462136 – sys-apps/portage-2.2.0_alpha166: Permissions for $TMPDIR - group-writable directory?

Bug 462136 - sys-apps/portage-2.2.0_alpha166: Permissions for $TMPDIR - group-writable directory?

Summary: sys-apps/portage-2.2.0_alpha166: Permissions for $TMPDIR - group-writable dir...

Status:	RESOLVED INVALID

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Core (show other bugs)
Hardware:	All Linux

Importance:	Normal enhancement
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-03-18 04:08 UTC by Dennis Schridde
Modified:	2014-10-17 21:32 UTC (History)
CC List:	0 users

See Also:	470688
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dennis Schridde 2013-03-18 04:08:41 UTC

TMPDIR is currently set to /var/tmp/portage/$CATEGORY/$P/temp during emerge. This directory is created group writeable.

I have setup my hardened kernel to deny exec in untrusted directories. Thus it prevents execution of scripts there:
grsec: From 127.0.0.6: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-0.10.6/temp/ffconf.ZLmMqQZ9.sh by /var/tmp/portage/media-video/ffmpeg-0.10.6/temp/ffconf.ZLmMqQZ9.sh[configure:1251] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/media-video/ffmpeg-0.10.6/work/ffmpeg-0.10.6/configure[configure:772] uid/euid:250/250 gid/egid:250/250

Is it possible / sensible to remove group-write access from that directory (i.e. $TMPDIR)? Is there a valid usecase for the portage group writing to the ./temp dir?

Reproducible: Always

Comment 1 Dennis Schridde 2013-03-18 04:35:39 UTC

(In reply to comment #0)
> I have setup my hardened kernel to deny exec in untrusted directories.

I thought this was related to TPE, but the hardened kernel seems to do this for all users (I excluded the portage user from TPE using GRKERNSEC_TPE_TRUSTED_GID). Thus I assume this problem affects all hardened users.

Comment 2 Zac Medico gentoo-dev

2013-03-18 04:39:54 UTC

The "portage" group is considered trusted. It's intended to grant write access to trusted users. For example, a trusted user might call ebuild(1) with sudo just for specific phases like pkg_setup that need special privileges, and then call ebuild(1) again without sudo. In this case, belonging to the "portage" group grants the necessary privileges to do this. It's also used to grant access to the special "portage" user that's used to implement FEATURES=userpriv.

No untrusted users should be added to the "portage" group. We have a warning about this, as shown in bug 149062, comment #15.

Comment 3 Dennis Schridde 2013-03-18 05:38:51 UTC

(In reply to comment #2)
> The "portage" group is considered trusted. It's intended to grant write
> access to trusted users.

Thanks for that explanation. So I need to figure out why the hardened kernel enforces no-group-writability here. I'll report back once I know.

Comment 4 Dennis Schridde 2013-03-18 06:04:32 UTC

After reading the grsec patch it became obvious: The issue stems from a misunderstanding of the CONFIG_GRKERNSEC_TPE_ALL option.

Comment 5 Anthony Basile gentoo-dev

2014-10-17 21:32:18 UTC

(In reply to Dennis Schridde from comment #4)
> After reading the grsec patch it became obvious: The issue stems from a
> misunderstanding of the CONFIG_GRKERNSEC_TPE_ALL option.

Not exactly invalid, but we don't have to reopen this.  Take a look at the solution in bug #519566.