Bug 295454 - sys-libs/nss-db causes open_wr errors on database files and should be added to SANDBOX_PREDICT
Summary: sys-libs/nss-db causes open_wr errors on database files and should be added t...
Status: RESOLVED WONTFIX
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox
Hardware: All Linux
Importance: High normal
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-02 15:14 UTC by Doug Warner
Modified: 2016-03-04 16:47 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
robbat2: Bugday+


Attachments

Description Doug Warner 2009-12-02 15:14:46 UTC
This seems very similar to bug#92079, but somewhere along the way the config seems to have disappeared.

I've created a file: /etc/sandbox.d/10nss-db
With the following contents:
SANDBOX_PREDICT="/var/db/aliases.db:/var/db/netgroup.db:/var/db/netmasks.db:/var/db/ethers.db:/var/db/rpc.db:/var/db/protocols.db:/var/db/services.db:/var/db/networks.db:/var/db/hosts.db:/var/db/group.db:/var/db/passwd.db"

Without this, I get errors like this when compiling packages (and nsswitch.conf references the db files):
>>> Emerging (4 of 8) dev-lang/ruby-1.8.7_p174-r1
 * ruby-patches-1.8.7_p174.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...            [ ok ]
 * ruby-1.8.7-p174.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                    [ ok ]
 * checking ebuild checksums ;-) ...                                          [ ok ]
 * checking auxfile checksums ;-) ...                                         [ ok ]
 * checking miscfile checksums ;-) ...                                        [ ok ]
>>> Unpacking source...
>>> Unpacking ruby-patches-1.8.7_p174.tar.bz2 to /var/tmp/portage/dev-lang/ruby-1.8.7_p174-r1/work
ACCESS DENIED  open_wr:      /var/db/passwd.db
/var/db/passwd.db: Permission denied
ACCESS DENIED  open_wr:      /var/db/group.db
/var/db/group.db: Permission denied
>>> Unpacking ruby-1.8.7-p174.tar.bz2 to /var/tmp/portage/dev-lang/ruby-1.8.7_p174-r1/work
 * Applying various patches (bugfixes/updates) ...
 *   001_memory_leak.patch ...                                                 [ ok ]
 *   002_mkconfig.patch ...                                                    [ ok ]
 *   003_mkmf-parallel-install.patch ...                                       [ ok ]
 * Done with patching
 * Running eautoreconf in '/var/tmp/portage/dev-lang/ruby-1.8.7_p174-r1/work/ruby-1.8.7-p174' ...
 * Running aclocal ...                                                         [ ok ]
 * Running autoconf ...                                                        [ ok ]
>>> Source unpacked in /var/tmp/portage/dev-lang/ruby-1.8.7_p174-r1/work
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-4224.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /var/db/passwd.db
A: /var/db/passwd.db
R: /var/db/passwd.db
C: tar xof - 

F: open_wr
S: deny
P: /var/db/group.db
A: /var/db/group.db
R: /var/db/group.db
C: tar xof - 
--------------------------------------------------------------------------------


Reproducible: Always

Steps to Reproduce:
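The report above shows two things a maintainer has to correlate by hand: the sandbox ACCESS VIOLATION SUMMARY (one F/S/P/A/R/C record per denied call) and the SANDBOX_PREDICT value that is meant to silence exactly those paths. The following is an added example, not code from sandbox, nss-db or this report, that parses a summary in the format the report documents and lists the denied writes a given SANDBOX_PREDICT value would still not cover. It assumes SANDBOX_PREDICT entries are colon-separated and match a path either exactly or as a directory prefix; the sample summary is copied from the report.

```python
"""Parse a Gentoo sandbox ACCESS VIOLATION SUMMARY and check each denied
write against a SANDBOX_PREDICT value.

Added example for this bug report; not part of sandbox or nss-db.
Assumptions: records follow the F/S/P/A/R/C layout the summary header
documents, one record per blank-line-separated group, and SANDBOX_PREDICT
entries match a path exactly or as a directory prefix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Letter codes as documented by the "FORMAT:" header lines of the summary.
FIELD_NAMES = {"F": "function", "S": "status", "P": "path",
               "A": "abs_path", "R": "canon_path", "C": "command"}

# Sample input taken from the report above (the two tar open_wr denials).
SAMPLE_SUMMARY = """\
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-4224.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /var/db/passwd.db
A: /var/db/passwd.db
R: /var/db/passwd.db
C: tar xof -

F: open_wr
S: deny
P: /var/db/group.db
A: /var/db/group.db
R: /var/db/group.db
C: tar xof -
--------------------------------------------------------------------------------
"""

# The SANDBOX_PREDICT value proposed in the report.
PREDICT = ("/var/db/aliases.db:/var/db/netgroup.db:/var/db/netmasks.db:"
           "/var/db/ethers.db:/var/db/rpc.db:/var/db/protocols.db:"
           "/var/db/services.db:/var/db/networks.db:/var/db/hosts.db:"
           "/var/db/group.db:/var/db/passwd.db")


@dataclass
class Violation:
    function: str = ""
    status: str = ""
    path: str = ""
    abs_path: str = ""
    canon_path: str = ""
    command: str = ""


def parse_summary(text: str) -> list[Violation]:
    """Return one Violation per F/S/P/A/R/C record in the summary text."""
    records: list[Violation] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Only a single letter code followed by ':' is a record field;
        # "FORMAT:", "VERSION" and the dashed rules never match.
        m = re.match(r"^([FSPARC]):\s*(.*)$", line)
        if m:
            current[FIELD_NAMES[m.group(1)]] = m.group(2)
            continue
        if not line and current:  # a blank line closes the record
            records.append(Violation(**current))
            current = {}
    if current:  # record terminated by the closing rule or end of text
        records.append(Violation(**current))
    return records


def parse_predict(value: str) -> list[str]:
    """Split a colon-separated SANDBOX_PREDICT value, dropping empty entries."""
    return [p for p in value.split(":") if p]


def is_predicted(path: str, predict: list[str]) -> bool:
    """Exact match or directory-prefix match (assumed sandbox semantics)."""
    for entry in predict:
        base = entry.rstrip("/")
        if path == entry or path.startswith(base + "/"):
            return True
    return False


def uncovered_writes(summary: str, predict_value: str) -> list[str]:
    """Canonical paths of denied open_wr calls not silenced by predict_value."""
    predict = parse_predict(predict_value)
    return sorted({v.canon_path for v in parse_summary(summary)
                   if v.function == "open_wr" and v.status == "deny"
                   and not is_predicted(v.canon_path, predict)})


if __name__ == "__main__":
    for v in parse_summary(SAMPLE_SUMMARY):
        print(f"{v.status} {v.function} {v.canon_path} (by: {v.command})")
    print("not covered by proposed SANDBOX_PREDICT:",
          uncovered_writes(SAMPLE_SUMMARY, PREDICT))
    print("not covered with no SANDBOX_PREDICT:",
          uncovered_writes(SAMPLE_SUMMARY, ""))
```

Running it against the report's own summary shows that the proposed value covers both denied paths, while an empty value leaves /var/db/group.db and /var/db/passwd.db uncovered. Note that this only silences the violation; as the later comments point out, the underlying fix is for the library to stop requesting write access it does not need.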
Comment 1 SpanKY gentoo-dev 2009-12-02 22:10:16 UTC
sandbox is not catering to stupid apps any longer

nss-db should be fixed to stop opening these files with write perms when they aren't needed.  If it isn't, then that ebuild can take care of adding a sandbox.d file.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-12-03 02:56:43 UTC
nss-db DOES ask for it to be readonly in the main codepath:
db-open.c:57:  err = db_open (file, DB_BTREE, DB_RDONLY, 0, NULL, NULL, &db);

So either DB itself isn't doing it properly, or something else is broken.

Can you give me a backtrace in nss-db where sandbox is actually intercepting it?
Comment 3 SpanKY gentoo-dev 2009-12-04 06:38:54 UTC
I don't use nss-db nor do I know how.  If you want traces/errors, just look at what the user is providing and/or try it on your system.

Although the reporter seems to have forgotten to post the info required in every report -- `emerge --info` and what version of nss-db he is using.
Comment 4 Doug Warner 2009-12-07 21:05:44 UTC
Here's "the reporter's" information that was requested:

# emerge --info
Portage 2.1.6.13 (default/linux/x86/10.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.15-gentoo-r1 i686)
=================================================================
System uname: Linux-2.6.15-gentoo-r1-i686-Intel-R-_Xeon-TM-_CPU_2.80GHz-with-glibc2.0
Timestamp of tree: Wed, 02 Dec 2009 15:25:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/svnexport/server_overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 modules mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session snmp spl ssl sysfs tcpd unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


# equery l nss-db
[I--] [ ~] sys-libs/nss-db-2.2.3_pre1-r2 (0)

Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-03-30 22:31:23 UTC
bugday: some knowledge of C might be needed
Comment 6 Pacho Ramos gentoo-dev 2016-02-20 17:18:40 UTC
removed