Valdrax n00b
Joined: 08 Sep 2008 Posts: 6
Posted: Sun Nov 03, 2013 2:54 am Post subject: Grsec TPE blocking ffmpeg rebuild (need workaround advice!)
I've run into a problem rebuilding all versions of media-video/ffmpeg on my system that seems to be caused by grsec & the trusted path execution setting. After some digging, I found that the build was failing in the ./configure step. The ./configure script for ffmpeg creates a number of temporary files in TMPDIR and then tries to execute one as a sanity check. This fails with the following error in dmesg:
Quote:
    [241955.536102] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-1.0.7/tmp/ffconf.OMSOXU5s.sh by /var/tmp/portage/media-video/ffmpeg-1.0.7/temp/ffconf.OMSOXU5s.sh[configure:24397] uid/euid 250/250 gid/egid 250/250, parent /var/tmp/portage/media-video/ffmpeg-1.0.7/work/
The problem is the permissions on the following directory:
Quote:
    drwxrwxr-x 3 portage portage 4096 Nov 2 21:31 /var/tmp/portage/media-video/ffmpeg-1.0.7/temp
I'm not sure why the temp directory is group writable, but it's that way in every other ebuild I checked, and it's causing this particular build to fail for trying to execute out of it. I am not a master of portage, so I don't know if there's anything I can do to patch the build process to mark the directory as not group-writable. I'm sure there has to be a way, but since portage wipes and recreates the directories at every new emerge, I don't know how to get past this.
Can anyone think of a good workaround for this?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Nov 03, 2013 5:05 pm
I suggest fixing ffmpeg not to execute content in temporary directories. That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties. Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.
Valdrax n00b
Joined: 08 Sep 2008 Posts: 6
Posted: Sun Nov 03, 2013 7:08 pm
Hu wrote:
    I suggest fixing ffmpeg not to execute content in temporary directories. That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties. Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.
Fixing a package upstream seems a bit hefty for a workaround. Do you have a suggestion that's a bit more of a local fix?
If you report this as a bug, please let me know. I'd love to, but I have issues with the way the bug tracking system handles emails that are off-topic here.
elmar283 Guru
Joined: 06 Dec 2004 Posts: 316 Location: Haarlem, Netherlands
Posted: Sun Nov 03, 2013 7:12 pm
What helped for me is rebooting from a USB stick (or a DVD/CD) with the Gentoo livecd.
I chrooted into my system and then emerged ffmpeg. It is not a real fix, but it solves your problem until you have to re-emerge or update 'ffmpeg' again.
Valdrax n00b
Joined: 08 Sep 2008 Posts: 6
Posted: Sun Dec 08, 2013 7:01 pm
I eventually used a brute-force workaround. Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, log in as root, and run the following before starting the emerge:
    # Loop until interrupted (Ctrl-C); stripping group write from Portage's temp dir
    # satisfies TPE's "group-writable directory" rule. chmod's error is silenced
    # because the glob matches nothing until Portage has created the directory.
    while true; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/ 2>/dev/null; sleep 0.1; done
Once the configure step is done, and the code starts getting compiled, it's safe to kill the loop in that window.
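The chmod loop above races against Portage creating the directory and needs a root shell kept open for the duration. As an added example (not code from this thread, from ffmpeg or from Portage), the script below does two things: it reports whether a directory has the group- or world-write bit that the grsec denial line in the first post names, and it packages the same chmod into a Portage phase hook so it runs once, at the right moment, as the build user that owns the directory. Assumptions: GNU or busybox stat(1) for "stat -c %a"; Portage's /etc/portage/bashrc phase-hook convention (a pre_src_configure function, with ${T}, ${CATEGORY} and ${PN} set by Portage), which the reader should confirm exists on their Portage version; the function names tpe_dir_status, tpe_dir_ok and tpe_fix_dir are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the condition grsec TPE cites
# ("file in group-writable directory") and clears it on Portage's ${T} before
# ffmpeg's configure runs, instead of racing it with a chmod loop.
# Assumptions: GNU/busybox stat(1); Portage /etc/portage/bashrc phase hooks
# (pre_src_configure, with ${T}, ${CATEGORY}, ${PN} set by Portage).

# tpe_dir_status DIR: print "ok", "group-writable", "world-writable" or "missing".
# Only the write bits are inspected. TPE also applies ownership rules (root, or
# the executing user depending on configuration), which this check does not model.
tpe_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    mode=$(stat -c '%a' "$dir")        # e.g. 775, or 1777 for a sticky /tmp
    ugo=${mode#"${mode%???}"}          # last three octal digits: user, group, other
    g=${ugo#?}; g=${g%?}               # group digit
    o=${ugo#??}                        # other digit
    status=ok
    case $g in 2|3|6|7) status=group-writable ;; esac   # write bit is 2
    case $o in 2|3|6|7) status=world-writable ;; esac   # the worse finding wins
    echo "$status"
}

# tpe_dir_ok DIR: succeed only when tpe_dir_status reports "ok".
tpe_dir_ok() {
    [ "$(tpe_dir_status "$1")" = ok ]
}

# tpe_fix_dir DIR: drop group and other write permission. Same effect as the
# chmod 755 in the thread on a 775 directory, without touching user or sticky bits.
tpe_fix_dir() {
    chmod go-w "$1"
}

# Portage phase hook (put in /etc/portage/bashrc). ${T} is the per-build temp
# directory that ffmpeg's configure executes its test scripts from. It runs as
# the build user, which owns ${T}, so no root shell is needed.
pre_src_configure() {
    case "${CATEGORY}/${PN}" in
        media-video/ffmpeg)
            if ! tpe_dir_ok "${T}"; then
                echo "TPE: ${T} is $(tpe_dir_status "${T}"), dropping write bits" >&2
                tpe_fix_dir "${T}"
            fi
            ;;
    esac
}

# Stand-alone use: report each directory named on the command line.
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(tpe_dir_status "$d")"
done
```

Run it as "sh tpe-check.sh /var/tmp/portage/media-video/ffmpeg-1.0.7/temp /tmp" to see why a directory would be refused; for a world-writable (1777) /tmp this also illustrates Hu's point that a noexec or TPE-protected /tmp is where a configure script that executes its own temp files breaks. The hook only addresses the write-bit condition the posted denial names; if TPE's ownership rules are what trips for your configuration, the reason in the grsec denial line will differ and a chmod will not help.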
ManBiteDog n00b
Joined: 17 May 2014 Posts: 3
Posted: Fri May 23, 2014 6:25 am
Valdrax wrote:
    I eventually used a brute-force workaround. Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, log in as root, and run the following before starting the emerge:
        # Loop until interrupted (Ctrl-C); chmod's error is silenced because the
        # glob matches nothing until Portage has created the directory.
        while true; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/ 2>/dev/null; sleep 0.1; done
    Once the configure step is done, and the code starts getting compiled, it's safe to kill the loop in that window.
I know this post is rather old, but THANK YOU! Same problem as OP happened here and your post managed to save the day!
I'm saving that little script for later.