When the db backend for nss data is used via nsswitch, e.g.:

protocols: db files ldap
services:  db files ldap
rpc:       db files ldap
ethers:    db files ldap

nss-db causes access violations in the sandbox. I think that sandbox should have these databases added to its primary addpredict list.

>>> Install php-4.3.11 into /dev/shm/portage/php-4.3.11/image/ category dev-php
 * Running make INSTALL_ROOT=/dev/shm/portage/php-4.3.11/image/ install
Installing PHP CLI binary:        /dev/shm/portage/php-4.3.11/image//usr/bin/
Installing PHP CLI man page:      /dev/shm/portage/php-4.3.11/image//usr/share/man/man1/
Installing shared extensions:     /dev/shm/portage/php-4.3.11/image//usr/lib/extensions/no-debug-non-zts-20020429/
Installing PEAR environment:      /dev/shm/portage/php-4.3.11/image//usr/lib/php/
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/services.db
ACCESS DENIED  open_wr:   /var/db/services.db
ACCESS DENIED  open_wr:   /var/db/services.db
[PEAR] Archive_Tar    - installed: 1.1
[PEAR] Console_Getopt - installed: 1.2
[PEAR] PEAR           - installed: 1.3.5
Wrote PEAR system config file at: /dev/shm/portage/php-4.3.11/image///etc/pear.conf
You may want to add: /usr/lib/php to your php.ini include_path
No log handling enabled - turning on stderr logging
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/protocols.db
ACCESS DENIED  open_wr:   /var/db/services.db
ACCESS DENIED  open_wr:   /var/db/services.db
ACCESS DENIED  open_wr:   /var/db/services.db
[PEAR] HTML_Template_IT     - installed: 1.1
[PEAR] Net_UserAgent_Detect - installed: 2.0.1
[PEAR] XML_RPC              - installed: 1.2.2
No log handling enabled - turning on stderr logging
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
read_config_store open failure on //var/lib/net-snmp/snmpapp.conf
Installing build environment:     /dev/shm/portage/php-4.3.11/image//usr/lib/php/build/
Installing header files:          /dev/shm/portage/php-4.3.11/image//usr/include/php/
Installing helper programs:       /dev/shm/portage/php-4.3.11/image//usr/bin/
  program: phpize
  program: php-config
  program: phpextdist
 * Setting extension_dir in php.ini
 * Installing JAR for PHP
 * Installing Java test page
 * Setting correct include_path
patching file php.ini-dist
chmod: cannot access `/dev/shm/portage/php-4.3.11/image//usr/lib/php/run-tests.php': No such file or directory
 * Fixing PEAR cache location
 * Installing manpage
man:
>>> Completed installing php-4.3.11 into /dev/shm/portage/php-4.3.11/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-dev-php_-_php-4.3.11-7477.log"

open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/services.db
open_wr:   /var/db/services.db
open_wr:   /var/db/services.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/protocols.db
open_wr:   /var/db/services.db
open_wr:   /var/db/services.db
open_wr:   /var/db/services.db
--------------------------------------------------------------------------------

Portage 2.0.51.21 (default-linux/x86/2005.0, gcc-3.4.3, glibc-2.3.5-r0, 2.6.10-gentoo-r4 i686)
=================================================================
System uname: 2.6.10-gentoo-r4 i686 AMD Athlon(tm) XP 3000+
Gentoo Base System version 1.6.11
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [disabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.2
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r8
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.11
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=athlon-xp -ggdb3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=athlon-xp -ggdb3 -pipe"
DISTDIR="/usr/portage-distfiles"
FEATURES="autoconfig buildpkg collision-protect cvs digest distlocks nostrip sandbox sfperms userpriv"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en_US"
MAKEOPTS="-j1"
PKGDIR="/usr/portage-packages"
PORTAGE_TMPDIR="/dev/shm"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://yamato/gentoo-portage"
USE="x86 3dnow X Xaw3d aalib acl acpi alsa amd apache2 apm arts avi berkdb bitmap-fonts caps cdr cgi clearpasswd crypt cscope cups curl divx4linux dri dts dvd dvdr eds emboss encode erandom escreen esd ethereal expat f77 faac faad fam flac flash foomaticdb fortran gcj gd gdbm gif glx gnome gpm gstreamer ieee1394 imagemagick imap imlib innodb ipalias ipv6 jabber jack java javascript jikes jpeg junit kde ldap libwww lm_sensors mad maildir mcal md5sum mikmod mmx motif mozcalendar mozdevelop mozsvg mozxmlterm mp3 mpeg multitarget nas ncurses nls nptl oav objc offensive ogg oggvorbis opengl pam pcap pda pdflib perl pic plotutils png pnp ppds python quicktime rdesktop readline rpc samba scanner sdl slang slp snmp socks5 speex spell sqlite sse ssl tcltk tcpd tetex theora tidy tiff truetype truetype-fonts type1 type1-fonts ungif usb userlocales v4l v4l2 vorbis wifi wmf wxwindows xinerama xml xml2 xmms xosd xrandr xscreensaver xv xvid zlib linguas_en_US"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS
Can't nss-db just add a /etc/env.d/ file that has those two added to SANDBOX_PREDICT?

----
echo SANDBOX_PREDICT="/var/db/protocols.db:/var/db/services.db" > $T/90nss-db
newenvd $T/90nss-db
----
azarah: unfortunately that breaks when multiple files in env.d start using it (unless it gets special handling like LDPATH etc).
easy enough to treat SANDBOX_PREDICT as a special var ... but if we put it into env.d, that pollutes a user's normal env ...
Ok, I was tracing this down in nss-db. Basically, the db_upgrade method (from sys-libs/db) is called, and it opens the database as read-write.

Possible solutions:
1. block the db_upgrade in nss-db - upgrades might get nasty then
2. change the db_upgrade method in db to check while read-only.
3. add all db files to the predict list in sandbox (easiest to do):
/var/db/aliases.db:/var/db/netgroup.db:/var/db/netmasks.db:/var/db/ethers.db:/var/db/rpc.db:/var/db/protocols.db:/var/db/services.db:/var/db/networks.db:/var/db/hosts.db:/var/db/group.db:/var/db/passwd.db
ok, #1 and #2 don't fly. please add all db files to the predict list in our upstream sandbox:
/var/db/aliases.db:/var/db/netgroup.db:/var/db/netmasks.db:/var/db/ethers.db:/var/db/rpc.db:/var/db/protocols.db:/var/db/services.db:/var/db/networks.db:/var/db/hosts.db:/var/db/group.db:/var/db/passwd.db
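As an added illustration (not code from this bug, from sandbox or from nss-db), the script below ties together the two points made above: it derives, from an nsswitch.conf like the one in the report, which /var/db/<name>.db files the nss-db backend (and therefore db_upgrade's read-write open) will touch, and prints them in the colon-separated form SANDBOX_PREDICT takes; it then shows why the env.d approach breaks, by merging two constructed env.d fragments that both set SANDBOX_PREDICT once as an ordinary variable (last file wins) and once with the colon-join handling that LDPATH gets. The sample nsswitch.conf, the two env.d fragments and the helper names are constructed for the example; the /var/db/<name>.db naming follows the paths listed in the comments above.

```shell
#!/bin/sh
# Added example for this bug thread; not part of sandbox or nss-db.

# Constructed nsswitch.conf, matching the chains given in the report.
SAMPLE_NSSWITCH='
passwd:    compat
shadow:    compat
group:     compat
hosts:     files dns
protocols: db files ldap
services:  db files ldap
rpc:       db files ldap
ethers:    db files ldap
'

# Constructed env.d fragments: the one proposed above for nss-db, and a
# second package that also wants a SANDBOX_PREDICT entry.
FRAG_NSS_DB='SANDBOX_PREDICT="/var/db/protocols.db:/var/db/services.db"'
FRAG_OTHER='SANDBOX_PREDICT="/var/lib/net-snmp/snmpapp.conf"'

# Print the names of the nss databases whose lookup chain contains the
# "db" backend, one per line, in nsswitch.conf order.
nss_db_databases() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) if ($i == "db") { print db; break }
        }'
}

# Map those names to the /var/db/<name>.db files nss-db opens and join
# them with ":" as SANDBOX_PREDICT expects.
predict_list_for() {
    nss_db_databases "$1" | awk '
        { printf "%s/var/db/%s.db", (NR > 1 ? ":" : ""), $1 }
        END { printf "\n" }'
}

# Extract VAR="..." from one env.d fragment (empty if not set there).
frag_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# Value VAR ends up with when env-update treats it as an ordinary
# variable: whichever fragment is processed last wins, so the nss-db
# entries are silently dropped.
merge_last_wins() {
    var=$1; shift
    val=
    for frag in "$@"; do
        v=$(frag_value "$var" "$frag")
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# Value VAR ends up with if env-update gave it the colon-join handling
# that LDPATH and friends get: every fragment's entries survive.
merge_colon_join() {
    var=$1; shift
    val=
    for frag in "$@"; do
        v=$(frag_value "$var" "$frag")
        [ -z "$v" ] && continue
        if [ -z "$val" ]; then val=$v; else val="$val:$v"; fi
    done
    printf '%s\n' "$val"
}

# Stand-alone usage: show what each helper derives from the samples.
printf 'SANDBOX_PREDICT from nsswitch.conf: %s\n' \
    "$(predict_list_for "$SAMPLE_NSSWITCH")"
printf 'env.d, ordinary variable:           %s\n' \
    "$(merge_last_wins SANDBOX_PREDICT "$FRAG_NSS_DB" "$FRAG_OTHER")"
printf 'env.d, colon-join handling:         %s\n' \
    "$(merge_colon_join SANDBOX_PREDICT "$FRAG_NSS_DB" "$FRAG_OTHER")"
```

The first line of output is the list that would have to be predicted for this nsswitch.conf; the second line is the breakage described above (only the net-snmp path survives), and the third is what it would take on the env.d side to make the approach safe, which is why the thread settles on putting the whole /var/db list into sandbox itself.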
Created attachment 62516: Patch for sandbox.c to add items to PREDICT list.
Released 1.2.10 which should fix this, thanks.