The emerge of sys-apps/coreutils-5.0.91 fails on my site.
    [...]
    Updating man page cp.1
    Updating man page csplit.1
    help2man: can't get `--help' info from cp.td/cp
    make[2]: *** [cp.1] Error 1
    make[2]: *** Waiting for unfinished jobs....
    make[2]: *** Waiting for unfinished jobs....
    make[2]: *** Waiting for unfinished jobs....
    make[2]: Leaving directory `/var/tmp/portage/coreutils-5.0.91/work/coreutils-5.0.91/man'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/var/tmp/portage/coreutils-5.0.91/work/coreutils-5.0.91'
    make: *** [all] Error 2
    !!! ERROR: sys-apps/coreutils-5.0.91 failed.
    !!! Function src_compile, Line 111, Exitcode 2
    !!! (no error message)
The configure script far above produces additionally a sandbox violation:
    --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
    LOG FILE = "/tmp/sandbox-coreutils-5.0.91-23155.log"
    symlink: / SÀÐ
    --------------------------------------------------------------------------------
vim shows this weird stuff when editing the named logfile:
    symlink: /^Y^P | ^C^\ | S$^HÀÐ^A
What's in "/tmp/sandbox-coreutils-5.0.91-23155.log"? :)
Created attachment 20124: Sandbox violation log. It's partially binary, sorry.
    symlink: /^Y^P | ^C^\ | S$^HÀÐ^A
So it's partially binary. (^ => Escape character) I attached it anyway.
emerge info please
Oops I forgot, sorry.
    phil@thrall phil $ emerge info
    Portage 2.0.49-r10 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r8, 2.4.20-g2-r8-pp)
    =================================================================
    System uname: 2.4.20-g2-r8-pp i686 Pentium III (Katmai)
    Gentoo Base System version 1.4.3.11
    ccache version 2.3 [enabled]
    ACCEPT_KEYWORDS="x86 ~x86"
    AUTOCLEAN="yes"
    CFLAGS="-O3 -march=pentium3 -funroll-loops -pipe -fomit-frame-pointer -frerun-loop-opt -falign-functions=4 -fforce-mem -ffast-math -finline-functions -foptimize-sibling-calls -mmmx -fstack-protector"
    CHOST="i686-pc-linux-gnu"
    COMPILER="gcc3"
    CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
    CXXFLAGS="-O3 -march=pentium3 -funroll-loops -pipe -fomit-frame-pointer -frerun-loop-opt -falign-functions=4 -fforce-mem -ffast-math -finline-functions -foptimize-sibling-calls -mmmx -fstack-protector -Wno-deprecated"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="sandbox ccache autoaddcvs"
    GENTOO_MIRRORS="http://mirrors.sec.informatik.tu-darmstadt.de/gentoo http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
    USE="x86 crypt gif imlib jpeg motif ncurses nls pdflib png xml2 zlib gdbm berkdb slang readline tcpd pam libwww perl python apache acl gd imap innodb ipv6 maildir mbox memlimit sasl slp snmp sse -oss -3dnow -apm -arts -avi -cups -encode -foomaticdb -gpm -gtk -java -kde -gnome -libg++ -mad -mikmod -mpeg -oggvorbis -opengl -qt -quicktime -sdl -spell -svga -truetype -X -xmms -xv ssl -apache2 mysql"
Ah - please update portage, as the sandbox issue is known, and should be solved in 2.0.49-r15. I will look into the other issue, but it may possibly be solved by the same fix as the sandbox one, as it relates to filenames being passed to glibc calls.
I can't. Of half of my binaries ldd tells that they're statically linked (however they aren't that big), so the glibc subversion detection locks up. I don't know how this happened, but many parts of my gentoo installation are not usable anymore. I can't merge many things, or I could and when I run the results they tell me something about libraries. I found nothing to these errors (although this is not related to this bug):
    phil@thrall phil $ irssi
    irssi: error while loading shared libraries: libperl.so.1: cannot enable executable stack as shared object requires: Permission denied
I can't even reemerge these binaries. E.g. openssl fails on loading itself while emerging. Any hints? I didn't do something special to the installation, I did now reemerge binutils/gcc/glibc but the problem with the emerge of portage isn't yet fixed as the bash I compiled new is still considered static.
    phil@thrall phil $ file /bin/sh
    /bin/sh: symbolic link to `bash'
    phil@thrall phil $ file /bin/bash
    /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), stripped
    phil@thrall phil $ ldd /bin/bash
    not a dynamic executable
Do you have grsecurity in the kernel or such? SELinux maybe? What is the 'pp' in your 'uname -a'?
Yes I have grsec, but this was never a problem until now. I use gentoo-sources with the propolice patch enabled. (Which wasn't a problem until now either, as I ran for months without problems, and this problem existed before the recent kernel upgrade.)
Can you try with grsec kernel please. Also note that a full system with propolice is known to cause issues, but we are working on this. Pappy, seen anything like this yet (comment #7)?
Yes I guess all packages are compiled with propolice. But these errors happened recently and the system runs with propolice since Jul 23. Do you mean without grsec? You wrote with, and that's the case already.
Sorry, WITHOUT grsec please.
Ok I'll do this ASAP (in the next days). Although my box gets quite unusable now, e.g. make menuconfig doesn't run anymore |: As said that's recently, I don't know what broke the machine, but I didn't do anything outside of gentoo/portage. If needed (and a GPG/SSH key provided) I could give access to the machine away, as I need this problem sorted out.
What should I do anyway with the new kernel? What should that change? I recompiled without grsec, please tell me what you want me to do.
azarah, Not 100% sure yet but gcc-3.3.x seems to add a new ELF section header called the PT_GNU_STACK and this may be the root of the problem for (comment #7). Best I can tell so far is redhat added the PT_GNU_STACK for exec-shield, a patch that I hope Gentoo will have no part of as it does not stand up so strongly on its own technical merits. I'll be researching more on the PT_GNU_STACK as time permits, any insights from your end would be appreciated.
    Wed Sep 10 15:42:27 2003 gcc-3.2.3-r2 has been unmerged.
    Wed Sep 10 15:42:28 2003 gcc-3.3.1-r1 has been merged.
    Thu Oct 2 16:43:16 2003 gcc-3.3.1-r4 has been merged.
    Sat Oct 18 02:07:28 2003 gcc-3.3.1-r5 has been merged.
    Sun Nov 2 16:11:16 2003 gcc-3.3.2-r2 has been merged.
But Sep 10 sounds very early to me. Perhaps a later 3.3.1 release than -r1 broke it? I have really no clue.
In the meantime I'll try to downgrade to 3.2.x as I really can't emerge anything that depends on libs (merely openssl). grsec shouldn't be the root of the problem, if you got any testcases to do I'll run them.
As far as I could see... For the problem stated in #7 gcc was the reason. The downgrade to the stable version 3.2.3 fixed the problems. For the main bug I'll check tomorrow.
Damn it. This is surely not a hardened issue. First time portage merged properly.
    Thu Nov 6 10:48:28 2003 portage-2.0.49-r15 has been merged.
    Thu Nov 6 10:53:17 2003 autoconf-2.57a-r1 has been merged.
    Thu Nov 6 10:54:39 2003 automake-1.7.8 has been merged.
Now it fails again:
    root@thrall imcom # emerge portage
    Calculating dependencies ...done!
    >>> emerge (1 of 1) sys-apps/portage-2.0.49-r15 to /
    >>> md5 src_uri ;-) portage-2.0.49-r15.tar.bz2
    >>> Unpacking source...
    >>> Unpacking portage-2.0.49-r15.tar.bz2 to /var/tmp/portage/portage-2.0.49-r15/work
    >>> Source unpacked.
    /usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.3/../../../../i686-pc-linux-gnu/bin/as: error while loading shared libraries: /lib/libsandbox.so: cannot enable executable stack as shared object requires: Permission denied
    cc1: Broken pipe: error writing to -
    ./create-localdecls
    Checking truncate argument type... off_t
    Checking libc version... /usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.3/../../../../i686-pc-linux-gnu/bin/as: error while loading shared libraries: /lib/libsandbox.so: cannot enable executable stack as shared object requires: Permission denied
    ldd: ./libctest: No such file or directory
    rm: cannot remove `libctest': No such file or directory
    gcc -march=i386 -O1 -pipe -Wall -c -D_GNU_SOURCE -DPIC -fPIC -D_REENTRANT libsandbox.c
    gcc -march=i386 -O1 -pipe -Wall -c -D_GNU_SOURCE -DPIC -fPIC -D_REENTRANT sandbox_futils.c
    gcc libsandbox.o sandbox_futils.o -shared -fPIC -ldl -lc -o libsandbox.so -nostdlib -lgcc
    /usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.3/../../../../i686-pc-linux-gnu/bin/ld: error while loading shared libraries: /lib/libsandbox.so: cannot enable executable stack as shared object requires: Permission denied
    collect2: ld returned 127 exit status
    make: *** [libsandbox.so] Error 1
    !!! ERROR: sys-apps/portage-2.0.49-r15 failed.
    !!! Function src_compile, Line 32, Exitcode 2
    !!! (no error message)
Without sandbox it merges, ok, but this can't be the solution because there is some fundamental problem.
Other packages think that gcc can't create executables, probably because any lib claiming. Az, should I open a new bug with information? This is NOT related to any thing here, but it's very grave on my system. gcc-3.2.3 seemed to fix a lot (portage merged without problems the first time), but the effect was short.
== The current emerge info ==
    root@thrall imcom # emerge info
    Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r8, 2.4.20-g2-r8-pp)
    =================================================================
    System uname: 2.4.20-g2-r8-pp i686 Pentium III (Katmai)
    Gentoo Base System version 1.4.3.11
    ccache version 2.3 [enabled]
    ACCEPT_KEYWORDS="x86 ~x86"
    AUTOCLEAN="yes"
    CFLAGS="-O3 -march=pentium3 -funroll-loops -pipe -fomit-frame-pointer -frerun-loop-opt -falign-functions=4 -fforce-mem -ffast-math -finline-functions -foptimize-sibling-calls -mmmx -fstack-protector"
    CHOST="i686-pc-linux-gnu"
    COMPILER="gcc3"
    CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config"
    CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
    CXXFLAGS="-O3 -march=pentium3 -funroll-loops -pipe -fomit-frame-pointer -frerun-loop-opt -falign-functions=4 -fforce-mem -ffast-math -finline-functions -foptimize-sibling-calls -mmmx -fstack-protector -Wno-deprecated"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="sandbox ccache autoaddcvs"
    GENTOO_MIRRORS="http://mirrors.sec.informatik.tu-darmstadt.de/gentoo http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
    USE="x86 crypt gif imlib jpeg motif ncurses nls pdflib png xml2 zlib gdbm berkdb slang readline tcpd pam libwww perl python apache acl gd imap innodb ipv6 maildir mbox memlimit sasl slp snmp sse -oss -3dnow -apm -arts -avi -cups -encode -foomaticdb -gpm -gtk -java -kde -gnome -libg++ -mad -mikmod -mpeg -oggvorbis -opengl -qt -quicktime -sdl -spell -svga -truetype -X -xmms -xv ssl -apache2 mysql"
Solar, it seems that if you are correct, the damage is permanent, or it is something other than gcc-3.3.x ... Anybody have ideas on what part of propolice/etdyn (if he uses it)/grsec could be causing that? It may not be binutils that did not set the sections attribs right?
*that* in previous comment is this: --
    ./create-localdecls
    Checking truncate argument type... off_t
    Checking libc version... /usr/lib/gcc-lib/i686-pc-linux-gnu/3.2.3/../../../../i686-pc-linux-gnu/bin/as: error while loading shared libraries: /lib/libsandbox.so: cannot enable executable stack as shared object requires: Permission denied
    ldd: ./libctest: No such file or directory
    rm: cannot remove `libctest': No such file or directory
It is propolice/hardened related more than anything else if you ask me. Please leave CC intact.
It's a busted toolchain thing; see bug #32765 for more details. comment #20 "permanent" <-- not an option for us.
Well, it's only busted for hardened :/
Well it's really broken for everybody but only systems that are taking advantage of non executable stacks are making this show up.
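Added example, not part of the thread or of any Gentoo tool: PT_GNU_STACK, raised earlier in the thread, is an ELF program header entry whose flags say whether an object asks for an executable stack, which is what the loader reports in the "cannot enable executable stack as shared object requires" errors above. The checker below reads that entry from a little-endian ELF32 or ELF64 image; the function names, result codes and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PT_GNU_STACK_TYPE 0x6474e551u /* p_type value of PT_GNU_STACK */
#define PF_X_BIT 0x1u                 /* PF_X: segment must be executable */
enum stack_req { NOT_ELF = -1, NO_MARKING = 0, STACK_NOEXEC = 1, STACK_EXEC = 2 };
/* Read an n-byte little-endian integer (n <= 8). */
static uint64_t rd(const unsigned char *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Classify the image in buf[0..len); every header field is untrusted. */
enum stack_req classify_stack(const unsigned char *buf, size_t len) {
    if (len < 52 || memcmp(buf, "\177ELF", 4) != 0 || buf[5] != 1)
        return NOT_ELF;               /* short, bad magic, or not little-endian */
    int is64 = (buf[4] == 2);         /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if ((!is64 && buf[4] != 1) || (is64 && len < 64)) return NOT_ELF;
    uint64_t phoff = is64 ? rd(buf + 32, 8) : rd(buf + 28, 4);
    uint64_t entsz = rd(buf + (is64 ? 54 : 42), 2);
    uint64_t phnum = rd(buf + (is64 ? 56 : 44), 2);
    uint64_t need = is64 ? 56 : 32;   /* size of one Elf64_Phdr / Elf32_Phdr */
    for (uint64_t i = 0; i < phnum; i++) {
        if (entsz < need || phoff > len) return NOT_ELF;
        uint64_t off = phoff + i * entsz;
        if (off > len || len - off < need) return NOT_ELF; /* table past EOF */
        if (rd(buf + off, 4) != PT_GNU_STACK_TYPE) continue;
        uint64_t flags = rd(buf + off + (is64 ? 4 : 24), 4);
        return (flags & PF_X_BIT) ? STACK_EXEC : STACK_NOEXEC;
    }
    return NO_MARKING;                /* no PT_GNU_STACK entry at all */
}

/* Constructed sample: minimal ELF32 header plus one PT_GNU_STACK entry. */
void make_sample(unsigned char img[84], uint32_t p_flags) {
    memset(img, 0, 84);
    memcpy(img, "\177ELF\1\1\1", 7);  /* magic, ELF32, little-endian, version 1 */
    img[28] = 52; img[42] = 32; img[44] = 1; /* e_phoff, e_phentsize, e_phnum */
    img[52] = 0x51; img[53] = 0xe5; img[54] = 0x74; img[55] = 0x64; /* p_type */
    img[52 + 24] = (unsigned char)p_flags;                           /* p_flags */
}

int main(void) {
    unsigned char img[84];
    make_sample(img, 7);              /* PF_R|PF_W|PF_X: asks for an executable stack */
    printf("constructed sample: %d\n", classify_stack(img, sizeof img));
    return 0;
}
```

NO_MARKING is reported separately from STACK_NOEXEC because an object without the entry makes no statement either way, and how that case is treated is up to the loader and kernel.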
Ah, and that's why it's related to hardened. Ok. I'll disable this grsec protection for now.
Disabling of GRKERNSEC_PAX_NOEXEC fixed it. Thanks. Initial bug is fixed by portage -r15. So please put this bug to resolution fixed.
Philipp, can you try to add this patch to glibc-2.3.2-r8, remerge it, and then enable GRKERNSEC_PAX_NOEXEC again please? http://bugs.gentoo.org/attachment.cgi?id=20445&action=view
You could probably close this bug. My main server where it happened had a HDD crash and on the new gentoo installation it runs with the patch now, although you get problems when installing from the old 1.4_rc4 stage3. Same problem again, you need the patch for sure.
Closed at user's discretion. TIA, Alex