/15891/cmdline: /usr/bin/perl /usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
I've been seeing a slightly different variant of this, which I suspect might be another manifestation of the same problem:

...
/usr/bin/perl5.16.2 -MExtUtils::Command -e touch doc-prep
/usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
Can't write-open packfile-c.pod: Permission denied at /usr/bin/perldoc line 10.
gmake[1]: *** [packfile-c.pod] Error 13
gmake[1]: Leaving directory `/var/tmp/portage/dev-lang/parrot-5.1.0/work/parrot-5.1.0/docs'
make: *** [docs.dummy] Error 2
emake failed
 * ERROR: dev-lang/parrot-5.1.0 failed (install phase):
 * (no error message)
...

Adding RESTRICT="userpriv" to the ebuild was enough to fix it for me.
Weird. There's no good reason for this to be failing.

Still occurring in Parrot-5.3.0.

Leaving directory `/var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/docs'

suggests that $PWD = /var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/docs

And manually resolving the path relative to that should be: /var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/src/packfile/api.c

However, "abs_path: ../src/packfile/src/packfile/api.c" is weird, indicating something is getting confused and trying to resolve it as /var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/src/packfile/src/packfile/api.c instead.

So, hacking perldoc to report $CWD:

BEGIN { $^W = 1 if $ENV{'PERLDOCDEBUG'} } +use Cwd qw(cwd); +use Data::Dump qw(pp); +pp({ cwd => cwd(), args => \@ARGV }) use Pod::Perldoc;

...
{
  args => ["-ud", "packfile-c.pod", "../src/packfile/api.c"],
  cwd => "/var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/docs",
}

Proving indeed, `perldoc` is being called from where we think it is, and in the way we think it should be.

So, assuming something is wrong in the guts, I prematurely resolve paths in @ARGV:

pp({ cwd => cwd(), args => \@ARGV }); +for (@ARGV){ + next unless $_ =~ /^..\//; + $_ = abs_path($_); +} use Pod::Perldoc;

And a new problem arises:

No documentation found for "/var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/src/packfile/api.c"

Huh? So ripped out that code.

Further probing:

# Works
cd '/var/tmp/portage/dev-lang/parrot-5.3.0/work/parrot-5.3.0/'
perldoc src/packfile/api.c
# Doesn't
cd '/var/tmp/portage/dev-lang/parrot-5.3.0/work/'
perldoc parrot-5.3.0/src/packfile/api.c
# No documentation found for "parrot-5.3.0/src/packfile/api.c".

So I think it's safe to say something weird is happening in PerlDoc, and that this problem may be a result of either Perldoc or one of its dependencies (which may be provided by perl, or may be provided by perl-core/*)
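Review bot: the second hunk calls abs_path($_), but the first hunk's `use Cwd qw(cwd);` imports only cwd, so as written abs_path is not defined in this scope; import it with `use Cwd qw(cwd abs_path);`. In the same loop the pattern /^..\// leaves both dots unescaped, so it matches any two characters followed by a slash rather than a leading "../"; m{^\.\./} says what is meant. The added pp(...) line in the first hunk also lacks the terminating semicolon that the second hunk's context line carries.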
Aha! I think I've nailed it.

Perldoc, when seeing it's being run as root, drops privs to "nobody", because it's got known security risks.

require 5;
BEGIN { $^W = 1 if $ENV{'PERLDOCDEBUG'} }
warn "UID = $< EUID = $> GID = $( EGID = $)";
use Pod::Perldoc;

^^^

/usr/bin/perldoc -ud packfile-c.pod ../src/packfile/api.c
UID = 0 EUID = 0 GID = 0 0 1 2 3 4 6 10 11 26 27 EGID = 0 0 1 2 3 4 6 10 11 26 27 at /usr/bin/perldoc line 9.

So if you modify the code in Pod/Perldoc.pm to disable this, via early return from drop privs:

sub drop_privs_maybe {
    my $self = shift;
    return;
    # rest of drop_privs_maybe
}

Then compilation succeeds.

In essence, it appears the ACCESS DENIED violation is not so much caused by sandbox.... but caused by the privilege drop.
Created attachment 348498
parrot-5.3.0.ebuild.patch

This is the first solution I've found that makes parrot build and install without requiring FEATURES="userpriv".

It
a) creates ${S}/src/docs/ops prematurely, because otherwise make creates that after we fix all the permissions up
b) makes ${S}/src/docs and child directories world-writable, so that when perldoc drops to UID=nobody, it will still be able to write there
c) makes ${S}/../ world read/execute so that perldoc can enter that directory as UID=nobody

Part c is notably the most nasty part of this, but there are not many alternatives, especially not alternatives that work outside portage.

An additional note: if any other directories above ${S}/../ are not readable/accessible by UID=nobody, you have to either
a) change that, or
b) use FEATURES="userpriv"

Approach B suppresses the problem entirely, because `perldoc` only tries to drop privs when UID=0.
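A pre-flight check for the failure mode worked out above, as an added example that is not part of the original thread, of Portage or of perldoc: it walks every directory from a chosen top directory down to a file and reports the first component that the dropped-to user could not traverse, read or write. The uid/gid 65534 for "nobody" and the directory names in `demo()` are assumptions, and only classic mode bits are checked (no ACLs).

```python
import os
import tempfile

NOBODY = 65534  # assumption: conventional uid/gid of "nobody"; confirm with `id nobody`


def allowed(st, uid, gids, want):
    """Classic mode-bit check (owner, else group, else other); ignores ACLs and root."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want


def first_blocker(target, uid=NOBODY, gids=(NOBODY,), top="/", need=0o4):
    """Return (path, reason) for the first component below `top` that denies
    `uid`, or None. Ancestors need search (x); the target needs `need`
    (0o4 to read a file, 0o3 to create files in an output directory)."""
    top, target = os.path.realpath(top), os.path.realpath(target)
    if os.path.commonpath([top, target]) != top:
        raise ValueError("target is not below top")
    rel = os.path.relpath(target, top)
    path = top
    for part in ([] if rel == "." else rel.split(os.sep)):
        if not allowed(os.stat(path), uid, gids, 0o1):
            return path, "no search (x) permission"
        path = os.path.join(path, part)
    if not allowed(os.stat(path), uid, gids, need):
        return path, "missing mode bits %o" % need
    return None


def demo():
    """Constructed tree shaped like the build directory in this report."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")                 # stands in for ${S}/..
    src = os.path.join(work, "parrot", "src")
    docs = os.path.join(work, "parrot", "docs")
    os.makedirs(src)
    os.makedirs(docs)
    api = os.path.join(src, "api.c")
    open(api, "w").close()
    os.chmod(api, 0o644)
    for d in (root, os.path.join(work, "parrot"), src, docs):
        os.chmod(d, 0o755)
    os.chmod(work, 0o700)                             # private build directory
    owner = os.stat(root)
    # An unrelated user: neither the owner nor in the owning group.
    who = dict(uid=owner.st_uid + 1, gids=(owner.st_gid + 1,), top=root)
    results = [first_blocker(api, **who)]             # blocked at work/
    os.chmod(work, 0o755)
    results.append(first_blocker(api, **who))         # source is readable now
    results.append(first_blocker(docs, need=0o3, **who))  # cannot create the .pod
    os.chmod(docs, 0o777)
    results.append(first_blocker(docs, need=0o3, **who))  # output dir writable
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run against a real build tree with `top="/"`, the first reported component is the directory whose permissions would have to change before a process that has dropped to "nobody" can reach the file.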
(In reply to comment #11)
> b) use FEATURES="userpriv"

If you look at the top comment where this bug is reported, the original reporter already had FEATURES=userpriv enabled. So do I. And yet we're getting this issue. So what you are fixing may be a similar yet unrelated problem if setting FEATURES=userpriv fixes it for you.
I just double-checked, I am also using FEATURES="userpriv" ( as well as usersandbox ). Hah. Odd. I just didn't think I did, because the install was running as UID=0 So it would seem either my portage is silently broken not doing FEATURES="userpriv", or that userpriv doesn't apply to src_install. Ok, so it would appear, that my approach (b) can't be expected to work either, for anyone :/
Parrot 5.4.0 still has this bug.

... and this patch still resolves it for me.

> emerge --info | grep ^FEATURES | tr " " "\n" | grep -E "priv|sandbox" | tr "\n" " "
# sandbox userpriv usersandbox
cd /usr/portage/dev-lang/parrot/
wget -O /tmp/parrot.patch "https://bugs.gentoo.org/attachment.cgi?id=348498"
patch ./parrot-5.4.0.ebuild < /tmp/parrot.patch
repoman manifest
emerge -vat1 parrot
....
>>> Completed installing parrot-5.4.0 into /var/tmp/portage/dev-lang/parrot-5.4.0/image/
>>> Original instance of package unmerged safely.
>>> dev-lang/parrot-5.4.0 merged.

Please, try it and see. It works.
Created attachment 352002
files/5.5.0/perldoc.patch

Alternative approach that should work with less fear inducing symptoms.

Patches invocations of Perldoc to pipe stdout to file so privilege problems don't occur when perldoc drops privs.

Only needs ebuild modified with:

epatch "${FILESDIR}/${PV}/perldoc.patch"

added to src_prepare
Related upstream bug: https://github.com/parrot/parrot/issues/520
Upstream patch pull: https://github.com/parrot/parrot/pull/973

If upstream are satisfied, then this problem will hopefully be fixed sometime soon in a future release =)
*** Bug 462244 has been marked as a duplicate of this bug. ***
+ 03 Sep 2013; Patrick Lauer <patrick@gentoo.org> +files/perldoc.patch, + parrot-5.6.0.ebuild: + Fix for #454058, at last