When emerging on a Gentoo system I see the following error quite often:

ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored

I tried re-emerging portage, sandbox but it does not make any difference.

Reproducible: Always

Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.30-rc2 i686)
=================================================================
System uname: Linux-2.6.30-rc2-i686-Intel-R-_Pentium-R-_M_processor_1500MHz-with-glibc2.0
Timestamp of tree: Sat, 18 Apr 2009 09:00:14 +0000
app-shells/bash: 3.2_p39
dev-lang/python: 2.5.2-r7
dev-util/cmake: 2.4.8
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.4.3-r1
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
Please run

FEATURES="-sandbox" emerge -1 sandbox

and report whether this fixed your problem. If yes, mark this bug as duplicate of bug #265895
Reopen this bug when you provide the requested information.
(In reply to comment #1)
> Please run
>
> FEATURES="-sandbox" emerge -1 sandbox
>
> and report whether this fixed your problem. If yes, mark this bug as duplicate
> of bug #265895

Running FEATURES="-sandbox" emerge -1 sandbox (still shows the error message) then emerge --oneshot portage and I still get the same error. I also removed sandbox from FEATURES in /etc/make.conf, re-emerged sandbox and portage, but when I re-add sandbox to FEATURES the same error is back again.
make sure you don't have any stray libsandbox.so libs laying around in your system. there should only be the one in /usr/lib/. try running `sandbox` manually and then a few programs to see if you get the same error.
I tried to find out on which commands portage triggers the ERROR message. To do this I added " -x" to the first line of /usr/lib/portage/bin/ebuild.sh

This produced a lot of output including the following lines:

+ mv /var/tmp/portage/sys-apps/portage-2.1.6.7/temp/environment.filtered /var/tmp/portage/sys-apps/portage-2.1.6.7/temp/environment
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

I tried to reproduce it manually by calling mv and also got the error:

me # sandbox mv dummy dummy1
sandbox mv dummy dummy1
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

Running the same as root does not complain, running as user portage complains again. So it looks like sandbox cannot be loaded properly as normal user for *some* commands but has no issues for others.

me # sandbox /bin/ls /
OK
me # sandbox /bin/mv --help
ERROR

Both ls and mv come from coreutils
I also scanned my system for files containing sandbox in their names and all I found (in /bin, /sbin, /lib, /usr) were:

/usr/bin/sandbox.orig
/usr/bin/sandbox
/usr/lib/libsandbox.la
/usr/lib/libsandbox.so
/usr/lib/python2.5/site-packages/setuptools/sandbox.py
/usr/lib/python2.5/site-packages/setuptools/sandbox.pyc
/usr/lib/python2.5/site-packages/setuptools/sandbox.pyo
/usr/share/cvs/contrib/sandbox_status
/usr/share/doc/sandbox-1.6-r2
/usr/share/sandbox
/usr/share/sandbox/sandbox.bashrc

So there is definitely no stale sandbox version hanging around.
/usr/bin/sandbox.orig obviously shouldn't exist

what does `file` show when run on ls and mv ?

what are the permissions on the libsandbox.so library ?
Created attachment 189528 [details]
/bin/ls, /bin/mv, /usr/lib/libsandbox.so

The sandbox.orig is me renaming /usr/bin/sandbox and putting a replacement shell wrapper calling the original instance after printing out the command line (was in order to determine callers of sandbox during emerge so I could catch failing apps more quickly)

I notice no real difference between mv and ls. In case you want to have a look at the binaries themselves, I attached /bin/ls, /bin/mv and /usr/lib/sandbox.so (in a tar archive).

strace on /bin/mv did not show anything useful either:

...
[pid 22917] open("/usr/lib/sse2/libsandbox.so", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 22917] stat64("/usr/lib/sse2", 0xbfdd6884) = -1 ENOENT (No such file or directory)
[pid 22917] open("/usr/lib/libsandbox.so", O_RDONLY) = 3
[pid 22917] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\33\0\0004\0\0\0\274"..., 512) = 512
[pid 22917] fstat64(3, {st_mode=S_IFREG|0755, st_size=50636, ...}) = 0
[pid 22917] close(3) = 0
[pid 22917] writev(2, [{"ERROR: ld.so: object '"..., 22}, {"libsandbox.so"..., 13}, {"' from "..., 7}, {"LD_PRELOAD"..., 10}, {" cannot be preloaded: ignored.\n"..., 31}], 5ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
) = 83

file /bin/mv
/bin/mv: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped

file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped

ls -l /usr/lib/libsandbox.so
-rwxr-xr-x 1 root root 50636 2009-04-23 18:19 /usr/lib/libsandbox.so
Ok, now I know what's the detail to cause this. Here are the full steps (should work on any system with CONFIG_SECURITY_FILE_CAPABILITIES=y):

root# emerge sys-apps/coreutils
root# touch /tmp/dummy
root# mv /tmp/dummy /tmp/dummy1
root# setcap "cap_setfcap=ie cap_chown=ie" /bin/mv
root# mv /tmp/dummy1 /tmp/dummy
root# setcap -r /bin/mv
root# mv /tmp/dummy /tmp/dummy1

Repeating the same as a normal user:

user# su
root# emerge sys-apps/coreutils
root# exit
user# touch /tmp/dummy
user# mv /tmp/dummy /tmp/dummy1
user# su
root# setcap "cap_setfcap=ie cap_chown=ie" /bin/mv
root# exit
user# mv /tmp/dummy1 /tmp/dummy
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
user# su
root# setcap -r /bin/mv
root# exit
user# mv /tmp/dummy /tmp/dummy1

So for some reason sandbox loading fails when file-capabilities are used to restrict what capabilities a process may get...
you set those file caps yourself right ? i'm not aware of any ebuild doing this for you.

off the top of my head though, i don't know why it would make any difference at all
(In reply to comment #10)
> you set those file caps yourself right ? i'm not aware of any ebuild doing
> this for you.

Exactly, I played a bit with file caps. Don't know any ebuild that would handle file caps (there was a thread on gentoo-dev about file caps some time ago, but I have not heard of anything hitting the tree)

> off the top of my head though, i dont know why it would make any difference at
> all

Especially those flags I did set for mv should not have any effect for a system user (they should just reduce caps for root).
Not that I know how file capabilities work, so maybe of less help at all, but I just have seen this in Prefix on RHEL 5.2 (does not cause the merge to stop): ACCESS DENIED open_wr: /selinux/context
i don't think that is related in any way to this bug
I hit this bug on a stable x86 system while trying to install games-rpg/nwn-data. The ebuild falls into an endless loop like this:

> >>> Unpacking source...
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> Please insert your first Neverwinter Nights CD/DVD into your drive and
> press any key to continue
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> Please insert your first Neverwinter Nights CD/DVD into your drive and
> press any key to continue
> ^C

I must hit ctrl+c to abort. I then read the nwn-data ebuild, and found that the CD_ROOT autodetection is broken for me because the mount command always returns this error if executed into the sandbox without root privileges (FEATURES="userpriv").

> $ sandbox mount
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> /dev/sda1 on / type ext4 (rw,noatime)

The workaround for me is simple: export CD_ROOT="/my/cd/path" before emerging nwn-data, but now I know that CD autodetection from ebuilds is broken for me.

sandbox-1.6-r2 installed.
I also ran into this problem with a machine running the X86_64 version. Looks like libsandbox.so/la are installed into /usr/lib32 and /usr/lib64. My fix is creating symlinks from /usr/lib32/libsandbox.so/la to /usr/lib/libsandbox.so/la. sys-apps/sandbox-1.6-r2 must have a bug at least for the x86_64 version.

Simon
A better solution is to add /usr/lib32 and /usr/lib64 to /etc/ld.so.conf file. Then run ldconfig. Simon
that has nothing to do with this bug, nor do i know what you're talking about. open a new bug for your issue with proper info & full logs.
thinking about it some more, i think this is expected behavior. you're running with FEATURES=userpriv, and setting capabilities on a program has pretty much the same general practical implications as doing set*id on the binary. since you're executing `mv` as non-root, glibc's ldso will ignore LD_PRELOAD for security protection (ignore symbol interposition, constructors, etc...).

in other words, i don't think there's any way this can be "fixed".
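
The check behind that last comment, as an added example that is not part of the original bug thread or of sandbox itself: a small C audit helper that reports which on-disk attributes of a binary (set*id bits or a `security.capability` xattr written by `setcap`) make the kernel start it in secure-execution mode for a non-root caller, which is when glibc's ld.so drops `LD_PRELOAD` and an LD_PRELOAD-based sandbox stops applying. The function names and `SE_*` flags are hypothetical; the result is a heuristic that ignores nosuid mounts and the caller's own identity.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SE_SETUID   1  /* set-user-ID bit on the file */
#define SE_SETGID   2  /* set-group-ID bit on an executable file */
#define SE_FILECAPS 4  /* security.capability xattr present (setcap) */

/* Bitmask of SE_* reasons, 0 if none, -1 if the path cannot be stat'ed. */
int secure_exec_reasons(const char *path)
{
    struct stat st;
    int reasons = 0;

    if (stat(path, &st) != 0)
        return -1;
    if (st.st_mode & S_ISUID)
        reasons |= SE_SETUID;
    /* setgid without group-execute is the old mandatory-locking marker */
    if ((st.st_mode & S_ISGID) && (st.st_mode & S_IXGRP))
        reasons |= SE_SETGID;
    /* size 0 only asks for the xattr length; > 0 means file caps exist */
    if (getxattr(path, "security.capability", NULL, 0) > 0)
        reasons |= SE_FILECAPS;
    return reasons;
}

/* 1 if the kernel started *this* process in secure-execution mode. */
int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

int main(int argc, char **argv)
{
    printf("this process: AT_SECURE=%d\n", running_secure());
    for (int i = 1; i < argc; i++) {
        int r = secure_exec_reasons(argv[i]);
        if (r < 0) { perror(argv[i]); continue; }
        printf("%s:%s%s%s%s\n", argv[i],
               r & SE_SETUID ? " setuid" : "",
               r & SE_SETGID ? " setgid" : "",
               r & SE_FILECAPS ? " file-capabilities" : "",
               r ? " -> LD_PRELOAD may be ignored for non-root" : " none");
    }
    return EXIT_SUCCESS;
}
```

Run against /bin/mv after the `setcap` step from the reproduction above, it would report `file-capabilities`; after `setcap -r` it reports `none`.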