| Summary: | www-servers/apache-2.2.25: configure: error: Did not find pcre-config script at ${T}/pcre-config when TPE is turned on in the kernel | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | ivion |
| Component: | [OLD] Server | Assignee: | Patrick Lauer <patrick> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | jaak, laen, polynomial-c |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | AMD64 | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=519566 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: |
Build.log of www-servers/apache-2.2.25
Config.log of www-servers/apache-2.2.25 emerge --info emerge apache --debug |
||
|
Description
ivion
2014-02-10 20:05:36 UTC
Created attachment 370082 [details]
Build.log of www-servers/apache-2.2.25
Created attachment 370086 [details]
Config.log of www-servers/apache-2.2.25
Created attachment 370088 [details]
emerge --info
make sure your tree is fully synced. then run: emerge apache --debug >& log and attach that log file here Created attachment 370158 [details]
emerge apache --debug
do you have TPE turned on in your kernel ? if so, you need to adjust your settings to allow this. there's nothing wrong with executing files out of $T. (In reply to SpanKY from comment #6) > do you have TPE turned on in your kernel ? if so, you need to adjust your > settings to allow this. there's nothing wrong with executing files out of > $T. I do have TPE turned on in my kernel, after switching it off apache compiles without any issue. But this is strange, since nothing in the kernel help indicates that either CONFIG_GRKERNSEC_TPE or CONFIG_GRKERNSEC_TPE_ALL would do anything to restrict what root can't and can execute. And since I'm compiling apache as root I shouldn't be subject to TPE's restrictions, right? I would greatly appreciate it if you could give me some insight into how TPE is preventing apache from being built, since it's the only package so far that didn't want to work with TPE. (In reply to ivion from comment #7) if you read `dmesg`, it'll note the exact reason for the failure added a sanity check to the eclass so the failure isn't so obtuse: http://sources.gentoo.org/eclass/apache-2.eclass?r1=1.34&r2=1.35 The problem here is that emerge is dropping down to running the build as user "portage" since 2.2, which will become restricted by TPE. In contrast to what comment #6 says, it is a problem to allow executing stuff in directories anyone can write to, and that is $T. A work-around for the moment is to emerge apache with FEATURES="-userpriv" so it runs the build as user "root". The obvious and correct fix is, however, to sanitize what the build script does: The directory which pcre-config is running in needs to have exclusive write permissions to the portage user only (no g+w, no a+w). vweb004 temp # pwd && ls -ald . pcre-config /var/tmp/portage/www-servers/apache-2.2.25/temp drwxrwxr-x 3 portage portage 4096 15. Feb 12:20 . -rwxrwxr-x 1 portage portage 93 15. Feb 12:20 pcre-config ^ +---- This is the problem You also need to add user "portage" to group 10 (or whatever was configured in grsec, usually that's "wheel") to make it a trusted user for TPE if you are using restricted mode (that's default) instead of permissive. So I'd vote for this request to be neither resolved nor invalid. (In reply to Kai Krakow from comment #9) > So I'd vote for this request to be neither resolved nor invalid. I second that. Apache used to emerge without problems, and suddenly in 2014 this issue comes out of the blue. I don't remember changing any TPE settings from when it last emerged properly. Nor would I want to change the settings. I guess this issue arose since http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/apache-2.eclass?r1=1.33&r2=1.34 My current non-educated suggestion is to do one of the following: * make ${T} non-group-writeable, or * create the pcre-config script somewhere under ${WORKDIR} or ${GENTOO_PATCHDIR} instead, which are only user-writeable. This way users don't have to loosen their security settings just to get apache installed. If not for security implications, please do it to keep Gentoo users from bumping into this issue and angering them. :) (In reply to SpanKY from comment #8) > if you read `dmesg`, it'll note the exact reason for the failure > > added a sanity check to the eclass so the failure isn't so obtuse: > http://sources.gentoo.org/eclass/apache-2.eclass?r1=1.34&r2=1.35 Do I get this right, that the appropriate solution for the user would be to 1) rebuild the kernel with disable TPE 2) reboot with the new kernel 3) emerge apache / apache-tools 4) boot back to the old kernel with TPE ? For me, changing the apache-2.eclass and apache-tools ebuilds to create pcre-config instead in "${WORKDIR}"/t/ which is created with mode 700, did the trick.
I found a simpler workaround a few days ago. Just use FEATURES="-userpriv" to emerge apache. This way portage does not drop the root privileges and TPE won't be triggered. FEATURES="-userpriv" emerge apache (In reply to Jaak Ristioja from comment #13) > I found a simpler workaround a few days ago. Just use FEATURES="-userpriv" > to emerge apache. This way portage does not drop the root privileges and TPE > won't be triggered. > > FEATURES="-userpriv" emerge apache Sorry for the spam, I didn't see bug 519566. I know this is old, but I just spent several hours trying to upgrade Apache to this version and it might help someone else.
The line "if ! "${T}"/pcre-config --help >/dev/null ; then" in /usr/portage/eclass/apache-2.eclass was a false positive as I don't have TPE enabled in the Kernel, nor any mount issues.
I edited the eclass to see what ${T}"/pcre-config --help was doing, it said it was an issue with line 3 and that pkg-config was missing.
In the end it was solved by either updating dev-util/pkgconfig or sys-libs/glibc not sure what fixed it as I ran them together.
|
