# Grsec TPE blocking ffmpeg rebuild (need workaround advice!)

## Valdrax

I've run into a problem rebuilding all versions of media-video/ffmpeg on my system that seems to be caused by grsec & the trusted path execution setting.  After some digging, I found that the build was failing in the ./configure step.  The ./configure script for ffmpeg creates a number of temporary files in TMPDIR and then tries to execute one as a sanity check.  This fails with the following error in dmesg:

 *Quote:*   

> [241955.536102] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/media-video/ffmpeg-1.0.7/tmp/ffconf.OMSOXU5s.sh by /var/tmp/portage/media-video/ffmpeg-1.0.7/temp/ffconf.OMSOXU5s.sh[configure:24397] uid/euid 250/250 gid/egid 250/250, parent /var/tmp/portage/media-video/ffmpeg-1.0.7/work/

 

The problem is the permissions on the following directory:

 *Quote:*   

> drwxrwxr-x  3 portage portage  4096 Nov  2 21:31 /var/tmp/portage/media-video/ffmpeg-1.0.7/temp

 

I'm not sure why the temp directory is group writable, but it's that way in every other ebuild I checked, and it's causing this particular build to fail for trying to execute out of it.  I am not a master of portage, so I don't know if there's anything I can do to patch the build process to mark the directory as not group-writable.  I'm sure there has to be a way, but since portage wipes and recreates the directories at every new emerge, I don't know how to get past this.

Can anyone think of a good workaround for this?

----------
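As an added example (not part of any post in this thread): a small shell check for the condition named in the dmesg line above, reporting whether the directory a file would be executed from is group- or world-writable. The function names `dir_write_status`, `exec_dir_status` and `check_paths` are hypothetical, and only the mode bits are inspected; grsecurity's other TPE criteria (directory ownership, TPE group membership) are not modelled.

```shell
#!/bin/sh
# Added example: flag directories whose mode matches the
# "file in group-writable directory" denial reason quoted above.
# Assumption: only the group/other write bits of the file's own
# directory are checked, not grsecurity's full TPE policy.

# Print "ok", "group-writable", "world-writable" or
# "group+world-writable" for directory $1.
# Returns 0 if ok, 1 if writable by group/other, 2 if stat fails.
dir_write_status() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || { echo "error"; return 2; }
    bits=$(( 0$mode & 022 ))    # keep only g+w (020) and o+w (002)
    case $bits in
        0)  echo "ok"; return 0 ;;
        16) echo "group-writable" ;;
        2)  echo "world-writable" ;;
        18) echo "group+world-writable" ;;
    esac
    return 1
}

# Check the directory containing file $1. The file itself need not
# exist, which suits configure's short-lived test scripts.
exec_dir_status() {
    dir_write_status "$(dirname -- "$1")"
}

# Report every path given; return 1 if any directory is flagged.
check_paths() {
    rc=0
    for f in "$@"; do
        if status=$(exec_dir_status "$f"); then
            printf '%s: %s\n' "$f" "$status"
        else
            printf '%s: %s (matches the denial reason)\n' "$f" "$status"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh tpe-check.sh /var/tmp/portage/<category>/<package>/temp/<file> ...
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```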

## Hu

I suggest fixing ffmpeg not to execute content in temporary directories.  That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties.  Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.

----------

## elmar283

I have the same problem. I reported it here: https://forums.gentoo.org/viewtopic-p-7430700.html?sid=d6c9374b463b013471bc941d7ffdcaa3

I have no answer how to solve it, yet.

----------

## Valdrax

 *Hu wrote:*   

> I suggest fixing ffmpeg not to execute content in temporary directories.  That is generally bad practice anyway, due to the extra care required to ensure that the file is not manipulated by external parties.  Many systems mount the global /tmp as noexec specifically to prevent this practice, so the ffmpeg script would fail there too if Portage had not redirected $TMPDIR into the local area.

 

Fixing a package upstream seems a bit hefty for a workaround.  Do you have a suggestion that's a bit more of a local fix?

 *elmar283 wrote:*   

> I have the same problem. I reported it here: https://forums.gentoo.org/viewtopic-p-7430700.html?sid=d6c9374b463b013471bc941d7ffdcaa3
> 
> I have no answer how to solve it, yet.

 

If you report this as a bug, please let me know.  I'd love to, but I have issues with the way the bug tracking system handles emails that are off-topic here.

----------

## elmar283

What helped for me is rebooting on a usb-stick (or a dvd/cd) with the livecd of gentoo.

I chrooted into my system and then emerged ffmpeg. It is not a real fix, but it solves your problem until you have to re-emerge or update 'ffmpeg' again.

----------

## Valdrax

I eventually used a brute-force workaround.  Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, log in as root, and run the following before starting the emerge:

```bash
FOO=1

# Keep removing group-write from the build's temp dir until interrupted (Ctrl-C)
while [ $FOO -eq 1 ]; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/; sleep 0.1; done
```

Once the configure step is done, and the code starts getting compiled, it's safe to kill the loop in that window.

----------

## ManBiteDog

 *Valdrax wrote:*   

> I eventually used a brute-force workaround.  Not quite the long-term patch I was hoping for, but all you really need to do is open another terminal, login as root, and run the following before starting the emerge:
> 
> ```bash
> FOO=1
> 
> while [ $FOO -eq 1 ]; do chmod 755 /var/tmp/portage/media-video/ffmpeg-*/temp/; sleep 0.1; done
> ```
> ...

 

I know this post is rather old, but THANK YOU! Same problem as OP happened here and your post managed to save the day!

I'm saving that little script for later :D

----------

