Comment 1 Jeroen Roovers (RETIRED) 2013-05-21 14:35:39 UTC

1) Please post your `emerge --info' output in a comment.
2) Please attach the entire build log to this bug report.

Created attachment 348864 [details]
build.log

> emerge --info hexchat

Portage 2.1.11.62 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.3, glibc-2.15-r3, 3.8.6-hardened x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.8.6-hardened-x86_64-AMD_E-350_Processor-with-gentoo-2.2
KiB Mem:     3634896 total,   2542432 free
KiB Swap:    4194300 total,   4194300 free
Timestamp of tree: Sun, 19 May 2013 23:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.10.3, 1.11.6, 1.12.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3, 4.7.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-local_overlay
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE freedist CC-BY-ND-3.0 CC-Sampling-Plus-1.0 openpbs"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=btver1 -ftree-vectorize -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=btver1 -ftree-vectorize -ggdb"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe -march=btver1 -ftree-vectorize -ggdb -floop-interchange -floop-block -fgraphite-identity --param loop-block-tile-size=8"
FEATURES="assume-digests binpkg-logs candy collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict stricter test unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=btver1 -ftree-vectorize -ggdb -floop-interchange -floop-block -fgraphite-identity --param loop-block-tile-size=8"
GENTOO_MIRRORS="ftp://mirror.mcs.anl.gov/pub/gentoo/ ftp://ftp.gtlib.gatech.edu/pub/gentoo ftp://lug.mtu.edu/gentoo/ http://gentoo.osuosl.org/ ftp://mirrors.rit.edu/gentoo/ ftp://mirror.iawnet.sandia.gov/pub/gentoo/ ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ ftp://ftp.lug.udel.edu/pub/gentoo/ ftp://gentoo.cites.uiuc.edu/pub/gentoo/ http://gentoo.cs.uni.edu/ http://mirror.usu.edu/mirrors/gentoo/ ftp://ftp.wallawalla.edu/pub/mirrors/ftp.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/local_overlay"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac acpi alsa amd64 avahi bash-completion berkdb blas bluetooth branding bzip2 cairo cdda cdr cjk cli colord consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emacs emboss encode evo exif fam fftw firefox flac fortran gdbm gif gimp gnome gnome-keyring gnome-online-accounts gnutls gpm gstreamer gtk hardened iconv icu idn ipv6 jpeg justify lapack latex lcms ldap libnotify lm_sensors mad mime mmx mng modules mp3 mp4 mpeg mpi mtp mudflap nautilus ncurses netcdf networkmanager nls nptl offensive ogg open_perms opengl openmp pam pango pax_kernel pcre pdf png policykit ppds pulseaudio qt3support qt4 readline sasl sdl selinux session slp smp socialweb sound spell sse sse2 sse3 ssl startup-notification subversion svg symlink tcpd threads tiff truetype udev udisks unicode upower urandom usb v4l videos vorbis wifi wxwidgets x264 xattr xcb xft xinerama xml xv xvid zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_US en es_MX es zh_CN zh" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

net-irc/hexchat-2.9.5 was built with the following:
USE="dbus fastscroll gtk ipv6 libnotify nls plugins spell ssl -libproxy -ntlm -perl -plugin-checksum -plugin-doat -plugin-fishlim -plugin-sysinfo -python -theme-manager" PYTHON_SINGLE_TARGET="python2_7 -python2_5 -python2_6" PYTHON_TARGETS="python2_7 -python2_5 -python2_6"

grsec.log entry:

grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/net-irc/hexchat-2.9.5/temp/gettextize by /var/tmp/portage/net-irc/hexchat-2.9.5/temp/gettextize[ebuild.sh:2726] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:2636] uid/euid:250/250 gid/egid:250/250

I don't see any reason why execution of scripts in ${T} should be prohibited, so I consider this a hardened bug.

I believe that quite a few eclasses already use scripts from within ${T} including kernel-2.eclass, so I refuse to change this until we have a good reason for that. And in that case, we need to fix the entire tree...

"I don't see any reason why execution of scripts in ${T} should be prohibited, so I consider this a hardened bug."

The feature here is to prohibit execution of scripts in any group-writable directory, as this is a potential security issue, and it's working exactly as advertised.

The feature is either supported or it isn't, but either way there's no actual bug in the hardened packages. I'm not actually sure why ${T} is group-writable, so that seems more like an issue with portage itself (but maybe there is some good reason for this that I can't think of).

"I believe that quite a few eclasses already use scripts from within ${T} including kernel-2.eclass, so I refuse to change this until we have a good reason for that. And in that case, we need to fix the entire tree..."

Well, I did forget to mention the simplest solution, which is just to *create* a directory in ${T} with the correct permissions, and execute the script from there.

I wouldn't know about kernel-2 specifically, but most packages are fine for me, so they must handle this one way or another. The whole point of filing bugs like this is "to fix the entire tree", which I think is less work than it sounds...

Comment 6 Zac Medico 2013-05-22 17:44:56 UTC

As I've explained in bug #462136, comment #2, the portage group is considered "trusted" in this context. So, can't you configure grsec to trust this group?

No, marking "portage" as a trusted group will not work, and this is the point that confused the user in bug #462136.

There are two independent types of Trusted Path Execution here, a strict but narrow one that applies to everyone in (or not in) a specified group, and a less strict one that applies to everyone but root. The latter is the one we're talking about.

Just so we're clear here, you are saying that, while something is building, any user in group "portage" is allowed to swap out a script that will then be executed by the process doing the build. (Unless they are prohibited by some other advanced access control feature, e.g. SELinux.)

I would have to chew on that a bit. It seems that this could be used by anyone in group "portage" to do fairly arbitrary things. (Even with FEATURES="userpriv", they can still potentially modify whatever is being installed.) In this scenario, you'd have to trust the "portage" group at a similar level to (more than?) "wheel".

Comment 8 Zac Medico 2013-05-22 21:32:46 UTC

(In reply to comment #7)
> Just so we're clear here, you are saying that, while something is building,
> any user in group "portage" is allowed to swap out a script that will then
> be executed by the process doing the build. (Unless they are prohibited by
> some other advanced access control feature, e.g. SELinux.)

Yes, but the "portage" group is a "user private group" by default. So, with default configuration, giving write access to the "portage" group is equivalent to giving access to the "portage" user.

> I would have to chew on that a bit. It seems that this could be used by
> anyone in group "portage" to do fairly arbitrary things. (Even with
> FEATURES="userpriv", they can still potentially modify whatever is being
> installed.) In this scenario, you'd have to trust the "portage" group at a
> similar level to (more than?) "wheel".

Yes. It should remain as a "user private group" in most cases. The administrator should think very carefully before adding any users to this group.

All right. Thanks for the explanation. =)

Anyway, that still leaves the original question. Portage has the temp directory group-writable, and GRKERNSEC_TPE_ALL does not allow you to make an exception for any group or (non-root) user.

If the temp directory has to be group-writable, there are only two possibilities left:

1) Arrange for packages not to execute scripts directly out of ${T} (or ${HOME}?) (my original suggestion).

2) Don't support FEATURES="userpriv" with GRKERNSEC_TPE_ALL.

(As an aside, I think it would be useful if there was a variant of GRKERNSEC_TPE_ALL that applied only to world permissions and ignored group permissions. But since that doesn't exist, it can't solve the issue at hand.)

It would be nice to have this matter settled, because it does come up regularly. See, for example, bug 459754 and bug 437732.

Comment 10 Anthony Basile 2014-10-17 21:29:07 UTC

(In reply to Sean Santos from comment #0)
> There's a fairly common problem here:
> 
> 1) Turning on CONFIG_GRKERNSEC_TPE_ALL prohibits execution of any file in a
> group- or world- writeable directory, except for root.
> 
> 2) When portage is building something, the "temp" directory is
> group-writeable (by the portage group).
> 
> 3) FEATURES="userpriv" drops permissions during a build.
> 
> Therefore, with this combination, all ebuilds that run a script out of temp
> will fail (some other directories, e.g. work, are fine).
> 
> Right now, the hexchat ebuild is trying to run gettextize out of this
> directory, hence the problem.

This bug solved by the fix in #519566, isn't it?

(In reply to Anthony Basile from comment #10)
> (In reply to Sean Santos from comment #0)
> > There's a fairly common problem here:
> > 
> > 1) Turning on CONFIG_GRKERNSEC_TPE_ALL prohibits execution of any file in a
> > group- or world- writeable directory, except for root.
> > 
> > 2) When portage is building something, the "temp" directory is
> > group-writeable (by the portage group).
> > 
> > 3) FEATURES="userpriv" drops permissions during a build.
> > 
> > Therefore, with this combination, all ebuilds that run a script out of temp
> > will fail (some other directories, e.g. work, are fine).
> > 
> > Right now, the hexchat ebuild is trying to run gettextize out of this
> > directory, hence the problem.
> 
> This bug solved by the fix in #519566, isn't it?

I believe so, yes. I have not yet found time to re-emerge all the packages that I found to be affected by #519566.

Comment 12 Anthony Basile 2015-02-15 13:33:40 UTC

This should be fixed now with portage-2.2.15.  Can you test the original issue and reopen if its still a problem.