trusted tpe & user compilation problems

Posted: Tue Oct 17, 2006 7:18 pm
by bassul
I'm using a hardened gentoo with tpe group inverted (trusted group). When trying to use user compilation with gentoo's package manager (user portage), it fails with the following error:
<< grsec: denied untrusted exec of /var/tmp/portage/ufed-0.40-r1/work/ufed-0.40/configure by /usr/lib/portage/bin/ebuild.sh[ebuild.sh:27130] uid/euid:250/250 gid/egid:250/250, parent /usr/lib/portage/bin/ebuild.sh[ebuild.sh:10173] uid/euid:250/250 gid/egid:250/250 >>

user portage (250 - default gid 250) is in the tpe trusted group (gid 1005).

If I try to change the tpe gid to 250 with sysctl, compilation works.
If I set portage's default gid to 1005, compilation gives the same error.

rights:
/var/tmp drwxrwxrwt root root
/var/tmp/portage drwxrwxr-x root portage
/var/tmp/portage/packageX drwxrwxr-x root portage
/var/tmp/portage/packageX/work drwxr-xr-x portage portage,
same for subdirs

What am I missing?

Re: trusted tpe & user compilation problems

Posted: Thu Oct 19, 2006 11:00 am
by mr.eko
bassul wrote: I'm using a hardened gentoo with tpe group inverted (trusted group).

If I try to change the tpe gid to 250 with sysctl, compilation works.
If I set portage's default gid to 1005, compilation gives the same error.


This is a bug in portage: https://bugs.gentoo.org/show_bug.cgi?id=137610

Posted: Thu Oct 19, 2006 3:27 pm
by bassul
That explains it, thanks for the reply.