Bug 647678 - sys-devel/patch-2.7.6-r1 sandbox violation mkdir /usr/tmp
Summary: sys-devel/patch-2.7.6-r1 sandbox violation mkdir /usr/tmp
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Duplicates: 678492 678494 678566 678574 678582
Depends on:
Blocks:
 
Reported: 2018-02-15 00:55 UTC by Francesco Riosa
Modified: 2019-03-03 00:41 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info sys-devel/patch-2.7.6-r1 (emerge--info-sys-devel-patch-2.7.6-r1.log, 5.54 KB, text/x-log), 2018-02-15 00:55 UTC, Francesco Riosa

Description Francesco Riosa 2018-02-15 00:55:02 UTC
Created attachment 519584
emerge --info sys-devel/patch-2.7.6-r1

Emerging sys-devel/patch incurs a sandbox violation after the configure phase is completed; notice that the system is using the experimental 17.1 profiles.
Comment 1 Francesco Riosa 2018-02-15 00:56:45 UTC
MAKEOPTS=-j1 emerge -1 -j1 patch
Calculating dependencies... done!

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) sys-devel/patch-2.7.6-r1::gentoo
 * patch-2.7.6.tar.xz BLAKE2B SHA512 size ;-) ...                                               [ ok ]
>>> Unpacking source...
>>> Unpacking patch-2.7.6.tar.xz to /var/tmp/portage/sys-devel/patch-2.7.6-r1/work
>>> Source unpacked in /var/tmp/portage/sys-devel/patch-2.7.6-r1/work
>>> Preparing source in /var/tmp/portage/sys-devel/patch-2.7.6-r1/work/patch-2.7.6 ...
 * Applying patch-2.7.6-fix-test-suite.patch ...                                                [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-devel/patch-2.7.6-r1/work/patch-2.7.6 ...
 * econf: updating patch-2.7.6/build-aux/config.sub with /usr/share/gnuconfig/config.sub
 * econf: updating patch-2.7.6/build-aux/config.guess with /usr/share/gnuconfig/config.guess
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --docdir=/usr/share/doc/patch-2.7.6-r1 --htmldir=/usr/share/doc/patch-2.7.6-r1/html --libdir=/usr/lib64 --enable-xattr --program-prefix=
checking for a BSD-compatible install... /usr/lib/portage/python3.6/ebuild-helpers/xattr/install
[...]
checking for long file names...  * ACCESS DENIED:  MKDIR:        /usr/tmp/cf703                        yes
[...]
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating config.h
config.status: executing depfiles commands
>>> Source configured.
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-574.log"
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: MKDIR
S: deny
P: /usr/tmp/cf703
A: /usr/tmp/cf703
R: /usr/tmp/cf703
C: mkdir /usr/tmp/cf703
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 12:46:58 UTC
*** Bug 678494 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 14:16:10 UTC
*** Bug 678492 has been marked as a duplicate of this bug. ***
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 14:17:40 UTC
*** Bug 678566 has been marked as a duplicate of this bug. ***
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 14:18:10 UTC
*** Bug 678492 has been marked as a duplicate of this bug. ***
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 14:18:14 UTC
*** Bug 678574 has been marked as a duplicate of this bug. ***
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 14:18:19 UTC
*** Bug 678582 has been marked as a duplicate of this bug. ***
Comment 8 Ben Kohler gentoo-dev 2019-02-22 14:23:37 UTC
You have a lot of outdated system packages including sandbox itself.  Did you try upgrading sandbox?
Comment 9 Mike Gilbert gentoo-dev 2019-02-22 14:59:00 UTC
The configure script attempts to create a directory "/usr/tmp/cf$$" only if /usr/tmp already exists and is writable.

/usr/tmp does not exist on a normal system.

You should either remove /usr/tmp, or add it to SANDBOX_WRITE in /etc/sandbox.conf.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-22 16:52:26 UTC
This resolution does not make sense. If /usr/tmp exists, that is a local error and regarded as invalid, but then you open a bug report asking for /usr/tmp to be exempted from sandbox violation? The new bug report validates this one.
Comment 11 Mike Gilbert gentoo-dev 2019-02-22 17:05:55 UTC
I'm not sure what the proper resolution for this bug would be; there's no bug to be fixed in sys-devel/patch.

The new bug I filed is more an enhancement request to handle a mis-configuration that a user might unwittingly create.
Comment 12 Mike Gilbert gentoo-dev 2019-02-22 17:30:54 UTC
Ok, apparently we already whitelist /usr/tmp/cf in sys-apps/sandbox.

Per comment 8 please upgrade sandbox. Also make sure that /etc/sandbox.d/00default has that path in SANDBOX_WRITE.
Comment 13 3uklz9+cwyw433xfnykw 2019-03-01 09:42:10 UTC
Whitelisting /usr/tmp/cf is not enough, because the temporary directory the package tries to create is /usr/tmp/cf1234, not /usr/tmp/cf/1234. Which of these two should the package use?

sys-devel/patch-2.7.5 had no sandbox problem; it appeared in newer versions.

To fix I tried to add /usr/tmp/cf* and /usr/tmp/cf.* to SANDBOX_WRITE in /etc/sandbox.d/00default, but it didn't work. I guess sandbox does not support patterns or regular expressions.

I added /usr/tmp to SANDBOX_WRITE in /etc/sandbox.d/00default, and it did work. This can be considered a work-around.

Another work-around is:
FEATURES=-usersandbox emerge -1 =sys-devel/patch-2.7.6-r2
Comment 14 3uklz9+cwyw433xfnykw 2019-03-01 10:04:11 UTC
I noticed Mike's comment that /usr/tmp should normally be absent. I had it on my system:
lrwxrwxrwx 1 root root 8 Sep 14  2012 /usr/tmp -> /var/tmp

I removed it:
# rm /usr/tmp

Now the package emerges. I don't know why I had it. I hope the removal is safe and my system won't misbehave without /usr/tmp?
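The thread turns on three facts: configure only tries the mkdir when a candidate temp directory exists and is writable (comment 9), the directory it creates is `cf$$` directly under that path (comment 13), and a stray `/usr/tmp -> /var/tmp` symlink is enough to trigger it (comment 14). The following preflight script is an added example, not code from this bug, from sys-devel/patch or from autoconf; it assumes the candidate list `/tmp /var/tmp /usr/tmp` mirrors what the "checking for long file names" probe walks, and takes a root prefix so it can be run against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the bug report, sys-devel/patch or autoconf).
# Lists the temp directories that a "long file names" style configure probe
# would try to create "cf$$" in, so a stray /usr/tmp can be found before a
# build hits the sandbox. The candidate list below is an assumption about
# what the probe walks; ROOT ("" for the live system) prefixes every path.

# probe_tmp_dirs ROOT: print each candidate that exists and is writable.
# Symlinked candidates are printed as "dir -> target (symlink)".
probe_tmp_dirs() {
    root=${1%/}
    for d in /tmp /var/tmp /usr/tmp; do
        p="$root$d"
        # configure only attempts mkdir when the dir exists and is writable
        [ -d "$p" ] && [ -w "$p" ] || continue
        if [ -L "$p" ]; then
            printf '%s -> %s (symlink)\n' "$d" "$(readlink "$p")"
        else
            printf '%s\n' "$d"
        fi
    done
}

# usr_tmp_present ROOT: exit 0 if ROOT/usr/tmp would be probed (the
# trigger in this bug), 1 if it is absent or not writable.
usr_tmp_present() {
    probe_tmp_dirs "$1" | grep -q '^/usr/tmp'
}

# make_fixture: build a constructed tree shaped like the reporter's system
# in comment 14 (/usr/tmp is a symlink to /var/tmp); prints its path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/tmp" "$fx/var/tmp" "$fx/usr"
    ln -s ../var/tmp "$fx/usr/tmp"
    printf '%s\n' "$fx"
}
```

Run `usr_tmp_present ""` on a real host; a 0 exit means the same mkdir seen in the ACCESS VIOLATION SUMMARY above would be attempted, and `probe_tmp_dirs ""` shows where the symlink points.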
Comment 15 Mike Gilbert gentoo-dev 2019-03-02 04:07:51 UTC
Here's a simple test if you still have a /usr/tmp directory:

> sandbox test -w /usr/tmp/. ; echo $?

This should output 1 with a default sandbox config. If this outputs 0, then there may be a bug in the sandbox code.
Comment 16 Ulenrich 2019-03-03 00:41:04 UTC
(In reply to Mike Gilbert from comment #15)
> Here's a simple test if you still have a /usr/tmp directory:
> 
> > sandbox test -w /usr/tmp/. ; echo $?
> 
> This should output 1 with a default sandbox config. If this outputs 0, then
> there may be a bug in the sandbox code.

sys-apps/sandbox-2.15 with all /etc config files of the package untouched:
---
# sandbox test -w /usr/tmp/. ; echo $?
0
---