Bug 254914

Summary:	net-analyzer/metasploit-3.1_p5699-r1 fails to install due to sandbox symlink violations (chown -R)
Product:	Portage Development	Reporter:	Mike Auty (RETIRED) <ikelos>
Component:	Sandbox	Assignee:	Sandbox Maintainers <sandbox>
Status:	RESOLVED FIXED
Severity:	normal	CC:	jswitzer, martin, netmon
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Mike Auty (RETIRED) gentoo-dev

2009-01-14 00:17:02 UTC

Hiya guys,

Just tried rebuilding metasploit, and it looks like something got tightened up in a recent portage/sandbox.  I'm using userpriv, and metasploit's trying to chown to root, however I was fairly sure this used to work.  Any idea what's going on?

>>> Install metasploit-3.1_p5699-r1 into /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ category net-analyzer
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfd3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfd3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfencode3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfencode3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfcli3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfcli3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfgui3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfgui3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfweb3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfweb3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfpayload3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfpayload3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfconsole3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfconsole3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfopcode3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfopcode3': Permission denied
ACCESS DENIED  fchownat:  /proc/21464/fd/6/msfpescan3
chown: changing ownership of `/var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/usr/bin/msfpescan3': Permission denied
>>> Completed installing metasploit-3.1_p5699-r1 into /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-21362.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: fchownat
S: deny
P: /proc/21464/fd/6/msfd3
A: /proc/21464/fd/6/msfd3
R: /usr/lib/metasploit3/msfd
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfencode3
A: /proc/21464/fd/6/msfencode3
R: /usr/lib/metasploit3/msfencode
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfcli3
A: /proc/21464/fd/6/msfcli3
R: /usr/lib/metasploit3/msfcli
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfgui3
A: /proc/21464/fd/6/msfgui3
R: /usr/lib/metasploit3/msfgui
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfweb3
A: /proc/21464/fd/6/msfweb3
R: /usr/lib/metasploit3/msfweb
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfpayload3
A: /proc/21464/fd/6/msfpayload3
R: /usr/lib/metasploit3/msfpayload
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfconsole3
A: /proc/21464/fd/6/msfconsole3
R: /usr/lib/metasploit3/msfconsole
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfopcode3
A: /proc/21464/fd/6/msfopcode3
R: /usr/lib/metasploit3/msfopcode
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 

F: fchownat
S: deny
P: /proc/21464/fd/6/msfpescan3
A: /proc/21464/fd/6/msfpescan3
R: /usr/lib/metasploit3/msfpescan
C: chown -R root:0 /var/tmp/portage/net-analyzer/metasploit-3.1_p5699-r1/image/ 
--------------------------------------------------------------------------------

Here's the usual emerge --info:

Portage 2.2_rc21 (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.9_p20081201-r1, 2.6.28-dirty i686)
=================================================================
System uname: Linux-2.6.28-dirty-i686-Intel-R-_Core-TM-2_Duo_CPU_T7700_@_2.40GHz-with-gentoo-2.0.0
Timestamp of tree: Mon, 12 Jan 2009 22:35:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p48
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:     2.5.2-r8, 2.6.1
dev-python/pycrypto: 2.0.1.99999
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.4.1-r1
sys-apps/sandbox:    1.3.2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.28-r1
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -mtune=core2 -pipe -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -mtune=core2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect cvs distlocks fixpackages parallel-fetch protect-owned sandbox sfperms splitdebug strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LC_ALL="en_GB"
LDFLAGS="-Wl,--as-needed"
LINGUAS="en en_GB"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/embedded /usr/local/overlays/gnome /usr/local/overlays/bluez /usr/local/overlays/desktop-effects /usr/local/overlays/vmware /usr/local/overlays/uncon /usr/local/overlays/ikelos /usr/local/overlays/personal"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi additions alsa apache2 applet avahi bash-completion berkdb bluetooth boundschecking branding bzip2 cairo ccache cdda cdr cli cracklib crypt cups curl dbus dell deskbar divx dri dv dvb dvd dvdr dvi encode exif fam ffmpeg fftw ftp fuse gd gedit gif git glade glitz gmedia gnome gnome-keyring gnuplot gps graphviz gsm gstreamer gtk gtkhtml hal havekernel hdaps hpn httpd hybrid-auth iconv ilbc imap injection ipod iproute2 ipv6 isdnlog java java5 java6 javascript jingle john jpeg kpathsea kqemu kvm ladspa lame laptop ldap libffi libnotify libsexy mad madwifi maildir mdnsresponder-compat midi mikmod mmx mmxext mng mono moonlight mozdevelop mozdom moznopango mp3 mpeg mscash mssql mudflap multitarget music mysql nautilus ncurses netboot networkmanager nls nntp nptl nptlonly ntlm obex ogg old-daemons opengl openmp pam patch pcmcia pcre pcsc-lite pdf perl pic png postgres ppds pppd python quicktime rdesktop readline realmedia reflection resolvconf rtsp samba sasl sdl server session skins slp smp sms smux snmp sox spell spl sqlite sqlite3 sse sse2 ssl stream subversion svg svn-mirror sysfs syslog tcpd theora tokenizer tracker truetype unicode usb usrp v4l2 vlm vnc vorbis webdav wifi win32codecs winbind wmp wpe x264 x86 x86emu xcb xml xorg xulrunner xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" DVB_CARDS="usb-dib0700" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" USERLAND="GNU" VIDEO_CARDS="intel vesa"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Mike Auty (RETIRED) gentoo-dev

2009-01-14 00:19:30 UTC

CCing the sandbox guys, in case they can shed some light on what's going on...

Comment 2 Mike Auty (RETIRED) gentoo-dev

2009-01-14 00:37:16 UTC

It's also a bit odd that we're bothering to re-chown everything to root.  Commenting out that line installed everything with root:root owner anyway?

Comment 3 SpanKY gentoo-dev

2009-01-14 16:51:42 UTC

hmm, looks to me like it's functioning correctly ?  all the things in $D/usr/bin/ are absolute symlinks to / and so any `chown` operation on them will actually operate on the target, not the symlink.  perhaps your src_install() meant to use the -h option to chown ?

Comment 4 SpanKY gentoo-dev

2009-01-20 23:35:20 UTC

assuming this isnt a sandbox bug ...

Comment 5 SpanKY gentoo-dev

2009-03-08 13:07:27 UTC

ok, scratch that ... ive spent time reading the POSIX docs and tracing the utility behavior and this does seem to be a bug in sandbox

in older versions, chown would use lchown() when running recursively.  newer versions though have switched to fchownat().  while newer sandboxes now handle that function, they do not account for when the function is called with AT_SYMLINK_NOFOLLOW.

ive fixed this in sandbox git now ... while i havent tested this package specifically (because i dont have ruby and crap installed), i have tested two other packages which suffer from the same issue (afaik)

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=7b0b914b4ea0e594867bad91fe1aaffa0c21d87b

might also be worth noting that POSIX does not stipulate the default mode of -R, but that the GNU chown does not deref symlinks found while running recursively ...

http://www.opengroup.org/onlinepubs/9699919799/utilities/chown.html

Comment 6 SpanKY gentoo-dev

2009-03-08 13:08:16 UTC

*** Bug 261196 has been marked as a duplicate of this bug. ***

Comment 7 Maciej Mrozowski gentoo-dev

2009-04-19 06:13:05 UTC

I guess I'm experiencing similar issue with kde-base/printer-applet-9999 from kde-testing overlay.

Basically cmake invokes symlink(const char*, const char*) function, and then sets executable bit for that file (it's python script btw).
As symlink target is absolute path, chmod will point outside of image dir (causing sandbox violation).

Would it be possible to simulate "fakeroot" for symlinks, and when symlink target is absolute path - append image dir prefix for any operation on that file, so that:

Original invocation:
chmod("/some/file")

wrapped:
if "/some/file" is symlink with absolute target
   chmod(/var/tmp/_path_to_image_dir/some/file")

Btw, where I can find some quickstart docs with sandbox debugging? (especially how to use 'emerge' with own tweaked sandbox etc)

Log:
-- Installing: /var/tmp/portage/kde-base/printer-applet-9999/image/usr/kde/live/share/apps/printer-applet/debug.py                                                                                          
-- Symlinking /var/tmp/portage/kde-base/printer-applet-9999/image///usr/kde/live/bin/printer-applet to /var/tmp/portage/kde-base/printer-applet-9999/image///usr/kde/live/share/apps/printer-applet/printer-applet.py                                                                                             
ACCESS DENIED  fchmodat:     /usr/kde/live/share/apps/printer-applet/printer-applet.py                
chmod: changing permissions of `/usr/kde/live/share/apps/printer-applet/printer-applet.py': Brak dostępu                                                                                                    
-- Installing: /var/tmp/portage/kde-base/printer-applet-9999/image/usr/kde/live/share/autostart/printer-applet.desktop                                                                                      
>>> Completed installing printer-applet-9999 into /var/tmp/portage/kde-base/printer-applet-9999/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-520.log"                                     

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status  
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path               
FORMAT: C - Command Line                 

F: fchmodat
S: deny
P: /usr/kde/live/share/apps/printer-applet/printer-applet.py
A: /usr/kde/live/share/apps/printer-applet/printer-applet.py
R: /usr/kde/live/share/apps/printer-applet/printer-applet.py
C: chmod a+x /usr/kde/live/share/apps/printer-applet/printer-applet.py
-------------------------------------------------------------------------------

emerge --info:
Portage 2.2_rc30 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.27-gentoo-r8 x86_64)                                                                                       
=================================================================                                     
System uname: Linux-2.6.27-gentoo-r8-x86_64-Intel-R-_Pentium-R-_4_CPU_3.20GHz-with-gentoo-2.0.0       
Timestamp of tree: Sun, 19 Apr 2009 01:45:02 +0000                                                    
ccache version 2.4 [enabled]                                                                          
app-shells/bash:     4.0_p17-r1                                                                       
dev-java/java-config: 2.1.7                                                                           
dev-lang/python:     2.6.2                                                                            
dev-util/ccache:     2.4-r8                                                                           
dev-util/cmake:      2.6.3-r1                                                                         
sys-apps/baselayout: 2.0.0                                                                            
sys-apps/openrc:     0.4.3-r2                                                                         
sys-apps/sandbox:    1.9                                                                              
sys-devel/autoconf:  2.13, 2.63-r1                                                                    
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2                                        
sys-devel/binutils:  2.19.1-r1                                                                        
sys-devel/gcc-config: 1.4.1                                                                           
sys-devel/libtool:   2.2.6a                                                                           
virtual/os-headers:  2.6.28-r1                                                                        
ACCEPT_KEYWORDS="amd64 ~amd64"                                                                        
CBUILD="x86_64-pc-linux-gnu"                                                                          
CFLAGS="-march=nocona -O2 -pipe -msse3 -ftree-vectorize"                                              
CHOST="x86_64-pc-linux-gnu"                                                                           
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/live/env /usr/kde/live/share/config /usr/kde/live/shutdown /usr/share/config"                                
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"      
CXXFLAGS="-march=nocona -O2 -pipe -msse3 -ftree-vectorize"                                            
DISTDIR="/usr/portage/distfiles"                                                                      
FEATURES="ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"                
GENTOO_MIRRORS="http://ftp.vectranet.pl/gentoo http://distro.ibiblio.org/pub/linux/distributions/gentoo"                                                                                                    
LANG="pl_PL.utf8"                                                                                     
LC_ALL="pl_PL.utf8"                                                                                   
LDFLAGS="-Wl,--as-needed"                                                                             
MAKEOPTS="-j3"                                                                                        
PKGDIR="/usr/portage/packages"                                                                        
PORTAGE_CONFIGROOT="/"                                                                                
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"              
PORTAGE_TMPDIR="/var/tmp"                                                                             
PORTDIR="/usr/portage"                                                                                
PORTDIR_OVERLAY="/usr/local/portage/kde-testing /usr/local/portage/qting-edge /usr/local/portage/new-gcj-overlay /usr/local/portage/reavertm"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip X a52 aac accessibility ace acpi additions alsa amd64 archive autoipd bash-completion bittorrent branding bzip2 cdaudio cddb chm cli clucene colordiff cracklib crypt cups curl dbus designer-plugin dirac divx dri dv dvd dvdr dvdread dynamic exif exiv2 ffmpeg flac fontconfig ftp gadu gd gif glibc-omitfp gnokii gphoto2 hal history iconv inotify isdnlog java6 javascript jpeg kde kdeenablefinal kdehiddenvisibility kdeprefix kdexdeltas kickoff libgadu lm_sensors lzma lzo mad mbox midi mng mp3 mplayermudflap ncurses no-net2 nolvm1 nonfsv4 nptl nptlonly nsplugin ogg openmp pam pch pcre pdf pg-intdatetime plasma png pppd qt-copy qt3support quicktime rar rdesktop readline reiserfs rtc session sha512 smssndfile sockets spell spl srt sse sse2 ssl svg symlink sysfs theora threads threadsonly tiff toolkit-scroll-bars truetype unicode urandom usb utempter vhosts vnc vorbis webkit x264 xattr xcomposite xorg xpm xscreensaver xv xvid xvmc zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87xca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rateroute share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd  authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile     authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd     deflate dir disk_cache env expires ext_filter file_cache filter headers ident     imagemap include info log_config logio mem_cache mime mime_magicnegotiation     proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so     speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 8 SpanKY gentoo-dev

2009-04-20 04:58:13 UTC

file a new bug

Comment 9 Tristan Heaven (RETIRED) gentoo-dev

2009-11-29 02:10:04 UTC

*** Bug 253366 has been marked as a duplicate of this bug. ***