Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Grsec TPE blocking ffmpeg rebuild (need workaround advise!)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Valdrax
n00b
n00b


Joined: 08 Sep 2008
Posts: 6

PostPosted: Sun Nov 03, 2013 2:54 am    Post subject: Grsec TPE blocking ffmpeg rebuild (need workaround advise!) Reply with quote

I've run into a problem rebuilding all versions of media-video/ffmpeg on my system that seems to be caused by grsec & the trusted path execution setting. After some digging, I found that the build was failing in the ./configure step. The ./configure script for ffmpeg creates a number of temporary files in TMPDIR and then tries to execute one as a sanity check. This fails with the following error in dmesg:

Quote:
[241955.536102] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-1.0.7/tmp/ffconf.OMSOXU5s.sh by /var/tmp/portage/media-video/ffmpeg-1.0.7/temp/ffconf.OMSOXU5s.sh[configure:24397] uid/euid 250/250 gid/egid 250/250, parent /var/tmp/portage/media-video/ffmpeg-1.0.7/work/


The problem is the permissions on the following directory:
Quote:
drwxrwxr-x 3 portage portage 4096 Nov 2 21:31 /var/tmp/portage/media-video/ffmpeg-1.0.7/temp


I'm not sure why the temp directory is group writable, but it's that way in every other ebuild I checked, and it's causing this particular build to fail for trying to execute out of it. I am not a master of portage, so I don't know if there's anything I can do to patch the build process to mark the directory as not group-writable. I'm sure there has to be a way, but since portage wipes and recreates the directories at every new emerge, I don't know how to get past this.

Can anyone think of a good workaround for this?
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8979

PostPosted: Sun Nov 03, 2013 5:05 pm    Post subject: Reply with quote

I suggest fixing ffmpeg not to execute content in temporary directories. That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties. Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.
Back to top
View user's profile Send private message
elmar283
Apprentice
Apprentice


Joined: 06 Dec 2004
Posts: 194
Location: Netherlands

PostPosted: Sun Nov 03, 2013 5:28 pm    Post subject: Reply with quote

I have the same problem. I reported here: http://forums.gentoo.org/viewtopic-p-7430700.html?sid=d6c9374b463b013471bc941d7ffdcaa3

I have no answer how to solve it, yet.
Back to top
View user's profile Send private message
Valdrax
n00b
n00b


Joined: 08 Sep 2008
Posts: 6

PostPosted: Sun Nov 03, 2013 7:08 pm    Post subject: Reply with quote

Hu wrote:
I suggest fixing ffmpeg not to execute content in temporary directories. That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties. Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.

Fixing a package upstream seems a bit hefty for a workaround. Do you have a suggestion that's a bit more of a local fix?
elmar283 wrote:
I have the same problem. I reported here: http://forums.gentoo.org/viewtopic-p-7430700.html?sid=d6c9374b463b013471bc941d7ffdcaa3

I have no answer how to solve it, yet.

If you report this as a bug, please let me know. I'd love to, but I have issues with the way the bug tracking system handles emails that are off-topic here.
Back to top
View user's profile Send private message
elmar283
Apprentice
Apprentice


Joined: 06 Dec 2004
Posts: 194
Location: Netherlands

PostPosted: Sun Nov 03, 2013 7:12 pm    Post subject: Reply with quote

What helped for me is rebooting on a usb-stick (or an dvd/cd) with the livecd of gentoo.
I chrooted into my system and then emerged ffmpeg. It is not a real fix, but it solves your problem until you have to re-emerge or update 'ffmpeg' again.
Back to top
View user's profile Send private message
Valdrax
n00b
n00b


Joined: 08 Sep 2008
Posts: 6

PostPosted: Sun Dec 08, 2013 7:01 pm    Post subject: Reply with quote

I eventually used a brute-force workaround. Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, login as root, and run the following before starting the emerge:

FOO=1
while [ $FOO -eq 1 ]; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/; sleep 0.1; done

Once the configure step is done, and the code starts getting compiled, it's safe to kill the loop in that window.
Back to top
View user's profile Send private message
ManBiteDog
n00b
n00b


Joined: 17 May 2014
Posts: 1

PostPosted: Fri May 23, 2014 6:25 am    Post subject: Reply with quote

Valdrax wrote:
I eventually used a brute-force workaround. Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, login as root, and run the following before starting the emerge:

FOO=1
while [ $FOO -eq 1 ]; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/; sleep 0.1; done

Once the configure step is done, and the code starts getting compiled, it's safe to kill the loop in that window.


I know this post is rather old, but THANK YOU! Same problem as OP happened here and your post managed to save the day!

I'm saving that little script for later :D
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum