# Portage fails with security errors [SOLVED]

## at

Whenever I try to do an ebuild on a hardened profile now, it always fails with security related errors. For example:

```
# emerge -v1 sys-libs/zlib

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild     U ] sys-libs/zlib-1.2.5-r2 [1.2.3-r1] 0 kB

Total: 1 package (1 upgrade), Size of downloads: 0 kB

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) sys-libs/zlib-1.2.5-r2

 * zlib-1.2.5.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                                                                [ ok ]

 * Package:    sys-libs/zlib-1.2.5-r2

 * Repository: gentoo

 * Maintainer: base-system@gentoo.org

 * USE:        amd64 elibc_glibc kernel_linux userland_GNU

 * FEATURES:   sandbox userpriv usersandbox

>>> Unpacking source...

>>> Unpacking zlib-1.2.5.tar.bz2 to /var/tmp/portage/sys-libs/zlib-1.2.5-r2/work

 * Applying zlib-1.2.5-ldflags.patch ...                                                                                                             [ ok ]

 * Applying zlib-1.2.5-lfs-decls.patch ...                                                                                                           [ ok ]

 * Applying zlib-1.2.5-fbsd_chosts.patch ...                                                                                                         [ ok ]

>>> Source unpacked in /var/tmp/portage/sys-libs/zlib-1.2.5-r2/work

>>> Compiling source in /var/tmp/portage/sys-libs/zlib-1.2.5-r2/work/zlib-1.2.5 ...

/var/tmp/portage/sys-libs/zlib-1.2.5-r2/temp/environment: ./configure: /bin/sh: bad interpreter: Permission denied

 * ERROR: sys-libs/zlib-1.2.5-r2 failed (compile phase):

 *   (no error message)

 * 

 * Call stack:

 *     ebuild.sh, line  56:  Called src_compile

 *   environment, line 2166:  Called die

 * The specific snippet of code:

 *               ./configure --shared --prefix=/usr --libdir=/usr/$(get_libdir) || die;

 * 

 * If you need support, post the output of 'emerge --info =sys-libs/zlib-1.2.5-r2',

 * the complete build log and the output of 'emerge -pqv =sys-libs/zlib-1.2.5-r2'.

 * The complete build log is located at '/var/tmp/portage/sys-libs/zlib-1.2.5-r2/temp/build.log.gz'.

 * The ebuild environment file is located at '/var/tmp/portage/sys-libs/zlib-1.2.5-r2/temp/environment'.

 * S: '/var/tmp/portage/sys-libs/zlib-1.2.5-r2/work/zlib-1.2.5'

>>> Failed to emerge sys-libs/zlib-1.2.5-r2, Log file:

>>>  '/var/tmp/portage/sys-libs/zlib-1.2.5-r2/temp/build.log.gz'
```

```
# ls -l /bin/sh

lrwxrwxrwx 1 root root 4 Jan  7 20:20 /bin/sh -> bash

# ls -l /bin/bash

-rwxr-xr-x 1 root root 1051384 Jan  7 20:20 /bin/bash
```

It makes no difference what package is being built, the error is the same. I could find no additional information in log files.

Thank you for your help!Last edited by at on Sun Apr 03, 2011 2:57 am; edited 1 time in total

----------

## phajdan.jr

Are you using hardened-sources? Have you enabled TPE (Trusted Path Execution) in the kernel? Please post your emerge --info.

----------

## Hu

Also, please show the output of nl /proc/mounts.  The error you show could be caused by trying to build in a filesystem that was mounted as noexec.

----------

## cach0rr0

could it also be caused by the RBAC system? 

might be with disabling that via gradm (if the other two suggestions don't show anything - they know more than I do)

----------

## at

```
# nl /proc/mounts

     1  rootfs / rootfs rw 0 0

     2  /dev/root / jfs rw,relatime 0 0

     3  proc /proc proc rw,relatime 0 0

     4  rc-svcdir /lib64/rc/init.d tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0

     5  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0

     6  udev /dev tmpfs rw,nosuid,relatime,size=10240k,mode=755 0 0

     7  devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0

     8  shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0

   10  nfsd /proc/fs/nfsd nfsd rw,nosuid,nodev,noexec,relatime 0 0

```

I have truncated 'emerge --info' output for the sake of space, but I am using hardened sources. 

```
# emerge --info

Portage 2.1.9.42 (hardened/linux/amd64/no-multilib, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-hardened-r9 x86_64)

=================================================================

System uname: Linux-2.6.36-hardened-r9-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_3800+-with-gentoo-2.0.1

...
```

TPE is enabled:

```

-*- Enforce RLIMIT_NPROC on execs

-*- Dmesg(8) restriction

[*] Deter ptrace-based process snooping

[*] Trusted Path Execution (TPE)

[ ]    Partially restrict all non-root users

[*]    Invert GID option

(53)     GID for trusted users

```

Both root and portage are members of the group for trusted users.

gradmin is enabled and is in full learning mode.

Thank you for your help!

----------

## phajdan.jr

Try adding portage to the TPE trusted group or disabling the following FEATURES: userpriv, usersandbox.

----------

## at

Disabling RBAC system 

```
# gradm -S

The RBAC system is currently disabled.
```

 made no difference.

----------

## phajdan.jr

 *at wrote:*   

> Disabling RBAC system made no difference.

 

It's not the RBAC, I'm pretty sure it's TPE.

----------

## at

Yes, removing 'userpriv' solved the issues.

But why?

My understanding was that 'userpriv' drops from 'root' to 'portage' when doing compilations - which should be a good thing.

Both 'root' and 'portage' are already members of the TPE trusted group. Does that fact get ignored?

Does it mean that with TPE enabled everything must be executed as root???

----------

## at

Apparently, this is a result of a bug.

----------

