I sometimes get this error in gitea.log:

> 2023/12/19 23:32:50 ...meutil/executable.go:25:func1() [E] [65822822] os.Executable: readlink /proc/self/exe: permission denied

Gitea is running as user git and the binary has the following permissions:

> -rwx--x--x 1 root root 90342852 Jun 24 14:45 /usr/bin/gitea

I think this is caused by the 711 mode in FILECAPS:

> FILECAPS=(
> 	-m 711 cap_net_bind_service+ep usr/bin/gitea
> )

https://github.com/gentoo/gentoo/blob/1c1b611cae19413da1e0428f3973ccbdd28a089b/www-apps/gitea/gitea-1.19.3.ebuild#L37

This seems to have changed from 0755 in gitea-1.14.6.ebuild to 711 in gitea-1.15.2.ebuild:

https://github.com/gentoo/gentoo/blob/db88b1580/www-apps/gitea/gitea-1.14.6.ebuild#L39
https://github.com/gentoo/gentoo/blob/db88b1580/www-apps/gitea/gitea-1.15.2.ebuild#L38

and is still set to 711 in the most recent ebuild:

https://github.com/gentoo/gentoo/blob/4da57ad96e0c8/www-apps/gitea/gitea-1.21.2.ebuild#L38

I'm using:

> Portage 3.0.45.3 (python 3.11.3-final-0, default/linux/arm/17.0/armv7a, gcc-12, glibc-2.36-r7, 3.4.104-sunxi-g1df3de8e armv7l)
>
> www-apps/gitea-1.19.3::gentoo was built with the following:
> USE="acct filecaps -pam -pie -sqlite"
> CFLAGS="-O2 -pipe -mfloat-abi=hard -mtls-dialect=gnu -march=armv7-a"
> CXXFLAGS="-O2 -pipe -mfloat-abi=hard -mtls-dialect=gnu -march=armv7-a"
> FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg buildpkg-live compress-index compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

Did not test with the most recent ebuild but if needed I'll report back once I upgrade.

Hi, Nuno!

The option `-m 711` or `-m 755` only affects binary permissions if the filecaps USE is disabled or setcaps has failed. If no error message like `Could not set caps balabala..` or `Setting caps .. on.. failed: balabala..` appears when installing gitea, this option can be completely ignored.

Normally, we use the default mode 711 (caps_mode) from fcaps.eclass to set the binary permissions, and the read permission is unnecessary when executing binaries.

I'm not sure if we should change the default binary mode to 755 with `-M 755`; it seems harmless but unnecessary. I guess the problem should be elsewhere.