Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 115651 - sandbox: whitelist /dev/stderr, stdin, stdout
Summary: sandbox: whitelist /dev/stderr, stdin, stdout
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Portage team
URL: http://forums.gentoo.org/viewtopic-t-...
Whiteboard:
Keywords:
Depends on:
Blocks: 115839
  Show dependency tree
 
Reported: 2005-12-15 06:09 UTC by Ed Catmur
Modified: 2024-01-26 12:13 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ed Catmur 2005-12-15 06:09:35 UTC
As well as the linked URL, there have on the forums been sporadic instances of
ebuilds borking with sandbox vios on /dev/stderr. It's difficult to tell what is
trying to write to /dev/stderr, but adding addwrite /dev/stderr to
/etc/portage/bashrc lets the ebuild complete, suggesting it can't be anything
important.

I suggest sandbox should whitelist /dev/std{in,out,err}. It can't hurt, right?
Comment 1 SpanKY gentoo-dev 2005-12-15 06:50:38 UTC
it isnt sporadic at all, everyone who is seeing /dev/stderr sandbox
errors have not updated their portage tree, the bug has been fixed in
the eclass already
Comment 2 Zac Medico gentoo-dev 2005-12-15 10:16:58 UTC
When I was troubleshooting bug 115434 I noticed that redirection to /dev/stderr
(flag-o-matic.eclass, for example) results in "Permission denied" errors when
FEATURES="userpriv" is enabled (not because of sandbox, but because of dropped
privileges.

This leads me to wonder why flag-o-matic.eclass doesn't use >&2 instead of
>/dev/stderr, since >&2 seems to work with with dropped privileges while
>/dev/stderr does not.
Comment 3 Jason Stubbs (RETIRED) gentoo-dev 2005-12-21 07:54:17 UTC
Apparently there's some kernel magic that redirects /dev/std{in,out,err}.. I kind of wonder what's there when those files are closed. Someone more knowledgeable than me: are these safe to add for the general case?
Comment 4 SpanKY gentoo-dev 2005-12-21 07:57:52 UTC
yes
Comment 5 Jason Stubbs (RETIRED) gentoo-dev 2005-12-21 08:10:32 UTC
Done. :)
Comment 6 Jason Stubbs (RETIRED) gentoo-dev 2005-12-25 00:09:17 UTC
Released in 2.1_pre2.