1 |
On 2013-12-20, Mike Gilbert <floppym@g.o> wrote: |
2 |
> On Fri, Dec 20, 2013 at 12:22 PM, Grant Edwards |
3 |
><grant.b.edwards@×××××.com> wrote: |
4 |
>> On 2013-12-20, Grant Edwards <grant.b.edwards@×××××.com> wrote: |
5 |
>>> One of my systems has suddenly started displaying a lot of error |
6 |
>>> messages any time any package is emerged: |
7 |
>>> |
8 |
>>> >>> Emerging (1 of 1) x11-terms/rxvt-unicode-9.18 |
9 |
>>> * rxvt-unicode-9.18.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ] |
10 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
11 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
12 |
>>> >>> Unpacking source... |
13 |
>>> >>> Unpacking rxvt-unicode-9.18.tar.bz2 to /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work |
14 |
>>> >>> Source unpacked in /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work |
15 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
16 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
17 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
18 |
>>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored. |
19 |
>>> [...] |
20 |
>> |
21 |
>> This seems to have been caused by my setting the NET_RAW capability on |
22 |
>> /usr/bin/python2.7. I maintain several Python applications that have |
23 |
>> to use raw sockets, and I got tired of having to use "sudo" to test |
24 |
>> them -- I also thought it would be safer if I tested them with the |
25 |
>> minimum capabilities required. But, it appears that setting that |
26 |
>> capability on the python executable (setting it on a .py file is |
27 |
>> pointless) breaks the sandbox feature used by emerge. |
28 |
>> |
29 |
>> After removing the NET_RAW capability from /usr/bin/python2.7 the |
30 |
>> sandbox errors went away. |
31 |
>> |
32 |
>> So now it's back to running my Python apps as root when all they |
33 |
>> really need is raw sockets... |
34 |
> |
35 |
> An couple of workarounds for you: |
36 |
> |
37 |
> 1. Create a copy of the python2.7 binary, set the NET_RAW cap on that. |
38 |
|
39 |
That's not a bad idea. |
40 |
|
41 |
> 2. Create a small wrapper in C that calls the python2.7 binary. Set |
42 |
> the NET_RAW cap on the wrapper binary. |
43 |
|
44 |
AFAICT, that won't work -- but I think something similar will. The |
45 |
NET_RAW capability will be lost when the wrapper binary does the |
46 |
fork/exec. But, I could set CAP_SETPCAP for the wrapper binary which |
47 |
would then be able to fork/exec a child python process and set the |
48 |
NET_RAW capability for that process. |
49 |
|
50 |
Sure would be easier if network interfaces showed up under /dev so you |
51 |
could use normal group permissions to deal with things like this... |
52 |
|
53 |
-- |
54 |
Grant Edwards grant.b.edwards Yow! If I felt any more |
55 |
at SOPHISTICATED I would DIE |
56 |
gmail.com of EMBARRASSMENT! |