Bug 484472 - sys-apps/portage-2.2.x with sys-kernel/hardened-sources stops working due to: file in group-writable directory of /var/tmp/portage/sys-apps/portage-2.2.1/homedir/ffiguwHOM
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Reported: 2013-09-10 13:16 UTC by Marcin Mirosław
Modified: 2015-02-15 13:33 UTC (History)
Description Marcin Mirosław 2013-09-10 13:16:12 UTC
I'm using a hardened kernel and this problem can only occur on such a kernel. I've installed portage-2.2.1 and after that I can't install anything more. Here is what I have in syslog when I issue `emerge -1 bc`:

2013-09-10T15:13:09.738727+02:00 data-serwer kernel: [12419.203061] grsec: From 192.168.2.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.2[emerge:11255] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11200] uid/euid:0/0 gid/egid:0/0
2013-09-10T15:13:13.648729+02:00 data-serwer kernel: [12423.114745] grsec: From 192.168.2.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.2[python3.2:11367] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/python3.2[python3.2:11364] uid/euid:0/0 gid/egid:0/0
2013-09-10T15:13:14.058734+02:00 data-serwer kernel: [12423.526597] grsec: From 192.168.2.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
2013-09-10T15:13:14.058755+02:00 data-serwer kernel: [12423.527741] grsec: From 192.168.2.1: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/sys-devel/bc-1.06.95/temp/ffiaqizbx by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
2013-09-10T15:13:14.058756+02:00 data-serwer kernel: [12423.529072] grsec: From 192.168.2.1: denied untrusted exec (due to file in world-writable directory) of /var/tmp/ffivHk2cc by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
2013-09-10T15:13:14.068722+02:00 data-serwer kernel: [12423.530845] grsec: From 192.168.2.1: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/sys-devel/bc-1.06.95/homedir/ffiwHU8eR by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
2013-09-10T15:13:14.068735+02:00 data-serwer kernel: [12423.533171] python3.2[11391]: segfault at 6100000069 ip 000002d124cc7b50 sp 000003e2455ed660 error 4 in _ctypes.cpython-32.so[2d124cb7000+1a000]
2013-09-10T15:13:14.068737+02:00 data-serwer kernel: [12423.533563] grsec: From 192.168.2.1: Segmentation fault occurred at 0000006100000069 in /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
2013-09-10T15:13:14.068737+02:00 data-serwer kernel: [12423.534247] grsec: more alerts, logging disabled for 10 seconds
2013-09-10T15:13:14.538750+02:00 data-serwer kernel: [12424.006594] python3.2[11473]: segfault at 6100000069 ip 000002a551964b50 sp 000003ca328bca00 error 4 in _ctypes.cpython-32.so[2a551954000+1a000]
Comment 1 Marcin Mirosław 2013-09-10 13:18:49 UTC
# emerge --info
Portage 2.2.1 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.9.5-hardened x86_64)
=================================================================
System uname: Linux-3.9.5-hardened-x86_64-Intel_Xeon_E312xx_-Sandy_Bridge-with-gentoo-2.2
KiB Mem:      996272 total,    189692 free
KiB Swap:    1048572 total,   1035704 free
Timestamp of tree: Tue, 10 Sep 2013 04:15:01 +0000
ld GNU gold (GNU Binutils 2.23.1) 1.11
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r2, 3.2.5-r2
dev-util/ccache:          3.1.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.12.6
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -mtune=native -frecord-gcc-switches         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://gentoo-mirror.in.xxx.pl/gentoo-portage/"
USE="acl acpi amd64 bash-completion caps cli cracklib crypt cxx dri hardened iconv idn ipv6 justify mmx mmxext modules mudflap multilib ncurses nls nptl openmp pax_kernel pcre readline session sse sse2 sse3 ssse3 threads unicode urandom vhosts vim-syntax xattr" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python3_2" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="tarpit"
USE_PYTHON="3.2"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 2 Zac Medico gentoo-dev 2013-09-10 16:46:57 UTC
The group writable thing is from the new userpriv and usersandbox FEATURES defaults. You could disable userpriv and usersandbox by adding this to make.conf:

FEATURES="${FEATURES} -userpriv -usersandbox"
Comment 3 Anthony Basile gentoo-dev 2013-09-10 16:49:39 UTC
(In reply to Zac Medico from comment #2)
> The group writable thing is from the new userpriv and usersandbox FEATURES
> defaults. You could disable userpriv and usersandbox by adding this to
> make.conf:
> 
> FEATURES="${FEATURES} -userpriv -usersandbox"

Do you have strict TPE on?  That might be where you're getting this from:

    denied untrusted exec (due to file in group-writable directory)

If so, you can add portage to the wheel group which is the trusted group.
Comment 4 Marcin Mirosław 2013-09-10 20:01:06 UTC
Thanks Zac for such an easy workaround, I did it in a little more complicated way:)
Anthony, I'm not sure if I can trust user "portage" enough to add it to the wheel group:) I'm dropping the compilation process from user root to user portage for security. If I add portage (I assume I can't trust this user) to group wheel then user portage can e.g. run sudo. Wouldn't it be a security hole in the "userpriv" engine inside portage? (I'm aware it isn't a big hole)
Comment 5 Zac Medico gentoo-dev 2013-09-11 21:26:56 UTC
(In reply to Marcin Mirosław from comment #4)
> Wouldn't it be a security hole in the "userpriv" engine inside portage? (I'm aware it isn't a big hole)

Not really, because the portage user is able to build files that are eventually installed and executed by root.
Comment 6 Norman Shulman 2013-09-12 19:11:03 UTC
(In reply to Anthony Basile from comment #3)
> (In reply to Zac Medico from comment #2)
> > The group writable thing is from the new userpriv and usersandbox FEATURES
> > defaults. You could disable userpriv and usersandbox by adding this to
> > make.conf:
> > 
> > FEATURES="${FEATURES} -userpriv -usersandbox"
> 
> Do you have strict TPE on?

Yes.

>  That might be where you're getting this from:
> 
>     denied untrusted exec (due to file in group-writable directory)
> 
> If so, you can add portage to the wheel group which is the trusted group.

Adding portage to world made a world of difference; thanks!
Comment 7 Marcin Mirosław 2013-09-12 19:26:16 UTC
So if it's not a potential security hole, the bug can be closed for me. Thanks!
Comment 8 Anthony Basile gentoo-dev 2013-09-12 21:46:30 UTC
(In reply to Marcin Mirosław from comment #7)
> So if it's not a potential security hole, the bug can be closed for me. Thanks!

well ... this may need documentation because it's going to catch a lot of people.  I'm cc-ing our hardened doc people to figure out where to put it.  Basically we need to tell our users that if you use TPE then you must add user "portage" to group "wheel" to give it permission to write to a group-writable directory during emerge.
Comment 9 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-02 01:03:59 UTC
Hi,

we (Infra) experienced the same issue.
We can reproduce it on at least two machines. Both have different Kernel (3.8.2 and 3.5.4, hardened "custom") versions. Both have the same grsec sysctl settings. Both have the same FEATURES.
Another server with the same portage version and the same FEATURES, sysctl settings and Kernel (3.8.2) works fine.
So there must be another difference between the ~42 working hosts and the (until now) 2 not working hosts.
I also tested different sandbox versions.

Using -userpriv on the affected systems works, -usersandbox doesn't matter.

All portage 2.2.x versions seem to be affected.

I'll *try* to debug that further tomorrow.
Comment 10 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-02 16:41:28 UTC
Upgrading libffi (to at least 3.0.11) and rebuilding at least python helps.

FEATURES=-userpriv emerge -1u virtual/libffi
FEATURES=-userpriv emerge @preserved-rebuild
emerge foo
Comment 11 Magnus Granberg gentoo-dev 2013-11-02 16:53:20 UTC
This problem is with python and libffi one more time.
libffi tries to write a temp file and execute it, because it can't
use an RWX mmap, so it makes a temp file and executes that instead.
You need to check what USE flags libffi has and what version, and
what PaX flags the active python has, and check if you have
EMUTRAMP enabled in the kernel.
The libffi version should be 3.0.13-r1 and have USE pax_kernel.
Python should have EMUTRAMP enabled.
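A small triage script, added here and not part of this bug or of Portage, that parses grsec denial lines like those in the description and maps each denial kind to the remediation the thread discusses (comments 2, 3 and 11). The sample lines are copied from the report; the "ffi" file-name prefix used to spot libffi's temp files is an assumption drawn from the paths in it.

```python
import re
from collections import Counter

# Constructed sample: three grsec kernel log lines of the kind quoted in this bug
# (syslog prefix trimmed; the field layout and values are taken from the report).
SAMPLE_LOG = """\
grsec: From 192.168.2.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
grsec: From 192.168.2.1: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/sys-devel/bc-1.06.95/temp/ffiaqizbx by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
grsec: From 192.168.2.1: denied untrusted exec (due to file in world-writable directory) of /var/tmp/ffivHk2cc by /usr/bin/python3.2[python3.2:11391] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/bin/ebuild.sh[ebuild.sh:11387] uid/euid:250/250 gid/egid:250/250
"""

# The "by <exe>[<comm>:<pid>] uid/euid:<uid>/<euid>" trailer shared by both messages.
ACTOR = r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
RWX_RE = re.compile(r"denied RWX mmap of <anonymous mapping> " + ACTOR)
TPE_RE = re.compile(r"denied untrusted exec \(due to (?P<why>[^)]+)\) of (?P<path>\S+) " + ACTOR)

# Remediations are the ones discussed in this thread, keyed by denial kind.
FIX = {
    "rwx_mmap": "PaX refused a W+X anonymous mapping; libffi falls back to a temp file "
                "(comment 11: libffi >=3.0.11 with USE=pax_kernel, EMUTRAMP, rebuild python)",
    "tpe_exec": "TPE refused to exec from a writable dir (comment 2: FEATURES=-userpriv; "
                "comment 3: make the portage user a member of the trusted group wheel)",
}

def parse_line(line):
    """Return a dict describing one grsec denial, or None for unrelated lines."""
    m = RWX_RE.search(line)
    kind = "rwx_mmap"
    if not m:
        m = TPE_RE.search(line)
        kind = "tpe_exec"
    if not m:
        return None
    ev = {"kind": kind, "exe": m["exe"], "pid": int(m["pid"]), "uid": int(m["uid"])}
    if kind == "tpe_exec":
        ev["path"], ev["why"] = m["path"], m["why"]
        # Assumption: libffi's closure temp files are named ffi<random>, as in this report.
        ev["libffi_tmp"] = m["path"].rsplit("/", 1)[-1].startswith("ffi")
    return ev

def triage(log_text):
    """Parse every denial and flag the libffi-under-TPE pattern seen in this bug."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    kinds = Counter(ev["kind"] for ev in events)
    pattern = kinds["rwx_mmap"] > 0 and any(
        ev["kind"] == "tpe_exec" and ev["libffi_tmp"] for ev in events)
    return {"events": events, "counts": dict(kinds), "libffi_tpe_pattern": pattern,
            "advice": [FIX[k] for k in ("rwx_mmap", "tpe_exec") if kinds[k]]}
```

Run `triage(SAMPLE_LOG)` to get the parsed events, per-kind counts and the matching advice; feed it the real kernel log to check a host against this signature.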
Comment 12 satmd 2014-02-11 21:04:36 UTC
After picking up this bug on the freenode IRC channel, I tried to
Comment 13 satmd 2014-02-11 21:09:51 UTC
Sorry,... I only wanted to add myself to CC:...

After seeing this bug mentioned on the freenode IRC channel, I tried to compile portage on my computer (~amd64, non-multilib, hardened) with TPE enabled (enabled for everyone, exemptions only for gid 10), no selinux or other MAC. My idea was to work around this problem with a stricter umask of 0022.

I did not get any error during the build, but I didn't do a test without my umask setting either.

I use paludis for package management, thus this workaround should be re-evaluated on a regular gentoo box with portage as package management to rule out specifics of my own setup.
Comment 14 Magnus Granberg gentoo-dev 2014-09-15 18:39:14 UTC
*** Bug 459664 has been marked as a duplicate of this bug. ***
Comment 15 Zac Medico gentoo-dev 2014-09-15 18:55:38 UTC
There's a related patch attached to bug 519566 that needs testing by users with TPE.
Comment 16 Anthony Basile gentoo-dev 2015-02-15 13:33:18 UTC
This should be fixed now with portage-2.2.15.  Can you test the original issue and reopen if it's still a problem?