Bug 109672 - firebird-1.5.2.ebuild set permissions, incompatible with grsecurity
Summary: firebird-1.5.2.ebuild set permissions, incompatible with grsecurity
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High minor
Assignee: Karol Wojtaszek (RETIRED)
Reported: 2005-10-17 23:46 UTC by vyp08
Modified: 2006-01-03 19:23 UTC
Description vyp08 2005-10-17 23:46:26 UTC
When running "emerge firebird-1.5.2.ebuild", it runs "chown -R firebird:firebird ${D}/opt/firebird".
However, if the hardened kernel is set up with:
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=5555

and in /etc/conf.d/firebird:
FBRunUser=firebird

then "/etc/init.d/firebird start":
/bin/sh: /opt/firebird/bin/fbmgr.bin: Permission denied
And in /var/log/syslog:
Oct 18 10:38:37 host2 grsec: denied untrusted exec of /opt/firebird/bin/fbmgr.bin by /bin/bash[sh:25147] uid/euid:450/450 gid/egid:450/450, parent /bin/su[su:27729] uid/euid:450/450 gid/egid:450/450

To resolve this problem, "chown root -R /opt/firebird" is needed.


Reproducible: Always
Steps to Reproduce:




Portage 2.0.51.22-r2 (hardened/x86/2.6, gcc-3.3.5-20050130, glibc-2.3.5-r1, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Celeron(R) CPU 2.60GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mcpu=pentium4 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i386 -pipe -fforce-addr"
DISTDIR="/usr/local/p/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="   http://mirror.aiya.ru/pub/gentoo/   http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo   http://ftp-test.csbnet.se/pub/linux/distributions/gentoo/   http://mirror.pudas.net/gentoo/ http://mirror.gentoo.se   http://ds.thn.htu.se/linux/gentoo http://ftp.du.se/pub/os/gentoo   http://gentoo.prz.rzeszow.pl http://gentoo.mirror.sdv.fr   http://gentoo.zie.pg.gda.pl http://ftp.gentoo-pt.org/pub/gentoo   http://gentoo.ynet.sk/pub http://mirror.etf.bg.ac.yu/gentoo   http://mirror.gentoo.no/ http://ftp.iasi.roedu.net/mirrors/gentoo.org/   "
LANG="ru_RU.KOI8-R"
LC_ALL="ru_RU.KOI8-R"
PKGDIR="/usr/local/p/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/p/distfiles/portage-my"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acpi alsa avi berkdb crypt cups curl dlloader dvdr firebird fortran gd gdbm gif hardened imagemagick jabber jpeg lirc mbox milter mmx mmx2 mpeg ncurses nls nptl nptlonly oav ogg oggvorbis opengl pam perl pic png posix quicktime readline rtc sasl sdl slang sse sse2 ssl svga tcpd tiff truetype truetype-fonts ttf type1-fonts usb userlocales v4l vorbis wmf x86 xinetd xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LDFLAGS, LINGUAS, MAKEOPTS
Comment 1 SpanKY gentoo-dev 2006-01-03 19:23:51 UTC
add an exception to your grsecurity rules
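
Added example, not part of the bug report or of any Gentoo or grsecurity code: a parser for the grsec denial line quoted in the description, plus a check of the rule grsecurity documents for CONFIG_GRKERNSEC_TPE (untrusted users may only execute files in root-owned directories that are not group- or world-writable). The function names and the stand-in stat result are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed from the syslog line quoted in the bug description, joined onto one line.
SAMPLE = ("Oct 18 10:38:37 host2 grsec: denied untrusted exec of "
          "/opt/firebird/bin/fbmgr.bin by /bin/bash[sh:25147] uid/euid:450/450 "
          "gid/egid:450/450, parent /bin/su[su:27729] uid/euid:450/450 gid/egid:450/450")

DENIED = re.compile(
    r"grsec: denied untrusted exec of (?P<path>\S+) by (?P<exe>\S+?)\[[^\]]*\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)")

def parse_denial(line):
    """Return path, calling executable and ids from a TPE denial line, or None."""
    m = DENIED.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"path": d["path"], "exe": d["exe"],
            **{k: int(d[k]) for k in ("uid", "euid", "gid", "egid")}}

def dir_is_trusted(owner_uid, mode):
    """Full TPE rule: directory owned by root and not group- or world-writable."""
    return owner_uid == 0 and not mode & (stat.S_IWGRP | stat.S_IWOTH)

def explain(line, stat_fn=os.stat):
    """Parse a denial and report whether the binary's directory passes the rule."""
    ev = parse_denial(line)
    if ev is None:
        return None
    st = stat_fn(os.path.dirname(ev["path"]))
    ev["dir_owner"] = st.st_uid
    ev["dir_trusted"] = dir_is_trusted(st.st_uid, st.st_mode)
    return ev

if __name__ == "__main__":
    from types import SimpleNamespace
    # Hypothetical stat result: /opt/firebird/bin owned by uid 450, mode 0755,
    # as "chown -R firebird:firebird" would leave it.
    fake = lambda p: SimpleNamespace(st_uid=450, st_mode=0o40755)
    print(explain(SAMPLE, fake))
```

On a live system, call `explain(line)` without the second argument so the real directory is inspected with `os.stat`.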