| 1 |
On 2013-12-20, Mike Gilbert <floppym@g.o> wrote: |
| 2 |
> On Fri, Dec 20, 2013 at 12:22 PM, Grant Edwards |
| 3 |
><grant.b.edwards@×××××.com> wrote: |
| 4 |
>> On 2013-12-20, Grant Edwards <grant.b.edwards@×××××.com> wrote: |
| 5 |
>>> One of my systems has suddenly started displaying a lot of error |
| 6 |
>>> messages any time any package is emerged: |
| 7 |
>>> |
| 8 |
>>> >>> Emerging (1 of 1) x11-terms/rxvt-unicode-9.18 |
| 9 |
>>> * rxvt-unicode-9.18.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ] |
| 10 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 11 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 12 |
>>> >>> Unpacking source... |
| 13 |
>>> >>> Unpacking rxvt-unicode-9.18.tar.bz2 to /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work |
| 14 |
>>> >>> Source unpacked in /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work |
| 15 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 16 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 17 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 18 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
| 19 |
>>> [...] |
| 20 |
>> |
| 21 |
>> This seems to have been caused by my setting the NET_RAW capability on |
| 22 |
>> /usr/bin/python2.7. I maintain several Python applications that have |
| 23 |
>> to use raw sockets, and I got tired of having to use "sudo" to test |
| 24 |
>> them -- I also thought it would be safer if I tested them with the |
| 25 |
>> minimum capabilities required. But, it appears that setting that |
| 26 |
>> capability on the python executable (setting it on a .py file is |
| 27 |
>> pointless) breaks the sandbox feature used by emerge. |
| 28 |
>> |
| 29 |
>> After removing the NET_RAW capability from /usr/bin/python2.7 the |
| 30 |
>> sandbox errors went away. |
| 31 |
>> |
| 32 |
>> So now it's back to running my Python apps as root when all they |
| 33 |
>> really need is raw sockets... |
| 34 |
> |
| 35 |
> An couple of workarounds for you: |
| 36 |
> |
| 37 |
> 1. Create a copy of the python2.7 binary, set the NET_RAW cap on that. |
| 38 |
|
| 39 |
That's not a bad idea. |
| 40 |
|
| 41 |
> 2. Create a small wrapper in C that calls the python2.7 binary. Set |
| 42 |
> the NET_RAW cap on the wrapper binary. |
| 43 |
|
| 44 |
AFAICT, that won't work -- but I think something similar will. The |
| 45 |
NET_RAW capability will be lost when the wrapper binary does the |
| 46 |
fork/exec. But, I could set CAP_SETPCAP for the wrapper binary which |
| 47 |
would then be able to fork/exec a child python process and set the |
| 48 |
NET_RAW capability for that process. |
| 49 |
|
| 50 |
Sure would be easier if network interfaces showed up under /dev so you |
| 51 |
could use normal group permissions to deal with things like this... |
| 52 |
|
| 53 |
-- |
| 54 |
Grant Edwards grant.b.edwards Yow! If I felt any more |
| 55 |
at SOPHISTICATED I would DIE |
| 56 |
gmail.com of EMBARRASSMENT! |
Archives