Bug 236903 - <=sys-apps/sandbox-1.2.18.1-r3: bypass
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2008-09-06 22:53 UTC by Alexander Hesse
Modified: 2008-09-06 23:45 UTC

Attachments
example ebuild (sandb0x-0.1.ebuild, 328 bytes, text/plain)
2008-09-06 22:55 UTC, Alexander Hesse

Description Alexander Hesse 2008-09-06 22:53:35 UTC
Using 'su - -c <cmd>' in ebuilds/Makefiles/[...] makes it possible to bypass sandbox restrictions.

Reproducible: Always

Steps to Reproduce:
1. Make sure /root/sandb0x does not exist
2. Create an ebuild containing "su - -c 'echo sandb0x was here > /root/sandb0x'"
3. install

Actual Results:  
/root/sandb0x exists

Expected Results:  
/root/sandb0x does not exist

Portage 2.2_rc8 (default/linux/amd64/2008.0, gcc-4.3.1, glibc-2.8_p20080602-r0, 2.6.27-rc5-git7 x86_64)
=================================================================
System uname: Linux-2.6.27-rc5-git7-x86_64-AMD_Phenom-tm-_9850_Quad-Core_Processor-with-glibc2.2.5
Timestamp of tree: Sat, 06 Sep 2008 09:15:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6-r1
dev-lang/python:     2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.5
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.62-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.26
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -pipe -fomit-frame-pointer -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/4.1/env /usr/kde/4.1/share/config /usr/kde/4.1/shutdown /usr/share/config /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O3 -pipe -fomit-frame-pointer -march=native"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks parallel-fetch preserve-libs sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://gentoo.mneisen.org/ http://de-mirror.org/distro/gentoo/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="de ja"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/kdesvn-portage /usr/portage/local/layman/desktop-effects /usr/portage/local/layman/zugaina /usr/portage/local/layman/sunrise /usr/portage/local/layman/roslin /usr/portage/local/azi"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X aac aalib accessibility acl acpi alsa amd64 apache2 audacious avahi berkdb bzip2 cairo cjk cli cpusets cracklib crypt cups curl cxx daap dbus dri dvd dvdread ebook encode exif extrafilters ffmpeg fftw flac fortran gcj gd gdbm gif gimp git glitz gnome gnuplot gnutls gphoto2 gpm grammar graphviz gs gstreamer gtk hash hddtemp hdri htmlhandbook httpd iconv imagemagick immqt-bc ipv6 irc isdnlog jabber java jpeg kde lame latex libcaca libvisual lm_sensors math mdnsresponder-compat midi migemo mmx mmxext mng mp3 mpeg mpi mplayer mudflap multilib ncurses network nls nptl nptlonly nsplugin ogg opengl openmp oss pam pango pcap pcre pdf perl png posix pppd python qt3 qt4 quicktime rar readline reflection ruby sandbox sdl sensord server session smp spell spl sqlite sqlite3 sse sse2 ssl subversion svg sysfs tcpd themes thesaurus threads tiff truetype unicode vim-syntax visual visualization vnc vorbis webdav webdav-neon webdav-serf wma x264 xcb xcomposite xinerama xml xorg xscreensaver xulrunner xvid yahoo zip zlib" ALSA_CARDS="hda-intel ens1371 ad1988" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de ja" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Alexander Hesse 2008-09-06 22:55:06 UTC
Created attachment 164760
example ebuild
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-06 23:45:21 UTC
I fail to see how that is a security issue. Ebuilds have non-sandboxed phases running anyway (pkg_*), and makefiles and ebuilds must be considered trusted input. There are no trust boundaries crossed here; sandboxing is not meant to be a security measure.

Please reopen if you disagree and reply with a more verbose reasoning.
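
Added example, not part of the original bug thread and not Portage code: since the thread concludes that ebuilds are trusted input, the control that matters is reviewing them before install. This sketch flags `su`/`sudo` calls in an ebuild and reports whether they sit in a `src_*` phase, where the reporter expected the sandbox to stop them, or in a `pkg_*` phase, which comment 2 says runs unsandboxed. The function name, the regexes, the treatment of `src_*` as the sandboxed phases, and the sample ebuild are assumptions made for this example.

```python
import re

# Phase function header, e.g. "src_install() {" or "pkg_postinst() {".
PHASE_RE = re.compile(r'^((?:pkg|src)_[a-z]+)\s*\(\)')
# su/sudo in command position (line start or after ; & | ( `), optional path prefix.
PRIV_RE = re.compile(r'(?:^|[;&|(`])\s*(?:\S*/)?(su|sudo)(?=\s|$)')


def audit_ebuild(text):
    """Return (line_no, phase, command, in_src_phase) for each su/sudo call."""
    findings, phase = [], "global"
    for no, line in enumerate(text.splitlines(), 1):
        header = PHASE_RE.match(line)
        if header:
            phase = header.group(1)
            continue
        if line.rstrip() == "}":           # closing brace in column 0 ends the phase
            phase = "global"
            continue
        if line.lstrip().startswith("#"):  # skip full-line comments
            continue
        hit = PRIV_RE.search(line)
        if hit:
            # Assumption: src_* phases are the ones run under the sandbox.
            findings.append((no, phase, hit.group(1), phase.startswith("src_")))
    return findings


# Constructed sample; this is not the attachment from this bug.
SAMPLE_EBUILD = """\
# constructed sample ebuild
DESCRIPTION="sandbox test"
SLOT="0"

src_install() {
	su - -c 'echo sandb0x was here > /root/sandb0x'
}

pkg_postinst() {
	einfo "su is not invoked on this line"
	/bin/su - -c 'true'
}
"""

if __name__ == "__main__":
    for no, phase, cmd, in_src in audit_ebuild(SAMPLE_EBUILD):
        where = "src_* phase" if in_src else "pkg_*/global scope (unsandboxed)"
        print(f"line {no}: {cmd} in {phase} [{where}]")
```
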