I am trying to install openoffice on hardened-gentoo from binary. No luck at it.

    # emerge app-office/openoffice-bin
    Calculating dependencies ...done!
    >>> emerge (1 of 1) app-office/openoffice-bin-1.1.5 to /
    >>> md5 files ;-) openoffice-bin-1.1.1.ebuild
    >>> md5 files ;-) openoffice-bin-1.1.4-r1.ebuild
    >>> md5 files ;-) openoffice-bin-1.1.5.ebuild
    >>> md5 files ;-) openoffice-bin-2.0.0_rc1.ebuild
    >>> md5 files ;-) files/digest-openoffice-bin-1.1.1
    >>> md5 files ;-) files/digest-openoffice-bin-1.1.4-r1
    >>> md5 files ;-) files/digest-openoffice-bin-1.1.5
    >>> md5 files ;-) files/digest-openoffice-bin-2.0.0_rc1
    >>> md5 files ;-) files/1.1.1/ooffice-wrapper-1.3
    >>> md5 files ;-) files/1.1.4/ooffice-wrapper-1.3
    >>> md5 files ;-) files/1.1.5/ooffice-wrapper-1.3
    >>> md5 files ;-) files/2.0.0/ooo-wrapper2
    >>> md5 src_uri ;-) OOo_1.1.5_LinuxIntel_install.tar.gz
    >>> Unpacking source...
    >>> Unpacking OOo_1.1.5_LinuxIntel_install.tar.gz to /var/tmp/portage/openoffice-bin-1.1.5/work
    >>> Source unpacked.
    >>> Test phase [not enabled]: app-office/openoffice-bin-1.1.5
    >>> Install openoffice-bin-1.1.5 into /var/tmp/portage/openoffice-bin-1.1.5/image/ category app-office
     * Installing OpenOffice.org into build root...
    glibc version: 2.3.5
    Initializing installation program....................
    /var/tmp/portage/openoffice-bin-1.1.5/temp/sv001.tmp/setup.bin: error while loading shared libraries: /var/tmp/portage/openoffice-bin-1.1.5/temp/sv001.tmp/libicudata.so.22: cannot make segment writable for relocation: Permission denied

    !!! ERROR: app-office/openoffice-bin-1.1.5 failed.
    !!! Function src_install, Line 85, Exitcode 127
    !!! Setup failed
    !!! If you need support, post the topmost build error, NOT this status message.
    #

Reproducible: Always

Steps to Reproduce:
1. emerge openoffice-bin

Actual Results:
installation is broken

Expected Results:
Bush reinvesting the whole military budget in third-world development, Bill to sell Microsoft and invest milliards in the creation of cooperative-type enterprises in the open source field. Stopping propaganda and brainwashing, having a better educational system, more social justice and help. OpenOffice would install fine.

This is not easily fixable because the guilty library (libicudata.so.22) (well, probably others too) is extracted at runtime. So even if you use 'ebuild' to 'unpack' it first, then run ./setup manually, you still have to win some race with the installation to be able to stop it when the setup.bin and the library have been extracted... got it?

The solution would be to simply have an openoffice-bin compiled without textrel, or at least to have it compiled with PaX PHDR flags disabled (and a little warning about that when installing on hardened).

Surprised that nobody reported it before. Looks like hardened people don't use openoffice, bouh.

P.S.: OpenOffice is always decompressing the file in the same /tmp/sv001.tmp/ directory. Now imagine the following scenario. A hacker made his way to your machine. He has been waiting for 3 months for you to install the new version of OpenOffice. A program of his is running 24/24, checking for an emerge process installing openoffice. Now the program runs. Youpi! He can finally root the machine. How good. Well, I will just speak about it on #gentoo-security and wait for Eric Romang to publish a great zataz audit security advisory on bugtraq :*. Beware.
As a workaround I recommend the following:

    # ebuild /usr/portage/app-office/openoffice-bin/openoffice-bin-1.1.5.ebuild unpack
    # cd /var/tmp/portage/openoffice-bin-1.1.5/work/OOo_1.1.5_LinuxIntel_install
    # ./setup
    [HERE press Control-Z at 95%, and run chpax -permxs /tmp/sv001.tmp/setup.bin]
    # bg

\o/ \o\ /o/ \o/
You can build openoffice from source on a PaX-enabled system (well, you could at 1.1.4, not sure about 1.1.5, see bug #88588). Given that the binaries are not built for a PaX-enabled system, there's not a lot that can be done without repackaging the whole thing.

Note also that if you use externally-provided binaries (like this one), you don't get ASLR for them, as the binaries are ET_EXEC, not ET_DYN (i.e. they're not PIEs).

BTW it should be enough to set the 'm' flag in addition to the default 'x' and 'e'. You shouldn't need p, s and r. You'll probably also need to set 'm' on /opt/OpenOffice.org/program/*.bin as well.
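
An added example, not part of the original bug comments: the two properties discussed above (ET_EXEC versus ET_DYN, and text relocations that make the loader request a writable code segment) can be read from a binary's ELF header and dynamic section before it is installed on a hardened system. The names audit_elf and make_sample are chosen here, and the ELF images produced by make_sample are constructed for illustration.

```python
import struct

ET = {2: "ET_EXEC", 3: "ET_DYN"}
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def audit_elf(data):
    """Return (e_type name, has_text_relocations) for an ELF image held in bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    fmt = end + ("qQ" if is64 else "iI")     # one dynamic entry: d_tag, d_val
    textrel = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type != PT_DYNAMIC:
            continue
        if is64:                             # p_offset at +8, p_filesz at +32
            off, = struct.unpack_from(end + "Q", data, base + 8)
            size, = struct.unpack_from(end + "Q", data, base + 32)
        else:                                # p_offset at +4, p_filesz at +16
            off, = struct.unpack_from(end + "I", data, base + 4)
            size, = struct.unpack_from(end + "I", data, base + 16)
        chunk = data[off:off + size]         # drop a truncated trailing entry
        chunk = chunk[:len(chunk) - len(chunk) % struct.calcsize(fmt)]
        for tag, val in struct.iter_unpack(fmt, chunk):
            if tag == DT_NULL:               # end of the dynamic array
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
    return ET.get(e_type, hex(e_type)), textrel

def make_sample(e_type, dyn):
    """Constructed ELF32 little-endian image: header, one PT_DYNAMIC phdr, entries."""
    body = b"".join(struct.pack("<iI", t, v) for t, v in dyn)
    ehdr = struct.pack("<4sBBB9xHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1,
                       e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(body), len(body), 6, 4)
    return ehdr + phdr + body
```

To audit a file on disk, pass the result of open(path, "rb").read() to audit_elf. A shared library is normally ET_DYN, so for libraries the second value is the one of interest.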