I can't emerge ffmpeg because grsec denies exec in a group-writable directory:

[93344.227961] grsec: From 62.121.127.119: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-0.10.3/temp/ffconf.Pvn4e19m.sh by /var/tmp/portage/media-video/ffmpeg-0.10.3/temp/ffconf.Pvn4e19m.sh[configure:23372] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/media-video/ffmpeg-0.10.3/work/ffmpeg-0.10.3/configure[configure:22898] uid/euid:250/250 gid/egid:250/250

I'm not sure if it should be fixed by me (configuring grsec) or by the build system (changing permissions).

# zgrep -i grkern /proc/config.gz | grep -v "^#" | sort
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_FLOODBURST=8
CONFIG_GRKERNSEC_FLOODTIME=8
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=55556
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC=y

Reproducible: Always

# emerge --info
FEATURES variable contains unknown value(s): Xfail-clean, Xkeepwork, Xprofile, Xsplitdebug, Xtest, profile-use
Error during set creation: Could not import 'smartliverebuild.sets.SmartLiveRebuildSet' for section 'smart-live-rebuild'
Portage 2.2.0_alpha136 (hardened/linux/amd64, gcc-4.5.4, glibc-2.15-r2, 3.5.5-hardened x86_64)
=================================================================
System uname: Linux-3.5.5-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.1
Timestamp of tree: Tue, 09 Oct 2012 08:00:01 +0000
ccache version 3.1.7 [enabled]
app-shells/bash: 4.2_p37
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/ccache: 3.1.7
dev-util/cmake: 2.8.9
dev-util/pkgconfig: 0.27.1
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.4
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo rion
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fpeel-loops -fgraphite-identity -floop-interchange -floop-block -floop-strip-mine -fira-loop-pressure -fpredictive-commoning -freorder-blocks-and-partition -ftracer -ftree-vectorize --param l2-cache-size=128 --param l1-cache-size=16 --param l1-cache-line-size=32"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe -fpeel-loops -fgraphite-identity -floop-interchange -floop-block -floop-strip-mine -fira-loop-pressure -fpredictive-commoning -freorder-blocks-and-partition -ftracer -ftree-vectorize --param l2-cache-size=128 --param l1-cache-size=16 --param l1-cache-line-size=32"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="Xfail-clean Xkeepwork Xprofile Xsplitdebug Xtest assume-digests binpkg-logs ccache collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs profile-use protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.mneisen.org/"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl en"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/rion"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acpi amd64 apache2 bash-completion caps hardened idn iproute2 ipv6 mmap mmx mmxext modules multilib nls openmp openssl smp sse sse2 sse3 sse4 sse4a ssse3 syslog threads threadsafe unicode urandom vhosts vim-syntax xtpax"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon auth_digest authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user cache cgid dav dav_fs dav_lock dir env expires ext_filter filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias"
APACHE2_MPMS="prefork"
CURL_SSL="openssl"
ELIBC="glibc"
KERNEL="linux"
LINGUAS="pl en"
NGINX_MODULES_HTTP="access browser charset gzip map limit_zone proxy rewrite stub_status"
PHP_TARGETS="php5-3"
PYTHON_TARGETS="python3_2"
USERLAND="GNU"
XTABLES_ADDONS="geoip psd sysrq tarpit"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Sorry for the delay in responding. Take a look at http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml

TPE is causing the issue, but since this is a build-time issue, it may be possible for the ebuild/build system to remove world-writeable permissions and get past this. Although the world-writeable directory is ephemeral (gone once emerge is done), there is no way to whitelist for TPE. Turning off TPE globally is wrong since it means relaxing an important security feature. I'll pass this along to media-video@
In recent versions, if you have FEATURES="userpriv", I think you get essentially the same problem, except that it's caught with a nicer error message in the configure stage.

>>> Configuring source in /var/tmp/portage/media-video/ffmpeg-0.10.7/work/ffmpeg-0.10.7 ...
Unable to create and execute files in /var/tmp/portage/media-video/ffmpeg-0.10.7/temp.
Set the TMPDIR environment variable to another directory and make sure that it is not mounted noexec.
Sanity test failed

I'm pretty clueless about this aspect of portage, but it looks like the choices here would be to use a temporary directory in "work" instead of "temp", making "temp" not group-writeable, or creating a subdirectory in "temp" that's not group-writeable.
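The following is an added example, not code from this bug, from grsecurity or from portage. It reproduces the shape of the original report on a plain filesystem (a group-writable "temp" directory holding a configure-style probe script) and runs a small userspace emulation of the directory and file conditions behind a grsec "denied untrusted exec (due to ...)" line for a non-root caller on a kernel with CONFIG_GRKERNSEC_TPE_ALL=y, then tries the third option from the comment above: a private 0700 subdirectory that the build can use as TMPDIR. Assumptions: GNU stat (the -c '%A' and '%u' formats); the order of the checks (directory owner, world-writable directory, group-writable directory, world-writable file) is my reading of the kernel's TPE_ALL path and is not taken from this page; root's exemption in the real check is deliberately left out so the demo behaves the same whoever runs it.

```shell
#!/bin/sh
# Added example (not from the bug report, grsecurity or portage): emulate the
# conditions behind a grsec "denied untrusted exec (due to ...)" message for a
# non-root caller with CONFIG_GRKERNSEC_TPE_ALL=y, then show the workaround the
# thread discusses: a private 0700 subdirectory a build can point TMPDIR at.
# Assumptions: GNU stat (-c '%A' and '%u'); check order (directory owner,
# world-writable dir, group-writable dir, world-writable file) is my reading of
# the kernel's TPE_ALL path; root's exemption is not modelled on purpose.

# tpe_check FILE: print the denial reason grsec would log, or "allowed".
# Exit status 0 = exec allowed, 1 = exec denied.
tpe_check() {
    f=$1
    d=$(dirname "$f")
    dperm=$(stat -c '%A' "$d")      # symbolic mode, e.g. drwxrwxr-x
    duid=$(stat -c '%u' "$d")
    fperm=$(stat -c '%A' "$f")
    me=$(id -u)
    reason=allowed
    if [ "$duid" != 0 ] && [ "$duid" != "$me" ]; then
        reason="directory not owned by user"
    else
        # position 9 is the "other" write bit, position 6 the group write bit
        case $dperm in
            ????????w?) reason="file in world-writable directory" ;;
            ?????w????) reason="file in group-writable directory" ;;
            *) case $fperm in
                   ????????w?) reason="file is world-writable" ;;
               esac ;;
        esac
    fi
    printf '%s\n' "$reason"
    [ "$reason" = allowed ]
}

# make_build_temp: recreate the report's layout under a fresh directory and
# print that directory. temp/ is group-writable like portage's temp dir in the
# log; work/ is 0755 but holds a world-writable script for the last condition.
make_build_temp() {
    base=$(mktemp -d)
    mkdir -m 775 "$base/temp"
    mkdir -m 755 "$base/work"
    printf '#!/bin/sh\necho ok\n' > "$base/temp/ffconf.sh"
    chmod 755 "$base/temp/ffconf.sh"
    printf '#!/bin/sh\necho ok\n' > "$base/work/loose.sh"
    chmod 666 "$base/work/loose.sh"
    printf '%s\n' "$base"
}

# private_tmpdir TEMP: the workaround - a 0700 subdirectory of TEMP, owned by
# the caller and writable by nobody else. Prints its path.
private_tmpdir() {
    mkdir -m 700 "$1/private"
    printf '%s\n' "$1/private"
}

# probe_exec DIR: in the spirit of portage's "create and execute files" sanity
# test, write a script into DIR, require tpe_check to pass, run it and print
# its output. (The real sanity test execs the file directly, which is also
# where a noexec mount fails; "sh" is used here so the demo runs anywhere.)
probe_exec() {
    p="$1/probe.sh"
    printf '#!/bin/sh\necho ok\n' > "$p"
    chmod 755 "$p"
    tpe_check "$p" >/dev/null || return 1
    sh "$p"
}

demo() {
    base=$(make_build_temp)
    printf 'temp/ffconf.sh : %s\n' "$(tpe_check "$base/temp/ffconf.sh")"
    printf 'work/loose.sh  : %s\n' "$(tpe_check "$base/work/loose.sh")"
    priv=$(private_tmpdir "$base/temp")
    printf 'private probe  : %s\n' "$(probe_exec "$priv")"
    rm -rf "$base"
}

demo
```

Run it as any unprivileged user: the probe in temp/ is reported as "file in group-writable directory", exactly the reason in the dmesg line above, while the same probe in the 0700 subdirectory is allowed. This is only a model of the policy; the authoritative check lives in the kernel and, as the earlier comment notes, cannot be whitelisted per path, which is why the permissions of the build's own directories have to change rather than the TPE setting.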
*** Bug 491582 has been marked as a duplicate of this bug. ***
This bug should be solved by the fix in bug #519566
This should be fixed now with portage-2.2.15. Can you test the original issue and reopen if it's still a problem.