Bug 115651

Summary: sandbox: whitelist /dev/stderr, stdin, stdout
Product: Portage Development
Reporter: Ed Catmur <ed>
Component: Sandbox
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://forums.gentoo.org/viewtopic-t-412311-start-0-postdays-0-postorder-asc-highlight-.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=922960
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 115839    

Description Ed Catmur 2005-12-15 06:09:35 UTC
As well as the linked URL, there have on the forums been sporadic instances of
ebuilds borking with sandbox vios on /dev/stderr. It's difficult to tell what is
trying to write to /dev/stderr, but adding addwrite /dev/stderr to
/etc/portage/bashrc lets the ebuild complete, suggesting it can't be anything
important.

I suggest sandbox should whitelist /dev/std{in,out,err}. It can't hurt, right?

Comment 1 SpanKY gentoo-dev 2005-12-15 06:50:38 UTC
it isn't sporadic at all, everyone who is seeing /dev/stderr sandbox
errors has not updated their portage tree, the bug has been fixed in
the eclass already

Comment 2 Zac Medico gentoo-dev 2005-12-15 10:16:58 UTC
When I was troubleshooting bug 115434 I noticed that redirection to /dev/stderr
(flag-o-matic.eclass, for example) results in "Permission denied" errors when
FEATURES="userpriv" is enabled (not because of sandbox, but because of dropped
privileges).

This leads me to wonder why flag-o-matic.eclass doesn't use >&2 instead of
>/dev/stderr, since >&2 seems to work with dropped privileges while
>/dev/stderr does not.
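
The difference between >&2 and >/dev/stderr described in Comment 2, reproduced as an added example (not part of the original thread and not Portage or eclass code). Assumptions: Linux, where /dev/stderr resolves through /proc/self/fd/2; a temporary file stands in for the terminal device, and clearing its mode after fd 2 is opened stands in for the uid switch done by FEATURES="userpriv"; the function name compare_stderr_redirects is hypothetical.

```shell
#!/bin/sh
# Added example (constructed): compare the two stderr redirections when the
# file behind fd 2 is no longer writable by the credentials now in effect.

compare_stderr_redirects() {
    log=$(mktemp) || return 1
    out=$(
        exec 2>"$log"       # fd 2 is opened while the path is still writable
        chmod 000 "$log"    # assumption: stands in for dropping privileges;
                            # the already-open descriptor is not affected

        # >&2 duplicates the existing descriptor: no path lookup, no new check.
        if echo via-dup >&2; then dup=ok; else dup=denied; fi

        # >/dev/stderr follows the symlink and calls open(2) again, so the
        # kernel repeats the permission check with the current credentials.
        if echo via-path >/dev/stderr; then reopen=ok; else reopen=denied; fi

        # Control: opening the file by its real name goes through the same check.
        if true >>"$log"; then path=ok; else path=denied; fi

        echo "dup=$dup devstderr=$reopen path=$path"
    )
    rm -f "$log"
    echo "$out"
}

compare_stderr_redirects
```

Run as an unprivileged user this prints dup=ok devstderr=denied path=denied; as root all three report ok, because root bypasses the file mode bits.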

Comment 3 Jason Stubbs (RETIRED) gentoo-dev 2005-12-21 07:54:17 UTC
Apparently there's some kernel magic that redirects /dev/std{in,out,err}.. I kind of wonder what's there when those files are closed. Someone more knowledgeable than me: are these safe to add for the general case?

Comment 4 SpanKY gentoo-dev 2005-12-21 07:57:52 UTC
yes

Comment 5 Jason Stubbs (RETIRED) gentoo-dev 2005-12-21 08:10:32 UTC
Done. :)

Comment 6 Jason Stubbs (RETIRED) gentoo-dev 2005-12-25 00:09:17 UTC
Released in 2.1_pre2.