Bug 437732 - media-video/ffmpeg-1.0.7 can't install ffmpeg due to grsec restrictions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: media-video herd
Reported: 2012-10-09 14:52 UTC by Marcin Mirosław
Modified: 2015-02-15 13:33 UTC

Description Marcin Mirosław 2012-10-09 14:52:20 UTC
I can't emerge ffmpeg because grsec denies exec in a group-writable directory:
[93344.227961] grsec: From 62.121.127.119: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-0.10.3/temp/ffconf.Pvn4e19m.sh by /var/tmp/portage/media-video/ffmpeg-0.10.3/temp/ffconf.Pvn4e19m.sh[configure:23372] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/media-video/ffmpeg-0.10.3/work/ffmpeg-0.10.3/configure[configure:22898] uid/euid:250/250 gid/egid:250/250

I'm not sure whether it should be fixed by me (configuring grsec) or by the build system (changing permissions).

# zgrep -i grkern /proc/config.gz |grep -v "^#"|sort
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_FLOODBURST=8
CONFIG_GRKERNSEC_FLOODTIME=8
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=55556
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC=y


Reproducible: Always




# emerge --info
FEATURES variable contains unknown value(s): Xfail-clean, Xkeepwork, Xprofile, Xsplitdebug, Xtest, profile-use
Error during set creation: Could not import 'smartliverebuild.sets.SmartLiveRebuildSet' for section 'smart-live-rebuild'
Portage 2.2.0_alpha136 (hardened/linux/amd64, gcc-4.5.4, glibc-2.15-r2, 3.5.5-hardened x86_64)
=================================================================
System uname: Linux-3.5.5-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.1
Timestamp of tree: Tue, 09 Oct 2012 08:00:01 +0000
ccache version 3.1.7 [enabled]
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/ccache:          3.1.7
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo rion
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe         -fpeel-loops    -fgraphite-identity -floop-interchange -floop-block -floop-strip-mine -fira-loop-pressure       -fpredictive-commoning -freorder-blocks-and-partition -ftracer -ftree-vectorize       --param l2-cache-size=128 --param l1-cache-size=16 --param l1-cache-line-size=32"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe       -fpeel-loops    -fgraphite-identity -floop-interchange -floop-block -floop-strip-mine -fira-loop-pressure       -fpredictive-commoning -freorder-blocks-and-partition -ftracer -ftree-vectorize       --param l2-cache-size=128 --param l1-cache-size=16 --param l1-cache-line-size=32"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="Xfail-clean Xkeepwork Xprofile Xsplitdebug Xtest assume-digests binpkg-logs ccache collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs profile-use protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.mneisen.org/"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl en"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/rion"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acpi amd64 apache2 bash-completion caps hardened idn iproute2 ipv6 mmap mmx mmxext modules multilib nls openmp openssl smp sse sse2 sse3 sse4 sse4a ssse3 syslog threads threadsafe unicode urandom vhosts vim-syntax xtpax" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon auth_digest authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user cache cgid dav dav_fs dav_lock dir env expires ext_filter filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias" APACHE2_MPMS="prefork" CURL_SSL="openssl" ELIBC="glibc" KERNEL="linux" LINGUAS="pl en" NGINX_MODULES_HTTP="access browser charset gzip map limit_zone proxy rewrite stub_status" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2" USERLAND="GNU" XTABLES_ADDONS="geoip psd sysrq tarpit"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 1 Anthony Basile gentoo-dev 2013-03-15 13:46:19 UTC
Sorry for the delay in responding.  Take a look at

    http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml

TPE is causing the issue, but since this is a build time issue, it may be possible for the ebuild/build system to remove world writeable permissions and get past this.  Although the world writeable directory is ephemeral (gone once emerge is done) there is no way to whitelist for TPE.  Turning off TPE globally is wrong since it means relaxing an important security feature.

I'll pass this along to media-video@
Comment 2 Sean Santos 2013-04-14 04:52:43 UTC
In recent versions, if you have FEATURES="userpriv", I think you get essentially the same problem, except that it's caught with a nicer error message in the configure stage.


>>> Configuring source in /var/tmp/portage/media-video/ffmpeg-0.10.7/work/ffmpeg-0.10.7 ...
Unable to create and execute files in /var/tmp/portage/media-video/ffmpeg-0.10.7/temp.  Set the TMPDIR environment
variable to another directory and make sure that it is not mounted noexec.
Sanity test failed


I'm pretty clueless about this aspect of portage, but it looks like the choices here would be to use a temporary directory in "work" instead of "temp", making "temp" not group-writeable, or creating a subdirectory in "temp" that's not group-writeable.
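
The directory condition behind the denial logged above, and the third option from this comment (a subdirectory of "temp" that is not group-writable), as an added shell example that is not part of the bug thread. It approximates the TPE_ALL rule for the containing directory only (owned by root or by the user, no group/world write bit); `tpe_dir_ok`, `make_exec_tmp` and the demo paths are hypothetical names, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report). Requires GNU stat.

# tpe_dir_ok DIR [UID]: exit 0 if files in DIR pass the TPE_ALL directory
# rule for UID: DIR has no group/world write bit and is owned by root or UID.
tpe_dir_ok() {
    dir=$1
    uid=${2:-$(id -u)}
    info=$(stat -c '%u %a' "$dir") || return 2
    owner=${info% *}
    mode=${info#* }
    # 022 = group-write | world-write
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$uid" ]
}

# make_exec_tmp PARENT: create a private (0700) subdirectory inside PARENT
# and print its path, for use as TMPDIR by a configure script.
make_exec_tmp() {
    sub=$(mktemp -d "$1/exec.XXXXXX") || return 1
    chmod 0700 "$sub"
    printf '%s\n' "$sub"
}

# Constructed demo: a group-writable stand-in for portage's "temp" directory.
demo_root=$(mktemp -d)
mkdir "$demo_root/temp" && chmod 0775 "$demo_root/temp"
if tpe_dir_ok "$demo_root/temp"; then
    echo "temp: exec allowed"
else
    echo "temp: exec would be denied"
fi
private=$(make_exec_tmp "$demo_root/temp")
if tpe_dir_ok "$private"; then
    echo "$private: exec allowed"
else
    echo "$private: exec would be denied"
fi
rm -rf "$demo_root"
```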
Comment 3 Mike Gilbert gentoo-dev 2013-11-27 01:31:56 UTC
*** Bug 491582 has been marked as a duplicate of this bug. ***
Comment 4 Anthony Basile gentoo-dev 2014-10-17 21:31:03 UTC
This bug should be solved by the fix in bug #519566
Comment 5 Anthony Basile gentoo-dev 2015-02-15 13:33:49 UTC
This should be fixed now with portage-2.2.15.  Can you test the original issue and reopen if it's still a problem?