When upgrading to sys-boot/grub-0.97-r10, the following message appears, but grub installs successfully:
 * Copying files from /lib/grub, /usr/lib/grub and /usr/share/grub to //boot/grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
/var/tmp/portage/sys-boot/grub-0.97-r10/temp/environment: line 4182: 24477 Done egrep -v '^[[:space:]]*(#|$|default|fallback|initrd|password|splashimage|timeout|title)' "${grub_config}"
24478 Aborted | /sbin/grub --batch --device-map="${dir}"/device.map > /dev/null
 * Grub has been installed to //boot successfully.
Running grub from the shell aborts like this:
# grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted
This could block users from properly installing Gentoo with grub as the bootloader.
full build.log please
Please attach the build log, post your `emerge --info' in a comment and reopen this bug report.
Created attachment 241093
build.log
This is actually the log from PORT_LOGDIR, since there is no build.log in PORTAGE_TMPDIR even when using FEATURES=noclean.
Created attachment 241095
emerge --info
emerge --info with some irrelevant information filtered out.
Reopening
(In reply to comment #2)
> Please attach the build log, post your `emerge --info' in a comment and reopen
> this bug report.
Ah, sry - I attached "emerge --info" as a file instead. Reopening.
(In reply to comment #3)
> Created an attachment (id=241093)
> build.log
>
> This is actually the log from PORT_LOGDIR, since there is no build.log in
> PORTAGE_TMPDIR even when using FEATURES=noclean.
Naturally.
(In reply to comment #4)
> Created an attachment (id=241095)
> emerge --info
>
> emerge --info with some irrelevant information filtered out.
You don't get to decide what's irrelevant or how do you expect to receive support? Please tell us what you left out and why you think it's irrelevant.
I filtered out the following environment variables: CONFIG_PROTECT, CONFIG_PROTECT_MASK, DISTDIR, GENTOO_MIRRORS, PKGDIR, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTAGE_TMPDIR, PORTDIR, PORTDIR_OVERLAY, SYNC
And from USE: ALSA_CARDS, ALSA_PCM_PLUGINS, APACHE2_MODULES, INPUT_DEVICES, LCD_DEVICES, QEMU_SOFTMMU_TARGETS, QEMU_USER_TARGETS, RUBY_TARGETS, VIDEO_CARDS, XTABLES_ADDONS
Some of the variables like ALSA_CARDS are plainly irrelevant for this grub bug, and variables like GENTOO_MIRRORS also contain sensitive information about our network infrastructure, which I'll keep private.
If you think any of those are actually relevant, please explain why.
(In reply to comment #8)
> If you think any of those are actually relevant, please explain why.
Please, everybody calm down. I personally find it much easier to read through an `emerge --info` output if it's unmodified and everything's at the usual place.
I don't see a problem on this configuration, hardened amd64 system (why is there a -arm- in the systems uname?), ccache existent but disabled, latest testing gcc:4.4 (hm?!) and latest testing glibc.
@Jaak, please comment the full `emerge --info` output to match the rules.
Michael
I don't see this problem on my system, differences: gentoo-sources, baselayout-2, amd processor, even with your aggressive CFLAGS (-O3) or on gcc-4.5. I have no idea what could lead to this problem.
(In reply to comment #9)
> (In reply to comment #8)
> I don't see a problem on this configuration, hardened amd64 system (why is
> there a -arm- in the systems uname?), ccache existent but disabled, latest
> testing gcc:4.4 (hm?!) and latest testing glibc.
CONFIG_LOCALVERSION="-arm" is in kernel config and sys-libs/glibc-2.11.2 appears as latest stable.
> @Jaak, please comment the full `emerge --info` output to match the rules.
I'm sorry, but can't - policies. I could try it on a different machine, and paste "emerge --info" from that, but it could take a long while. I'm 95% sure that the stuff I filtered out doesn't matter.
Either way, I ended up debugging the issue and found that strerror(errno) was "Operation not permitted". And I found the following in dmesg:
[10654.522474] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /sbin/grub[grub:17491] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:13850] uid/euid:0/0 gid/egid:0/0
(In reply to comment #11)
> > @Jaak, please comment the full `emerge --info` output to match the rules.
> I'm sorry, but can't - policies.
so we can't help you.
> Either way, I ended up debugging the issue and found that strerror(errno) was
> "Operation not permitted". And I found the following in dmesg:
>
> [10654.522474] grsec: denied resource overstep by requesting 4096 for
> RLIMIT_CORE against limit 0 for /sbin/grub[grub:17491] uid/euid:0/0
> gid/egid:0/0, parent /bin/bash[bash:13850] uid/euid:0/0 gid/egid:0/0
So, this is a hardened issue!
Reso/Invalid or can we do something about it?
(In reply to comment #12)
> (In reply to comment #11)
> > > @Jaak, please comment the full `emerge --info` output to match the rules.
> > I'm sorry, but can't - policies.
> so we can't help you.
>
> > Either way, I ended up debugging the issue and found that strerror(errno) was
> > "Operation not permitted". And I found the following in dmesg:
> >
> > [10654.522474] grsec: denied resource overstep by requesting 4096 for
> > RLIMIT_CORE against limit 0 for /sbin/grub[grub:17491] uid/euid:0/0
> > gid/egid:0/0, parent /bin/bash[bash:13850] uid/euid:0/0 gid/egid:0/0
> So, this is a hardened issue!
>
> Reso/Invalid or can we do something about it?
>
That's not a hardened problem.. It just says that there is no limit defined for coredumps. So that's not an error, set "ulimit -c ..." and you'll get a coredump.
It's definitely a PAX-related problem.
paxctl -m /sbin/grub
makes grub work again.
(In reply to comment #14)
> It's definitely a PAX-related problem.
>
> paxctl -m /sbin/grub
>
> makes grub work again.
>
PAX just triggers the bug in Grub. Grub's source code doesn't properly handle the valid error return value from the mmap (man 2 mmap) function. Grub should gracefully exit instead of asserting at grub/asmstub.c:215.
From the man-page of assert (man 3 assert):
The purpose of this macro is to help the programmer find bugs in his program. The message "assertion failed in file foo.c, function do_bar(), line 1287" is of no help at all to a user.
So if the assert statement in Grub is actually meant to catch mmap errors, it's definitely a misuse of the assert macro.
(In reply to comment #15)
> (In reply to comment #14)
> > It's definitely a PAX-related problem.
> >
> > paxctl -m /sbin/grub
> >
> > makes grub work again.
> >
> PAX just triggers the bug in Grub. Grub's source code doesn't properly handle
> the valid error return value from the mmap (man 2 mmap) function. Grub should
> gracefully exit instead of asserting at grub/asmstub.c:215.
> From the man-page of assert (man 3 assert):
> The purpose of this macro is to help the programmer find bugs in his
> program. The message "assertion failed in file foo.c, function do_bar(), line
> 1287" is of no help at all to a user.
> So if the assert statement in Grub is actually meant to catch mmap errors, it's
> definitely a misuse of the assert macro.
As I understand, grub tries to allocate executable memory:
mmap2(NULL, 6303744, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
That is rightfully denied by PAX, but would have worked if PAX would not be present. Failures of memory allocation are often enclosed in assert()s by programmers - their condition very rarely trigger at all.
In that way it's a bug of grub (because it shouldn't need executable memory at all), but it's only hardened-related. grub will work in non-PAX environments.
(In reply to comment #16)
> That is rightfully denied by PAX, but would have worked if PAX would not be
> present. Failures of memory allocation are often enclosed in assert()s by
> programmers - their condition very rarely trigger at all.
>
> In that way it's a bug of grub (because it shouldn't need executable memory at
> all), but it's only hardened-related. grub will work in non-PAX environments.
Would it have worked? I don't see it as 100% certain that mmap never returns -1 EAGAIN, -1 ENOMEM or something similar (see ERRORS in man 2 mmap). Yet Grub wrongly assumes the mmap call never returns with an error.
I really don't see your point here.
Do you think it would help if grub would have failed with an error message like "memory allocation failed!" or something like that, instead of an assert()? It would not work either way, because PAX denies executable memory. grub does NOT ignore the error condition of mmap(), it just does not output a nice error, which is, at least for me, absolutely low priority.
Just 'paxctl -m /sbin/grub' for the moment, and you'll see that it works...
Let's focus on fixing the bug, please.
(In reply to comment #18)
> I really don't see your point here.
>
> Do you think it would help if grub would have failed with an error message like
> "memory allocation failed!" or something like that, instead of an assert()? It
> would not work either way, because PAX denies executable memory. grub does NOT
> ignore the error condition of mmap(), it just does not output a nice error,
> which is, at least for me, absolutely low priority.
Yes, I think it would help if grub would have failed with an error message like "mmap() failed: Permission denied". I would immediately have remembered that I'm on hardened, and I would have checked the appropriate logs. And if I was running low on memory or had some other error, I'd still get an informative message instead of some cryptic abort "grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed." which tells the average user absolutely nothing.
> Just 'paxctl -m /sbin/grub' for the moment, and you'll see that it works...
This is still just a workaround for the bug in Grub which doesn't handle mmap() errors as it should.
(In reply to comment #16)
> In that way it's a bug of grub (because it shouldn't need executable memory at
> all), but it's only hardened-related. grub will work in non-PAX environments.
A comment explains why grub developers think it does need to be executable:
/* Mark the simulated stack executable, as GCC uses stack trampolines
 * to implement nested functions. */
return mmap(NULL, len, PROT_READ|PROT_WRITE|PROT_EXEC, mmap_flags, -1, 0);
What I don't readily see is what the nested function would be, and if it is still used in the code at all.
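The error reporting argued for in the comments above, as an added example that is not GRUB's code and not part of the original thread: a failed mmap() is turned into a message carrying strerror(errno) and a policy hint instead of tripping an assert(). The names alloc_sim_stack and mmap_failure_hint and the hint wording are assumptions made for this illustration; the length 6303744 and the protection flags are the ones from the strace quoted in the thread.

```c
/* Added illustration, not GRUB source. Function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Translate the errno of a failed mmap() into advice for the operator.
 * EPERM on a PROT_EXEC request is what the strace in this thread shows
 * when PaX MPROTECT refuses a writable and executable mapping. */
const char *mmap_failure_hint(int err, int prot)
{
    if ((prot & PROT_EXEC) && (err == EPERM || err == EACCES))
        return "executable mapping denied by kernel policy "
               "(e.g. PaX MPROTECT); check dmesg";
    if (err == ENOMEM || err == EAGAIN)
        return "not enough memory or address space for the mapping";
    if (err == EINVAL)
        return "invalid length or flags passed to mmap";
    return "unexpected mmap failure";
}

/* Allocate an anonymous private mapping. On failure return NULL and
 * write a diagnostic into msg; on success msg is set to "". */
void *alloc_sim_stack(size_t len, int prot, char *msg, size_t msglen)
{
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (p == MAP_FAILED) {
        int err = errno; /* save before any other libc call */
        snprintf(msg, msglen, "mmap(%zu bytes, prot=0x%x) failed: %s: %s",
                 len, (unsigned)prot, strerror(err),
                 mmap_failure_hint(err, prot));
        return NULL;
    }
    if (msglen > 0)
        msg[0] = '\0';
    return p;
}

int main(void)
{
    char msg[256];
    size_t len = 6303744; /* size from the strace quoted in the thread */
    int prot = PROT_READ | PROT_WRITE | PROT_EXEC;
    void *stack = alloc_sim_stack(len, prot, msg, sizeof msg);

    if (stack == NULL) {
        /* Clean exit with a readable reason instead of abort(). */
        fprintf(stderr, "demo: %s\n", msg);
        return 1;
    }
    puts("RWX mapping granted");
    munmap(stack, len);
    return 0;
}
```

On a kernel that enforces MPROTECT for the binary this exits with status 1 and the policy hint; elsewhere the mapping is granted.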
grub needs executable maps. you can complain all you want about how this is "wrong", but it is irrelevant as grub isnt changing and we arent going to waste time on rewriting the source. read the upstream docs.
we'll add the paxctl cruft to pkg_postinst
as for `emerge --info`, dont screw with it. let the developers/wranglers figure out what is relevant.
(In reply to comment #21)
> grub needs executable maps. you can complain all you want about how this is
> "wrong", but it is irrelevant as grub isnt changing and we arent going to waste
> time on rewriting the source. read the upstream docs.
>
> we'll add the paxctl cruft to pkg_postinst
Ok, I'll probably file another bug/patch @ grub about the source, since it is somewhat a different issue. Especially in the light of the source code comment posted here.
> as for `emerge --info`, dont screw with it. let the developers/wranglers
> figure out what is relevant.
I will still censor some stuff like hostnames, network mounts etc. So I guess you just have to deal with it. Sry.
like i said, read the upstream grub documentation. they know about the issue and dont care.
too bad `emerge --info` doesnt mention network mounts, and hostname information is irrelevant. anyone who thinks "hiding" dns names == security doesnt have a clue.
(In reply to comment #23)
> like i said, read the upstream grub documentation. they know about the issue
> and dont care.
What documentation exactly?
> too bad `emerge --info` doesnt mention network mounts, and hostname information
> is irrelevant. anyone who thinks "hiding" dns names == security doesnt have a
> clue.
I could argue with you for days about why it is not irrelevant. But let's not go off-topic, please.
googling for the obvious "grub executable stack" seems to result in an answer, let alone using the included search function of their wiki
i'm glad you agree that dns hiding is stupid
(In reply to comment #25)
> googling for the obvious "grub executable stack" seems to result in an answer,
> let alone using the included search function of their wiki
For other interested parties: the URL is http://grub.enbug.org/NestedFunctions
> i'm glad you agree that dns hiding is stupid
I don't exactly understand what you mean by "dns hiding", but if you mean what I think you mean by it, then I don't agree 100%.
Please sync and emerge -r10 again to test my fix: + # bug 330745 + pax-mark -m "${D}"/sbin/grub vapier: fyi paxctl stuff goes into src_install w/ the pax-utils eclass, not pkg_postinst.
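Review bot: The added comment `# bug 330745` gives only a bug number, so the reason for relaxing PaX is not visible next to the `pax-mark -m` line. Please state it there: MPROTECT is switched off because grub maps its simulated stack with PROT_READ|PROT_WRITE|PROT_EXEC and aborts at asmstub.c:215 when that mmap is denied, so that a later cleanup neither drops nor widens the exception. The marking covers only "${D}"/sbin/grub; any other installed binary that requests the same mapping would need the same treatment, which is what the grub-static-0.97-r10 request in the following comment asks about.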
Re Comment 27: would you kindly commit a grub-static-0.97-r10 ebuild with the same fix?
(In reply to comment #27)
> Please sync and emerge -r10 again to test my fix: > + # bug 330745 > + pax-mark -m "${D}"/sbin/grub
I am sorry, it still doesn't work for me and I am left clueless as how to fix it. I get this error w/ -r10:
 * Copying files from /lib/grub, /usr/lib/grub and /usr/share/grub to //boot/grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
/var/tmp/portage/sys-boot/grub-0.97-r10/temp/environment: line 4183: 7932 Done egrep -v '^[[:space:]]*(#|$|default|fallback|initrd|password|splashimage|timeout|title)' "${grub_config}"
7933 Aborted | /sbin/grub --batch --device-map="${dir}"/device.map > /dev/null
 * Grub has been installed to //boot successfully.
But I can see that pax worked during install:
castore ~ # which grub
/sbin/grub
castore ~ # paxctl -v $(which grub)
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [/sbin/grub]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
castore ~ # grub
grub: asmstub.c:215: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
Aborted
I don't know what is wrong. I am running a hardened system, this is my emerge --info.
And this is /var/log/portage/elog/summary.log castore ~ # less
/var/log/portage/elog/summary.log
>>> Messages generated by process 2072 on 2010-12-20 08:42:28 CET for package sys-boot/grub-0.97-r10:
LOG: prerm
To avoid automounting and auto(un)installing with /boot, just export the DONT_MOUNT_BOOT variable.
>>> Messages generated by process 2072 on 2010-12-20 08:42:38 CET for package sys-boot/grub-0.97-r10:
LOG: install
PT PaX marking -m /var/tmp/portage/sys-boot/grub-0.97-r10/image//sbin/grub
LOG: preinst
To avoid automounting and auto(un)installing with /boot, just export the DONT_MOUNT_BOOT variable.
WARN: postinst
*** IMPORTANT NOTE: you must run grub and install the new version's stage1 to your MBR. Until you do, stage1 and stage2 will still be the old version, but later stages will be the new version, which could cause problems such as an unbootable system. This means you must use either grub-install or perform root/setup manually! For more help, see the handbook: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=10#grub-install-auto
LOG: postinst
To interactively install grub files to another device such as a USB stick, just run the following and specify the directory as prompted:
emerge --config =grub-0.97-r10
Alternately, you can export GRUB_ALT_INSTALLDIR=/path/to/use to tell grub where to install in a non-interactive way.
castore ~ # emerge grub -pv
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-boot/grub-0.97-r10 USE="ncurses -custom-cflags -netboot -static" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
Thanks for your help
In my opinion this fix opens security issues. Those pax-flags for the grub-binary may allow an attacker to exploit bugs in the grub binary and to compromise the system, or boot-record. I am not 100% sure, but didn't we have a better solution for it, earlier? As I can remember, zorry had once grub in his hardened-toolchain overlay and solved it without pax-flags. >just my 2 cents<