| Summary: | media-video/ffmpeg-1.0.7 can't install ffmpeg due to grsec restrictions | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Marcin Mirosław <bug> |
| Component: | Hardened | Assignee: | Gentoo Media-video project <media-video> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hardened, norman.shulman, quantheory |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=519566 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Marcin Mirosław
2012-10-09 14:52:20 UTC
Sorry for the delay in responding. Take a look at http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml

TPE is causing the issue, but since this is a build time issue, it may be possible for the ebuild/build system to remove world writeable permissions and get past this. Although the world writeable directory is ephemeral (gone once emerge is done), there is no way to whitelist for TPE. Turning off TPE globally is wrong since it means relaxing an important security feature. I'll pass this along to media-video@

In recent versions, if you have FEATURES="userpriv", I think you get essentially the same problem, except that it's caught with a nicer error message in the configure stage.
>>> Configuring source in /var/tmp/portage/media-video/ffmpeg-0.10.7/work/ffmpeg-0.10.7 ...
Unable to create and execute files in /var/tmp/portage/media-video/ffmpeg-0.10.7/temp. Set the TMPDIR environment
variable to another directory and make sure that it is not mounted noexec.
Sanity test failed
I'm pretty clueless about this aspect of portage, but it looks like the choices here would be to use a temporary directory in "work" instead of "temp", making "temp" not group-writeable, or creating a subdirectory in "temp" that's not group-writeable.
*** Bug 491582 has been marked as a duplicate of this bug. ***

This bug should be solved by the fix in bug #519566.

This should be fixed now with portage-2.2.15. Can you test the original issue and reopen if it's still a problem?
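
One way to re-test the condition discussed in this thread, as an added example that is not Portage or ffmpeg code: the script flags a build temp directory that is group- or world-writable, then repeats the create-and-execute probe that the configure error describes. It assumes GNU stat and mktemp; the function names are hypothetical, and the mode check only approximates what TPE enforces in the kernel.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat and mktemp.

# Return 0 if DIR has the group- or world-write bit set, the property the
# thread identifies as the reason TPE refuses to execute files there.
is_loosely_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Return 0 if a file can be created and then executed inside DIR: the same
# kind of sanity test whose failure message is quoted in the thread.
can_exec_in() {
    probe=$(mktemp "$1/exec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    if "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

# check_build_tmp DIR
#   0: not group/world-writable, and files execute
#   1: group- or world-writable
#   2: files cannot be created and executed (noexec mount, TPE denial, ...)
check_build_tmp() {
    if is_loosely_writable "$1"; then
        echo "$1: group- or world-writable (mode $(stat -c '%a' "$1"))"
        return 1
    fi
    if ! can_exec_in "$1"; then
        echo "$1: cannot create and execute files here"
        return 2
    fi
    echo "$1: ok"
    return 0
}

# Check every directory named on the command line, for example the "temp"
# directory from the configure error message.
for dir in "$@"; do
    check_build_tmp "$dir" || true
done
```

On a kernel with TPE enabled, run it as the same user the build runs as, since the execute probe is subject to the policy applied to the calling user.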