Bug 491582 - =www-client/chromium-32.0.1700.14 third_party/ffmpeg/configure: temp/ffconf.Twxny8Uu.sh: /bin/sh: bad interpreter: Permission denied
Summary: =www-client/chromium-32.0.1700.14 third_party/ffmpeg/configure: temp/ffconf.T...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-18 13:29 UTC by Norman Shulman
Modified: 2013-11-27 02:03 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
ffmpeg config.log (config.log,108.60 KB, text/x-log)
2013-11-18 21:36 UTC, Norman Shulman

Description Norman Shulman 2013-11-18 13:29:57 UTC
* Messages for package www-client/chromium-32.0.1700.14:
 * bindist disabled: Resulting binaries may not be legal to re-distribute.
 * ERROR: www-client/chromium-32.0.1700.14::gentoo failed (configure phase):
 *   (no error message)
 *
 * Call stack:
 *     ebuild.sh, line  93:  Called src_configure
 *   environment, line 4953:  Called die
 * The specific snippet of code:
 *       chromium/scripts/build_ffmpeg.sh linux ${target_arch} "${PWD}" config-only || die;
Comment 1 Norman Shulman 2013-11-18 13:32:16 UTC
Portage 2.2.7 (hardened/linux/amd64, gcc-4.7.3, glibc-2.15-r3, 3.11.2-hardened x86_64)
=================================================================
System uname: Linux-3.11.2-hardened-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem:    18453848 total,   2410080 free
KiB Swap:   19335164 total,  19335164 free
Timestamp of tree: Mon, 18 Nov 2013 08:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.5-r3, 3.2.5-r3
dev-util/cmake:           2.8.11.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j7"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
USE="X acl amd64 avahi berkdb bzip2 cli cracklib crypt cscope cxx dbus dri gdbm gtk hardened iconv ipv6 jpeg justify lock lvm mmx modules mudflap multilib ncurses nls nptl nvidia openmp pam pax_kernel pcre qemu readline session sse sse2 ssl startup-nitification symlink tcpd thunar tls udev unicode urandom virt-network xinerama xulrunner zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON
Comment 2 Norman Shulman 2013-11-18 13:35:48 UTC
From the build log:

 * Package:    www-client/chromium-32.0.1700.14
 * Repository: gentoo
 * Maintainer: chromium@gentoo.org
 * USE:        amd64 cups elibc_glibc kernel_linux linguas_am linguas_ar linguas_bg linguas_bn linguas_ca linguas_cs linguas_da linguas_de linguas_el linguas_en_GB linguas_es linguas_es_LA linguas_et linguas_fa linguas_fi linguas_fil linguas_fr linguas_gu linguas_he linguas_hi linguas_hr linguas_hu linguas_id linguas_it linguas_ja linguas_kn linguas_ko linguas_lt linguas_lv linguas_ml linguas_mr linguas_ms linguas_nb linguas_nl linguas_pl linguas_pt_BR linguas_pt_PT linguas_ro linguas_ru linguas_sk linguas_sl linguas_sr linguas_sv linguas_sw linguas_ta linguas_te linguas_th linguas_tr linguas_uk linguas_vi linguas_zh_CN linguas_zh_TW pulseaudio userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found kernel object directory:
 *     /lib/modules/3.11.2-hardened/build
 * Found sources for kernel version:
 *     3.11.2-hardened
 * Checking for suitable kernel configuration options...
 [ ok ]
 * bindist disabled: Resulting binaries may not be legal to re-distribute.
 * Applying chromium-system-jinja-r2.patch ...
 [ ok ]
 * Applying chromium-blink-crash-r0.patch ...
 [ ok ]
 * Applying chromium-build_ffmpeg-r0.patch ...
 [ ok ]
 * Configuring bundled ffmpeg...
System information:
HOST_OS     = linux
TARGET_OS   = linux
HOST_ARCH   = x64
TARGET_ARCH = x64
JOBS        = 8
LD          = GNU ld (GNU Binutils) 2.23.1

Chromium configure/build:
Creating build directory...
/var/tmp/portage/www-client/chromium-32.0.1700.14/work/chromium-32.0.1700.14/third_party/ffmpeg/build.x64.linux/Chromium /var/tmp/portage/www-client/chromium-32.0.1700.14/work/chromium-32.0.1700.14/third_party/ffmpeg
Configuring Chromium...
/var/tmp/portage/www-client/chromium-32.0.1700.14/work/chromium-32.0.1700.14/third_party/ffmpeg/configure --disable-everything --disable-avdevice --disable-avfilter --disable-bzlib --disable-doc --disable-ffprobe --disable-lzo --disable-network --disable-postproc --disable-swresample --disable-swscale --disable-zlib --enable-fft --enable-rdft --enable-shared --disable-iconv --disable-dxva2 --disable-vaapi --disable-vda --disable-vdpau --optflags=-O2 --enable-decoder=theora,vorbis,vp8 --enable-decoder=pcm_u8,pcm_s16le,pcm_s24le,pcm_f32le --enable-decoder=pcm_s16be,pcm_s24be,pcm_mulaw,pcm_alaw --enable-demuxer=ogg,matroska,wav --enable-parser=vp3,vorbis,vp8 --enable-pic --disable-error-resilience
Unable to create and execute files in /var/tmp/portage/www-client/chromium-32.0.1700.14/temp.  Set the TMPDIR environment
variable to another directory and make sure that it is not mounted noexec.
Sanity test failed.

If you think configure made a mistake, make sure you are using the latest
version from Git.  If the latest version fails, report the problem to the
ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
Include the log file "config.log" produced by configure as this will help
solving the problem.
Comment 3 Norman Shulman 2013-11-18 13:38:29 UTC
nshulman@nvshp:~
$ ls -ld /var/tmp/portage/www-client/chromium-32.0.1700.*
drwxrwxr-x 7 portage  portage  4096 Nov 18 03:14 /var/tmp/portage/www-client/chromium-32.0.1700.14
drwx------ 3 nshulman nshulman 4096 Nov 13 23:57 /var/tmp/portage/www-client/chromium-32.0.1700.6

Note the change from the previous version.
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-11-18 21:03:17 UTC
> Include the log file "config.log" produced by configure as this will help
> solving the problem.

Can you attach config.log?
Comment 5 Norman Shulman 2013-11-18 21:36:47 UTC
Created attachment 363532
ffmpeg config.log
Comment 6 Mike Gilbert gentoo-dev 2013-11-18 23:05:03 UTC
(In reply to Norman Shulman from comment #3)
> nshulman@nvshp:~
> $ ls -ld /var/tmp/portage/www-client/chromium-32.0.1700.*
> drwxrwxr-x 7 portage  portage  4096 Nov 18 03:14
> /var/tmp/portage/www-client/chromium-32.0.1700.14
> drwx------ 3 nshulman nshulman 4096 Nov 13 23:57
> /var/tmp/portage/www-client/chromium-32.0.1700.6
> 
> Note the change from the previous version.

How is that significant? You ran portage as 2 different users.

It would be more interesting to see the permissions on /var/tmp/portage/www-client/chromium-32.0.1700.14/temp.

This could also be a grsec issue; anything in your kernel log?
Comment 7 Norman Shulman 2013-11-18 23:39:17 UTC
(In reply to Mike Gilbert from comment #6)
> (In reply to Norman Shulman from comment #3)
> > nshulman@nvshp:~
> > $ ls -ld /var/tmp/portage/www-client/chromium-32.0.1700.*
> > drwxrwxr-x 7 portage  portage  4096 Nov 18 03:14
> > /var/tmp/portage/www-client/chromium-32.0.1700.14
> > drwx------ 3 nshulman nshulman 4096 Nov 13 23:57
> > /var/tmp/portage/www-client/chromium-32.0.1700.6
> > 
> > Note the change from the previous version.
> 
> How is that significant? You ran portage as 2 different users.

The first one was run out of cron.daily, the second using sudo.

> It would be more interesting to see the permissions on
> /var/tmp/portage/www-client/chromium-32.0.1700.14/temp.

nshulman@nvshp:~
$ ls -ld /var/tmp/portage/www-client/chromium-32.0.1700.14/temp
drwxrwxr-x 4 portage portage 4096 Nov 18 03:14 /var/tmp/portage/www-client/chromium-32.0.1700.14/temp

> This could also be a grsec issue; anything in your kernel log?

Nov 18 03:14:50 localhost kernel: [1154881.920122] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/www-client/chromium-32.0.1700.14/temp/ffconf.Twxny8Uu.sh by /var/tmp/portage/www-client/chromium-32.0.1700.14/temp/ffconf.Twxny8Uu.sh[configure:6142] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/www-client/chromium-32.0.1700.14/work/chromium-32.0.1700.14/third_party/ffmpeg/configure[configure:5782] uid/euid:250/250 gid/egid:250/250
Comment 8 Mike Gilbert gentoo-dev 2013-11-19 01:01:14 UTC
Ah ha, so my grsec guess was correct. Assigning to hardened.
Comment 9 Norman Shulman 2013-11-26 22:26:21 UTC
Same problem with chromium-32.0.1700.19.
Comment 10 Rick Farina (Zero_Chaos) gentoo-dev 2013-11-27 01:20:48 UTC
ozzie chromium-32.0.1700.14 # pwd
/var/tmp/portage/www-client/chromium-32.0.1700.14
ozzie chromium-32.0.1700.14 # ls -al
total 28
drwxrwxr-x 7 portage portage 4096 Nov 26 20:20 ./
drwxrwxr-x 3 portage portage 4096 Nov 26 20:19 ../
drwxr-xr-x 2 portage portage 4096 Nov 26 20:20 build-info/
drwxr-xr-x 2 root    portage 4096 Nov 26 20:19 distdir/
drwxrwxr-x 2 portage portage 4096 Nov 26 20:19 homedir/
prwxrwx--- 1 root    portage    0 Nov 26 20:20 .ipc_in|
prwxrwx--- 1 root    portage    0 Nov 26 20:20 .ipc_out|
-rw-r--r-- 1 root    root       0 Nov 26 20:19 .logid
-rw-r--r-- 1 portage portage    0 Nov 26 20:20 .prepared
-rw-r--r-- 1 root    root       0 Nov 26 20:19 .setuped
drwxrwxr-x 4 portage portage 4096 Nov 26 20:20 temp/
-rw-r--r-- 1 portage portage    0 Nov 26 20:20 .unpacked
drwx------ 3 portage portage 4096 Nov 26 20:20 work/


My work directory isn't group writable, which makes me think it's not portage default to make it group writable.  Can you show what yours looks like after a failure?
Comment 11 Mike Gilbert gentoo-dev 2013-11-27 01:21:56 UTC
(In reply to Rick Farina (Zero_Chaos) from comment #10)
> My work directory isn't group writable, which makes me think it's not
> portage default to make it group writable.  Can you show what yours looks
> like after a failure?

The script is being run from ${T}, not ${WORKDIR}.
Comment 12 Mike Gilbert gentoo-dev 2013-11-27 01:31:56 UTC
Ah, this is a dup of bug 437732.

*** This bug has been marked as a duplicate of bug 437732 ***
Comment 13 Mike Gilbert gentoo-dev 2013-11-27 01:35:10 UTC
Eh, maybe not exactly a dup. Still hardened's problem -- fix your docs so that you don't break the portage default config.
Comment 14 Rick Farina (Zero_Chaos) gentoo-dev 2013-11-27 01:43:18 UTC
(In reply to Mike Gilbert from comment #13)
> Eh, maybe not exactly a dup. Still hardend's problem -- fix your docs so
> that you don't break the portage default config.

Personally I'd lean toward upstream's problem.  Executing things in a temp directory fails even a basic system security sanity check.  I'll leave this to see if other hardened team members want to say differently but I really don't think things in a temp directory should be expected to be executable.

Best part is, doesn't google make /tmp not executable for chromeos and android?  I guess they must not use their own platforms...
Comment 15 Mike Gilbert gentoo-dev 2013-11-27 02:03:44 UTC
+  27 Nov 2013; Mike Gilbert <floppym@gentoo.org> chromium-32.0.1700.19.ebuild,
+  chromium-33.0.1711.3.ebuild:
+  Override TMPDIR to prevent grsec TPE failures in ffmpeg configure script, bug
+  491582.
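Review bot: the entry says TMPDIR is overridden but not where it now points; since ${T} is 0775 under the default Portage config (comment 7, comment 10) and grsec TPE refuses to execute files in a group-writable directory, the override only helps if the chosen directory is not group-writable, so it would be worth naming the path (and its mode) in the ChangeLog line.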

That should work around the problem; feel free to reopen if you still have trouble.
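As an added diagnostic, not code from this bug, Portage, ffmpeg or grsecurity, the following POSIX shell script reproduces the two checks that collided here: the "file in group-writable directory" condition behind the grsec TPE denial in comment 7, and the create-and-execute sanity test that ffmpeg's configure runs in TMPDIR. It assumes the TMPDIR override from comment 15 points at a directory that is not group-writable, which is what the private 0700 directory in the demo stands in for.

```shell
#!/bin/sh
# Hypothetical helper for checking whether a directory can serve as TMPDIR
# on a kernel enforcing grsec TPE. Not part of Portage, ffmpeg or grsecurity.

# Returns 0 when the directory is group- or world-writable (TPE would deny
# executing anything created in it), 1 when it is not, 2 when it is missing.
dir_writable_by_others() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    case $perms in
        ?????w*|????????w*) return 0 ;;   # group write bit or other write bit set
        *)                  return 1 ;;
    esac
}

# The sanity test ffmpeg's configure performs: write a "#! /bin/sh" script
# into the directory, chmod +x it and run it. Returns 0 on success, else the
# exec failure status (noexec mount, TPE denial, ...).
tmpdir_exec_test() {
    script=$(mktemp "$1/ffconf.XXXXXX") || return 1
    printf '#! /bin/sh\nexit 0\n' > "$script"
    chmod +x "$script"
    "$script" 2>/dev/null
    status=$?
    rm -f "$script"
    return $status
}

# Combined verdict: 0 = usable as TMPDIR, 1 = would fail, 2 = not a directory.
check_tmpdir() {
    dir_writable_by_others "$1"
    case $? in
        0) echo "$1: group/world-writable; grsec TPE would deny exec" >&2; return 1 ;;
        2) echo "$1: not a directory" >&2; return 2 ;;
    esac
    tmpdir_exec_test "$1" || { echo "$1: cannot create and execute files" >&2; return 1; }
    return 0
}

# Demo: a 0775 directory like Portage's ${T} fails the TPE condition, a
# private 0700 directory passes both checks.
run_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -m 0775 "$demo/temp" && mkdir -m 0700 "$demo/private"
    check_tmpdir "$demo/temp"    && echo "unexpected: temp accepted"
    check_tmpdir "$demo/private" && echo "private directory accepted"
    rm -rf "$demo"
}
```

Run it as `sh check_tmpdir.sh` after appending a call to `run_demo`, or source it and call `check_tmpdir /var/tmp/portage/<pkg>/temp` on a hardened box to see the denial condition before configure trips over it.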