
Bug 839894

Summary: dev-lang/php-8.1.5 - sandbox issue
Product: Gentoo Linux
Reporter: Toralf Förster <toralf>
Component: Current packages
Assignee: PHP Bugs <php-bugs>
Status: CONFIRMED
Severity: normal
CC: mjo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 839747    
Attachments: emerge-info.txt
dev-lang:php-8.1.5:20220421-114313.log.bz2
emerge-history.txt
etc.portage.tar.bz2
logs.tar.bz2

Description Toralf Förster gentoo-dev 2022-04-21 12:30:23 UTC
head: cannot open '/var/tmp/portage/dev-lang/php-8.1.5/temp/sandbox.log' for reading: No such file or directory

  -------------------------------------------------------------------

  This is an unstable amd64 chroot image at a tinderbox (==build bot)
  name: 17.1_desktop-j4_test-20220420-221025

  -------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-12.0.1 *
clang/llvm (if any):
/usr/lib/llvm/14
14.0.1
Python 3.9.12
Available Ruby profiles:
  [1]   ruby26 (with Rubygems)
  [2]   ruby27 (with Rubygems)
  [3]   ruby31 (with Rubygems) *
Available Rust versions:
  [1]   rust-bin-1.60.0 *
The Glorious Glasgow Haskell Compilation System, version 8.10.4
php cli:
  (none found)

  HEAD of ::gentoo
commit d015204d8f19820087d675022376468c5d515c55
Author: Repository mirror & CI <repomirrorci@gentoo.org>
Date:   Thu Apr 21 10:53:55 2022 +0000

    2022-04-21 10:53:54 UTC

emerge -qpvO dev-lang/php
[ebuild  N    ] dev-lang/php-8.1.5  USE="acl bzip2 cli ctype fileinfo filter flatfile gdbm iconv ipv6 jit nls opcache phar posix readline session simplexml spell ssl test tokenizer unicode xml zlib -apache2 -apparmor -argon2 -bcmath -berkdb -calendar -cdb -cgi -cjk -coverage -curl -debug -embed -enchant -exif -ffi -firebird -fpm -ftp -gd -gmp -imap -inifile -intl -iodbc -kerberos -ldap -ldap-sasl -libedit -lmdb -mhash -mssql -mysql -mysqli -oci8-instant-client -odbc -pcntl -pdo -phpdbg -postgres -qdbm (-selinux) -session-mm -sharedmem -snmp -soap -sockets -sodium -sqlite -systemd -sysvipc -threads -tidy -tokyocabinet -truetype -webp -xmlreader -xmlwriter -xpm -xslt -zip"
Comment 1 Toralf Förster gentoo-dev 2022-04-21 12:30:24 UTC
Created attachment 772613
emerge-info.txt
Comment 2 Toralf Förster gentoo-dev 2022-04-21 12:30:26 UTC
Created attachment 772616
dev-lang:php-8.1.5:20220421-114313.log.bz2
Comment 3 Toralf Förster gentoo-dev 2022-04-21 12:30:27 UTC
Created attachment 772619
emerge-history.txt
Comment 4 Toralf Förster gentoo-dev 2022-04-21 12:30:28 UTC
Created attachment 772622
etc.portage.tar.bz2
Comment 5 Toralf Förster gentoo-dev 2022-04-21 12:30:30 UTC
Created attachment 772625
logs.tar.bz2
Comment 6 Mike Gilbert gentoo-dev 2022-04-23 00:05:51 UTC
 * ----------------------- SANDBOX ACCESS VIOLATION SUMMARY -----------------------
 * LOG FILE: "/var/tmp/portage/dev-lang/php-8.1.5/temp/sandbox.log"
 * 
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: chmod
S: deny
P: /etc/passwd
A: /etc/passwd
R: /etc/passwd
C: /var/tmp/portage/dev-lang/php-8.1.5/work/sapis-build/cli/sapi/cli/php -n -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=0 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d serialize_precision=-1 -d memory_limit=128M -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d opcache.revalidate_freq=0 -d opcache.jit_hot_loop=1 -d opcache.jit_hot_func=1 -d opcache.jit_hot_return=1 -d opcache.jit_hot_side_exit=1 -d zend.assertions=1 -d zend.exception_ignore_args=0 -d zend.exception_string_param_max_len=15 -d short_open_tag=0 -d session.save_path=/var/tmp/portage/dev-lang/php-8.1.5/temp -d session.auto_start=0 -d zlib.output_compression=Off -f /var/tmp/portage/dev-lang/php-8.1.5/work/php-8.1.5/ext/standard/tests/file/006_error.php 

F: chmod
S: deny
P: /etc
A: /etc
R: /etc
C: /var/tmp/portage/dev-lang/php-8.1.5/work/sapis-build/cli/sapi/cli/php -n -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=0 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d serialize_precision=-1 -d memory_limit=128M -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d opcache.revalidate_freq=0 -d opcache.jit_hot_loop=1 -d opcache.jit_hot_func=1 -d opcache.jit_hot_return=1 -d opcache.jit_hot_side_exit=1 -d zend.assertions=1 -d zend.exception_ignore_args=0 -d zend.exception_string_param_max_len=15 -d short_open_tag=0 -d session.save_path=/var/tmp/portage/dev-lang/php-8.1.5/temp -d session.auto_start=0 -d zlib.output_compression=Off -f /var/tmp/portage/dev-lang/php-8.1.5/work/php-8.1.5/ext/standard/tests/file/006_error.php 

F: mkdir
S: deny
P: testtmpskipifdir
A: /testtmpskipifdir
R: /testtmpskipifdir
C: /var/tmp/portage/dev-lang/php-8.1.5/work/sapis-build/cli/sapi/cli/php -n -q -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=0 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d serialize_precision=-1 -d memory_limit=128M -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d opcache.revalidate_freq=0 -d opcache.jit_hot_loop=1 -d opcache.jit_hot_func=1 -d opcache.jit_hot_return=1 -d opcache.jit_hot_side_exit=1 -d zend.assertions=1 -d zend.exception_ignore_args=0 -d zend.exception_string_param_max_len=15 -d short_open_tag=0 -d session.save_path=/var/tmp/portage/dev-lang/php-8.1.5/temp -d session.auto_start=0 -d zlib.output_compression=Off -d opcache.file_cache= -d opcache.file_cache_only=0 -d display_errors=1 -d display_startup_errors=0 /var/tmp/portage/dev-lang/php-8.1.5/work/php-8.1.5/ext/standard/tests/file/chroot_001.skip.php 

F: mkdir
S: deny
P: testtmpskipifdir
A: /testtmpskipifdir
R: /testtmpskipifdir
C: /var/tmp/portage/dev-lang/php-8.1.5/work/sapis-build/cli/sapi/cli/php -n -q -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=0 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d serialize_precision=-1 -d memory_limit=128M -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d opcache.revalidate_freq=0 -d opcache.jit_hot_loop=1 -d opcache.jit_hot_func=1 -d opcache.jit_hot_return=1 -d opcache.jit_hot_side_exit=1 -d zend.assertions=1 -d zend.exception_ignore_args=0 -d zend.exception_string_param_max_len=15 -d short_open_tag=0 -d session.save_path=/var/tmp/portage/dev-lang/php-8.1.5/temp -d session.auto_start=0 -d zlib.output_compression=Off -d opcache.file_cache= -d opcache.file_cache_only=0 -d display_errors=1 -d display_startup_errors=0 /var/tmp/portage/dev-lang/php-8.1.5/work/php-8.1.5/ext/standard/tests/file/mkdir-004.skip.php 
 * --------------------------------------------------------------------------------
Comment 7 Michael Orlitzky gentoo-dev 2022-11-22 03:07:22 UTC
(I'm not sure why my sandbox isn't complaining about these?)

006_error.phpt tries to make /etc and /etc/passwd world-writable if your uid isn't 0, and expects to fail. This is a security issue (reported upstream), and not really something we should be trying to do in the first place.

chroot_001.phpt is only supposed to run if you're root, but the check to see if you're root involves writing to the live filesystem (mkdir /testtmpskipifdir). No one should ever run the test suite as root in the first place, but it would be easy enough to replace that check with something sandbox-friendly.

mkdir-004.phpt is intended to be run as root, but has the same problematic check as chroot_001.phpt. Moreover, if you *are* root, the tests will mess with your filesystem:

  var_dump(mkdir("/testdir/subdir", 0777, true));
  var_dump(rmdir("/testdir/subdir"));
  var_dump(rmdir("/testdir"));

That's bad for all kinds of reasons, and I don't see a way to salvage it.

In short: chroot might be fixed, but the other two can just be deleted. Or all three can be deleted.
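
Added example (not part of the bug report or of Portage/sandbox): a small parser for the sandbox.log record format quoted in comment 6 that groups denied calls by the test script that triggered them, which is the mapping comment 7 works out by hand. It assumes the script is the last argument on the `C:` line, as in the log above; the sample log is constructed, with shortened command lines and a placeholder `/work/` prefix.

```python
import re
from collections import defaultdict

# Constructed sample in the record format shown in comment 6.
# Command lines are shortened and "/work/" is a placeholder prefix.
SAMPLE_LOG = """\
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status

F: chmod
S: deny
P: /etc/passwd
A: /etc/passwd
R: /etc/passwd
C: /work/php -n -d memory_limit=128M -f /work/tests/file/006_error.php

F: mkdir
S: deny
P: testtmpskipifdir
A: /testtmpskipifdir
R: /testtmpskipifdir
C: /work/php -n -q -d display_errors=1 /work/tests/file/chroot_001.skip.php
"""

# One-letter field tags; "FORMAT:" and "VERSION" header lines do not match.
FIELD = re.compile(r"^([FSPARC]): (.*)$")

def parse_records(text):
    """Yield one dict per violation record; blank lines separate records."""
    record = {}
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if m:
            record[m.group(1)] = m.group(2)
        elif not line.strip() and record:
            yield record
            record = {}
    if record:
        yield record

def denials_by_script(text):
    """Map each script (assumed last argv token) to its denied (call, path) pairs."""
    out = defaultdict(set)
    for rec in parse_records(text):
        if rec.get("S") != "deny" or "C" not in rec:
            continue
        script = rec["C"].split()[-1].rsplit("/", 1)[-1]
        out[script].add((rec.get("F"), rec.get("R")))
    return dict(out)
```
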
Comment 8 Michael Orlitzky gentoo-dev 2022-11-22 14:30:54 UTC
NB: it looks like the EXPECTED_TEST_FAILURES stuff in our ebuilds is obsolete -- the variable is never defined.
Comment 9 Michael Orlitzky gentoo-dev 2024-03-01 17:16:14 UTC
These are all hopefully fixed by https://github.com/php/php-src/pull/13566/

I don't know for sure that the chroot() test will work as expected in our sandbox, but the pre-check that writes to the root filesystem is now gone. I have high hopes.