On Fri, Dec 20, 2013 at 12:22 PM, Grant Edwards <grant.b.edwards@×××××.com> wrote:
> On 2013-12-20, Grant Edwards <grant.b.edwards@×××××.com> wrote:
>> One of my systems has suddenly started displaying a lot of error
>> messages any time any package is emerged:
>>
>> >>> Emerging (1 of 1) x11-terms/rxvt-unicode-9.18
>> * rxvt-unicode-9.18.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> >>> Unpacking source...
>> >>> Unpacking rxvt-unicode-9.18.tar.bz2 to /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work
>> >>> Source unpacked in /home/portage/tmp/portage/x11-terms/rxvt-unicode-9.18/work
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
>> [...]
>
> This seems to have been caused by my setting the NET_RAW capability on
> /usr/bin/python2.7. I maintain several Python applications that have
> to use raw sockets, and I got tired of having to use "sudo" to test
> them -- I also thought it would be safer if I tested them with the
> minimum capabilities required. But, it appears that setting that
> capability on the python executable (setting it on a .py file is
> pointless) breaks the sandbox feature used by emerge.
>
> After removing the NET_RAW capability from /usr/bin/python2.7 the
> sandbox errors went away.
>
> So now it's back to running my Python apps as root when all they
> really need is raw sockets...
>

A couple of workarounds for you:

1. Create a copy of the python2.7 binary, set the NET_RAW cap on that.
2. Create a small wrapper in C that calls the python2.7 binary. Set the NET_RAW cap on the wrapper binary.
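
An added example (not code from this thread) of the C wrapper in workaround 2. A capability held only in the wrapper's permitted set is dropped at execve() when the target binary has no file capabilities, so the wrapper first raises CAP_NET_RAW into its ambient set. Assumptions: Linux 4.3 or later (ambient capabilities) with matching kernel headers; the wrapper name `pyraw` is hypothetical.

```c
/* Added example. After building, as root: setcap cap_net_raw+p ./pyraw */
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define PYTHON "/usr/bin/python2.7"            /* interpreter path from the thread */
#define NET_RAW_BIT (1u << CAP_NET_RAW)        /* CAP_NET_RAW is 13: first 32-bit word */
#define NET_RAW ((unsigned long)CAP_NET_RAW)
struct caps { struct __user_cap_header_struct h; struct __user_cap_data_struct d[2]; };

/* Read the calling thread's capability sets with the raw capget syscall. */
static int get_caps(struct caps *c)
{
    c->h.version = _LINUX_CAPABILITY_VERSION_3;
    c->h.pid = 0;                              /* 0 = calling thread */
    return (int)syscall(SYS_capget, &c->h, c->d);
}

/* 1 if CAP_NET_RAW is in the permitted set, 0 if not, -1 on error. */
int net_raw_permitted(void)
{
    struct caps c;
    if (get_caps(&c) != 0) return -1;
    return (c.d[0].permitted & NET_RAW_BIT) ? 1 : 0;
}

/* 1 if CAP_NET_RAW is in the ambient set, i.e. it will survive execve(). */
int net_raw_ambient(void)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, NET_RAW, 0UL, 0UL) == 1;
}

/* Add CAP_NET_RAW to inheritable, then to ambient. 0 on success, -1 on failure. */
int raise_ambient_net_raw(void)
{
    struct caps c;
    if (get_caps(&c) != 0) return -1;
    c.d[0].inheritable |= NET_RAW_BIT;         /* ambient requires permitted AND inheritable */
    if (syscall(SYS_capset, &c.h, c.d) != 0) return -1;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, NET_RAW, 0UL, 0UL) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 1 || raise_ambient_net_raw() != 0) {
        fputs("pyraw: cannot raise CAP_NET_RAW (file capability not set?)\n", stderr);
        return 1;
    }
    argv[0] = PYTHON;
    execv(PYTHON, argv);                       /* fixed path: no PATH lookup */
    perror("execv " PYTHON);
    return 127;
}
```

Anyone who can execute the wrapper gets CAP_NET_RAW for arbitrary Python code, so limit who may run it with file ownership and mode.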