| Field | Value |
|---|---|
| Summary | sys-apps/portage-2.2.x with sys-kernel/hardened-sources stops working due to: file in group-writable directory of /var/tmp/portage/sys-apps/portage-2.2.1/homedir/ffiguwHOM |
| Product | Portage Development |
| Reporter | Marcin Mirosław |
| Component | Core |
| Assignee | Portage team |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | cyberbat83, hardened, infra-bugs, jaak, jmbsvicetto, klondike, norman.shulman, quantheory, satmd, swift |
| Priority | Normal |
| Version | 2.2 |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=519566 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Marcin Mirosław
2013-09-10 13:16:12 UTC
```
# emerge --info
Portage 2.2.1 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.9.5-hardened x86_64)
=================================================================
System uname: Linux-3.9.5-hardened-x86_64-Intel_Xeon_E312xx_-Sandy_Bridge-with-gentoo-2.2
KiB Mem:      996272 total,    189692 free
KiB Swap:    1048572 total,   1035704 free
Timestamp of tree: Tue, 10 Sep 2013 04:15:01 +0000
ld GNU gold (GNU Binutils 2.23.1) 1.11
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r2, 3.2.5-r2
dev-util/ccache:          3.1.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.12.6
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://gentoo-mirror.in.xxx.pl/gentoo-portage/"
USE="acl acpi amd64 bash-completion caps cli cracklib crypt cxx dri hardened iconv idn ipv6 justify mmx mmxext modules mudflap multilib ncurses nls nptl openmp pax_kernel pcre readline session sse sse2 sse3 ssse3 threads unicode urandom vhosts vim-syntax xattr" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python3_2" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="tarpit" USE_PYTHON="3.2"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
```

---

The group writable thing is from the new userpriv and usersandbox FEATURES defaults. You could disable userpriv and usersandbox by adding this to make.conf:

FEATURES="${FEATURES} -userpriv -usersandbox"

---

(In reply to Zac Medico from comment #2)
> The group writable thing is from the new userpriv and usersandbox FEATURES
> defaults. You could disable userpriv and usersandbox by adding this to
> make.conf:
>
> FEATURES="${FEATURES} -userpriv -usersandbox"

Do you have strict TPE on? That might be where you're getting this from:

denied untrusted exec (due to file in group-writable directory)

If so, you can add portage to the wheel group which is the trusted group.

---

Thanks Zac for such an easy workaround, I did it in a little more complicated way :)

Anthony, I'm not sure if I can trust user "portage" enough to add it to the wheel group :) I'm dropping the compilation process from user root to user portage for security. If I add portage (I assume I can't trust this user) to group wheel then user portage can e.g. run sudo. Wouldn't it be a security hole in the "userpriv" engine inside portage? (I'm aware it isn't a big hole)

---

(In reply to Marcin Mirosław from comment #4)
> Wouldn't it be a security hole in the "userpriv" engine inside portage? (I'm aware it isn't a big hole)

Not really, because the portage user is able to build files that are eventually installed and executed by root.
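The denial quoted above is raised because a directory on the executed file's path is writable by its group, which is exactly what the userpriv homedir under /var/tmp/portage is. The script below is an added diagnostic, not code from this bug or from Portage: it walks a path's ancestors, reports the group- or world-writable ones with owner and group, and checks whether a user is in the trusted group. The default path (taken from the summary), the user name portage and the group name wheel are assumptions for the example.

```shell
#!/bin/sh
# Added diagnostic for the grsecurity TPE denial quoted in this bug:
#   denied untrusted exec (due to file in group-writable directory)
# TPE refuses to execute a file for an untrusted user when a directory on the
# file's path is group- or world-writable. With FEATURES=userpriv the build
# runs as user portage in a homedir under /var/tmp/portage that is writable
# by group portage, so anything executed from there (libffi's temp file, for
# instance) trips the check unless portage is in the trusted group (wheel).
# Ownership-based TPE rules are not modelled. Illustration only, not part of
# Portage or of the bug; the default path, user and group are examples.

# Print "<mode> <owner>:<group> <dir>" for every ancestor directory of $1
# (a file or directory; it need not exist) that is group- or other-writable.
tpe_writable_dirs() {
    dir=$1
    [ -d "$dir" ] || dir=$(dirname "$dir")      # start at the containing dir
    while :; do
        if [ -e "$dir" ]; then
            # $1=mode string, $2=owner, $3=group, taken from ls -ld
            set -- $(ls -ld "$dir" | awk '{ print $1, $3, $4 }')
            case $1 in
                ?????w*|????????w*)                 # 'w' in group or other slot
                    printf '%s %s:%s %s\n' "$1" "$2" "$3" "$dir" ;;
            esac
        fi
        case $dir in /|.) break ;; esac             # reached the top
        dir=$(dirname "$dir")
    done
}

# Return 0 if user $1 is a member of group $2 (TPE's trusted gid), else 1.
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Usage: sh tpe_check.sh [path] [user] [trusted_group]
path=${1:-/var/tmp/portage/sys-apps/portage-2.2.1/homedir/ffiguwHOM}  # from the summary
user=${2:-portage}
tgroup=${3:-wheel}
echo "writable directories on the path to $path:"
tpe_writable_dirs "$path"
if in_group "$user" "$tgroup"; then
    echo "$user is in $tgroup: TPE treats it as trusted, exec is allowed"
else
    echo "$user is not in $tgroup: exec from a writable directory is denied"
fi
```

Run it on the affected host as any user; a line for the homedir with mode drwxrwxr-x and group portage is the condition the kernel message refers to.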
---

(In reply to Anthony Basile from comment #3)
> (In reply to Zac Medico from comment #2)
> > The group writable thing is from the new userpriv and usersandbox FEATURES
> > defaults. You could disable userpriv and usersandbox by adding this to
> > make.conf:
> >
> > FEATURES="${FEATURES} -userpriv -usersandbox"
>
> Do you have strict TPE on?

Yes.

> That might be where you're getting this from:
>
> denied untrusted exec (due to file in group-writable directory)
>
> If so, you can add portage to the wheel group which is the trusted group.

Adding portage to world made a world of difference; thanks!

---

So if it's not a potential security hole, the bug can be closed for me. Thanks!

---

(In reply to Marcin Mirosław from comment #7)
> So if it's not a potential security hole, the bug can be closed for me. Thanks!

Well ... this may need documentation because it's going to catch a lot of people. I'm cc-ing our hardened doc people to figure out where to put it. Basically we need to tell our users that if you use TPE then you must add user "portage" to group "wheel" to give it permission to write to a group-writable directory during emerge.

---

Hi, we (Infra) experienced the same issue. We can reproduce it on at least two machines. Both have different Kernel (3.8.2 and 3.5.4, hardened "custom") versions. Both have the same grsec sysctl settings. Both have the same FEATURES. Another server with the same portage version and the same FEATURES, sysctl settings and Kernel (3.8.2) works fine. So there must be another difference between the ~42 working hosts and the (until now) 2 not working hosts. I also tested different sandbox versions. Using -userpriv on the affected systems works, -usersandbox doesn't matter. All portage 2.2.x versions seem to be affected. I'll *try* to debug that further tomorrow.

---

Upgrading libffi (to at least 3.0.11) and rebuilding at least python helps.

FEATURES=-userpriv emerge -1u virtual/libffi
FEATURES=-userpriv emerge @preserved-rebuild
emerge foo

---

This problem has to do with python and libffi one more time. libffi tries to write a temp file to execute: it can't use an RWX mmap, so it makes a temp file and executes that. You need to check what USE flags libffi has and what version, what pax flags the active python has, and whether you have EMUTRAMP enabled in the kernel. The libffi version should be 3.0.13-r1 with USE pax_kernel; Python should have EMUTRAMP enabled.

---

After picking up this bug on the freenode IRC channel, I tried to

---

Sorry,... I only wanted to add myself to CC:... After picking up this bug being mentioned on the freenode IRC channel, I tried to compile portage on my computer (~amd64, non-multilib, hardened) with TPE enabled (enabled for everyone, exemptions only for gid 10), no SELinux or other MAC. My idea was to work around this problem with a stricter umask of 0022. I did not get any error during the build, but I didn't do a test without my umask setting either. I use paludis for package management, thus this workaround should be re-evaluated on a regular Gentoo box with portage as package management to rule out specifics of my own setup.

---

*** Bug 459664 has been marked as a duplicate of this bug. ***

---

There's a related patch attached to bug 519566 that needs testing by users with TPE.

---

This should be fixed now with portage-2.2.15. Can you test the original issue and reopen if it's still a problem.