
Bug 883799

Summary: dev-util/ccache-4.7.4: tries to write to /run for temporary files
Product: Gentoo Linux
Reporter: Sam James <sam>
Component: Current packages
Assignee: Gentoo Toolchain Maintainers <toolchain>
Status: RESOLVED FIXED
Severity: normal
CC: dan, matthew
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=837362
https://bugs.gentoo.org/show_bug.cgi?id=837380
https://bugs.gentoo.org/show_bug.cgi?id=887019
Runtime testing required: ---
Attachments: sandbox.log

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 02:25:29 UTC
```
>>> Configuring source in /var/tmp/portage/app-admin/ccze-0.2.1-r4/work/ccze-0.2.1 ...
 * econf: updating ccze-0.2.1/config.guess with /usr/share/gnuconfig/config.guess
 * econf: updating ccze-0.2.1/config.sub with /usr/share/gnuconfig/config.sub
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/ccze-0.2.1-r4 --htmldir=/usr/share/doc/ccze-0.2.1-r4/html --libdir=/usr/lib64
configure: loading site script /usr/share/config.site
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for x86_64-pc-linux-gnu-cc... x86_64-pc-linux-gnu-gcc
checking for x86_64-pc-linux-gnu-gcc... (cached) x86_64-pc-linux-gnu-gcc
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
checking whether the C compiler works...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for C compiler default output file name... a.out
checking for suffix of executables...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp

checking whether we are cross compiling...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
no
checking for suffix of object files...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
o
checking whether the compiler supports GNU C...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for x86_64-pc-linux-gnu-gcc option to enable C11 features...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
none needed
checking whether we are using GCC 3...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
no
checking how to run the C preprocessor...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
x86_64-pc-linux-gnu-gcc -E
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
checking for a BSD-compatible install... /usr/lib/portage/python3.11/ebuild-helpers/xattr/install -c
checking for stdio.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for stdlib.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for string.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for inttypes.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for stdint.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strings.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for sys/stat.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for sys/types.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for unistd.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for grep that handles long lines and -e... /usr/sbin/grep
checking for egrep... /usr/sbin/grep -E
checking for dirent.h that defines DIR...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for library containing opendir...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
none required
checking for argp.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getopt.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for netdb.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for fcntl.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for stddef.h...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for an ANSI C-conforming const...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for working volatile...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for size_t...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking return type of signal handlers...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
void
checking for GNU libc compatible malloc...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for GNU libc compatible realloc...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strftime...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking whether lstat correctly handles trailing slash...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking whether stat accepts an empty string...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
no
checking for working memcmp...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for vprintf...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking whether closedir returns void...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
no
checking for alphasort...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for argp_parse...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for asprintf...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getdelim...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getline...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getopt_long...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getsubopt...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for memchr...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for memset...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for scandir...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strcasecmp...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strchr...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strdup...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strndup...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for strstr...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for initscr in -lncurses...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for library containing stdscr...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
 * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
-ltinfo
checking for dlopen...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
yes
checking for getopt_long... (cached) yes
checking for pcre-config... /usr/sbin/pcre-config
checking for PCRE... found
checking for suboptarg...  * ACCESS DENIED:  mkdir:         /run/user/1000/ccache-tmp
no
configure: creating ./config.status
config.status: creating Rules.mk
config.status: WARNING:  'Rules.mk.in' seems to ignore the --datarootdir setting
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating testsuite/Makefile
config.status: creating system.h
>>> Source configured.
 * ----------------------- SANDBOX ACCESS VIOLATION SUMMARY -----------------------
 * LOG FILE: "/var/tmp/portage/app-admin/ccze-0.2.1-r4/temp/sandbox.log"
 *
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /run/user/1000/ccache-tmp
A: /run/user/1000/ccache-tmp
R: /run/user/1000/ccache-tmp
C: x86_64-pc-linux-gnu-gcc --version
```
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 02:26:03 UTC
Created attachment 838641: sandbox.log
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 02:34:04 UTC
Note this isn't as severe as before or anything, because it won't affect Portage runs, just cases where you have XDG_RUNTIME_DIR set.

It may work to just check if /run/user/blah is writable first?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 02:34:47 UTC
(In reply to Sam James from comment #2)
> Note this isn't as severe as before or anything, because it won't affect
> Portage runs, just cases where you have XDG_RUNTIME_DIR set.
> 
> It may work to just check if /run/user/blah is writable first?

Or maybe Portage should forcefully set CCACHE_TEMPDIR to PORTAGE_TMPDIR.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 02:57:17 UTC
(After https://github.com/ccache/ccache/commit/876509ae8b95f76adebdfa1f2380d75a49f9871d landed in 4.7.4, we thought maybe things were fine now and dropped our own patch to force usage of /tmp, but we still need to force /tmp as /run/user might exist but not be writable because of sandbox.)

I'm not sure if ccache is properly respecting CCACHE_TEMPDIR, as both setting CCACHE_TEMPDIR in the environment, as well as this Portage patch do nothing to help(!):
```
--- a/bin/ebuild.sh
+++ b/bin/ebuild.sh
@@ -713,6 +713,13 @@ if ! has "${EBUILD_PHASE}" clean cleanrm ; then
                                        addwrite "${CCACHE_DIR}"
                                fi

+                               if [[ -z ${CCACHE_TEMPDIR} ]] ; then
+                                       export CCACHE_TEMPDIR="${PORTAGE_TMPDIR}"/ccache-tmp
+                               fi
+
+                               addread "${CCACHE_TEMPDIR}"
+                               addwrite "${CCACHE_TEMPDIR}"
+
                                [[ -n ${CCACHE_SIZE} ]] && ccache -M ${CCACHE_SIZE} &> /dev/null
                        fi
                fi
```
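Review bot: the `[[ -z ${CCACHE_TEMPDIR} ]]` guard keeps any value already exported in the environment, and the `addread`/`addwrite` lines that follow then open the sandbox for that inherited path, whatever it points to. Consider assigning `CCACHE_TEMPDIR="${PORTAGE_TMPDIR}"/ccache-tmp` unconditionally, or checking that an inherited value lies under `${PORTAGE_TMPDIR}` before the `addwrite`, so the sandbox write list only grows by a path Portage controls. A one-line comment above the new block saying why the temp directory is pinned would also help the next reader of ebuild.sh.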
Comment 5 Martin Väth 2022-12-01 06:16:49 UTC
(In reply to Sam James from comment #3)
> (In reply to Sam James from comment #2)
> > Note this isn't as severe as before or anything, because it won't affect
> > Portage runs, just cases where you have XDG_RUNTIME_DIR set.
> > 
> > It may work to just check if /run/user/blah is writable first?
> 
> Or maybe Portage should forcefully set CCACHE_TEMPDIR to PORTAGE_TMPDIR.

This won't help.

If XDG_RUNTIME_DIR is set, ccache generates $XDG_RUNTIME_DIR/ccache-tmp and uses it as the default, and only afterwards ccache checks whether this default is overridden.

IMHO, this is a bug in ccache: An actually unused directory should not be created unnecessarily.

Also, setting CCACHE_TEMPDIR to PORTAGE_TMPDIR is a bad idea:
The original default <cache_dir>/tmp makes much more sense, and there is no reason to change this independently of whether XDG_RUNTIME_DIR is set.
I patched this conditional undesirable behavior for set XDG_RUNTIME_DIR out.
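
A small model of the ordering described in comment 5 above, added here as an illustration; it is not ccache's or Portage's code. The `Sandbox` class, the two `resolve_*` functions and the paths in `ENV` and `WRITABLE` are assumptions constructed for the example; it shows why exporting CCACHE_TEMPDIR does not stop the denied `mkdir` when the default directory is created before the override is read.

```python
from pathlib import PurePosixPath

class Sandbox:
    """Toy write-prefix sandbox (assumption): records allowed and denied mkdir calls."""
    def __init__(self, *write_prefixes):
        self.prefixes = [PurePosixPath(p) for p in write_prefixes]
        self.created, self.denied = [], []

    def mkdir(self, path):
        p = PurePosixPath(path)
        ok = any(p == w or w in p.parents for w in self.prefixes)
        (self.created if ok else self.denied).append(str(p))
        return ok

def resolve_eager(env, cache_dir, sandbox):
    """Order described in comment 5: create the XDG default, then read the override."""
    temp_dir = f"{cache_dir}/tmp"
    xdg = env.get("XDG_RUNTIME_DIR")
    if xdg and sandbox.mkdir(f"{xdg}/ccache-tmp"):  # side effect comes first
        temp_dir = f"{xdg}/ccache-tmp"
    temp_dir = env.get("CCACHE_TEMPDIR") or temp_dir  # override applied too late
    sandbox.mkdir(temp_dir)
    return temp_dir

def resolve_lazy(env, cache_dir, sandbox):
    """Decide the path first; touch the filesystem only for the directory in use."""
    temp_dir = env.get("CCACHE_TEMPDIR")
    if not temp_dir:
        xdg = env.get("XDG_RUNTIME_DIR")
        if xdg and sandbox.mkdir(f"{xdg}/ccache-tmp"):
            return f"{xdg}/ccache-tmp"
        temp_dir = f"{cache_dir}/tmp"
    sandbox.mkdir(temp_dir)
    return temp_dir

# Constructed environment mirroring the report: uid 1000 runtime dir, Portage tmpdir.
ENV = {"XDG_RUNTIME_DIR": "/run/user/1000",
       "CCACHE_TEMPDIR": "/var/tmp/portage/ccache-tmp"}
WRITABLE = ("/var/tmp/portage", "/var/cache/ccache")

def run(resolver, env=ENV):
    """Return (chosen temp dir, list of mkdir calls the sandbox denied)."""
    sb = Sandbox(*WRITABLE)
    return resolver(env, "/var/cache/ccache", sb), sb.denied

if __name__ == "__main__":
    for r in (resolve_eager, resolve_lazy):
        print(r.__name__, *run(r))
```

Both orderings end up using the same directory; only the eager one produces a sandbox violation, which matches the log in the description where every compiler invocation triggers one denied `mkdir`.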
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 06:31:20 UTC
(In reply to Martin Väth from comment #5)
> (In reply to Sam James from comment #3)
> > (In reply to Sam James from comment #2)
> > > Note this isn't as severe as before or anything, because it won't affect
> > > Portage runs, just cases where you have XDG_RUNTIME_DIR set.
> > > 
> > > It may work to just check if /run/user/blah is writable first?
> > 
> > Or maybe Portage should forcefully set CCACHE_TEMPDIR to PORTAGE_TMPDIR.
> 
> This won't help.
> 
> If XDG_RUNTIME_DIR is set, ccache generates $XDG_RUNTIME_DIR/ccache-tmp and
> uses it as the default, and only afterwards ccache checks whether this
> default is overridden.
> 

Well, I did note that it doesn't actually work in the comment underneath :)

It should work, but it doesn't, I think.

> IMHO, this is a bug in ccache: An actually unused directory should not be
> created unnecessarily.
> 
> Also, setting CCACHE_TEMPDIR to PORTAGE_TMPDIR is a bad idea:
> The original default <cache_dir>/tmp makes much more sense, and there is no
> reason to change this independently of whether XDG_RUNTIME_DIR is set.
> I patched this conditional undesirable behavior for set XDG_RUNTIME_DIR out.

I agree the original makes more sense, yes - I don't really understand the value in using XDG_RUNTIME_DIR like this at all.
Comment 7 Larry the Git Cow gentoo-dev 2022-12-28 09:14:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e37542842e9e85c5f6d739803c6286514a3c6fb

commit 8e37542842e9e85c5f6d739803c6286514a3c6fb
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2022-12-28 09:11:34 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2022-12-28 09:14:41 +0000

    games-arcade/blobwars: update EAPI 6 -> 8
    
    As a side effect it also avoids bug #883799
    
    Bug: https://bugs.gentoo.org/883799
    Bug: https://bugs.gentoo.org/887019
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 games-arcade/blobwars/blobwars-2.00-r1.ebuild | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
Comment 8 Zdenek Sojka 2023-02-03 17:00:58 UTC
Packages where I am observing this issue, on stable amd64:

sys-apps/msr-tools-1.3
sys-process/dcron-4.5-r2

And out-of-tree www-client/palemoon::palemoon
Comment 9 Larry the Git Cow gentoo-dev 2023-05-17 04:01:32 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=257fc52ad8a0d9fa867ed72b9e714dfe5f478555

commit 257fc52ad8a0d9fa867ed72b9e714dfe5f478555
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-17 04:00:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-17 04:01:22 +0000

    dev-util/ccache: avoid /run usage (again)
    
    Closes: https://bugs.gentoo.org/883799
    Closes: https://bugs.gentoo.org/887019
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/ccache/ccache-4.8-r2.ebuild               | 130 +++++++++++++++++++++
 .../ccache/files/ccache-4.8-avoid-run-user.patch   |  34 ++++++
 2 files changed, 164 insertions(+)