Devuan bug report logs - #498
libc6: Permission denied, intermittent in execve

Package: libc6; Maintainer for libc6 is (unknown); Source for libc6 is src:glibc.

Reported by: Alessandro Vesely <vesely@tana.it>

Date: Mon, 27 Jul 2020 08:48:01 UTC

Severity: normal

Tags: debian

Merged with 497

Found in version 2.28-10

Forwarded to https://bugs.debian.org/966343


Message #36 received at 498@bugs.devuan.org (full text, mbox, reply):

To: 966343@bugs.debian.org
Subject: Re: Bug#966343: bug#498: libc6: Permission denied, intermittent in
 execve
From: Alessandro Vesely <vesely@tana.it>
Cc: 498@bugs.devuan.org
Message-ID: <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it>
Date: Mon, 27 Jul 2020 19:01:13 +0200
On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault <sthibault@debian.org> wrote:
> Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit:
> > So this turns out to be a documentation bug.  The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment.
> 
> Well, basically all system calls would then need this...


Yeah, likely.  How many man pages have snippets like "[...] denied for one of the directories in the path [...]"?

Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script:


       EACCES The requested access to the file is not allowed, or search permission is denied for one of the directories in the  path
              prefix  of  pathname, or the file did not exist yet and write access to the parent directory is not allowed.  (See also
              path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix of filename or the name of a  script  interpreter.   (See
              also path_resolution(7).)

       EACCES Write access to the directory containing newpath is denied, or search permission is denied for one of  the  directories
              in the path prefix of oldpath or newpath.  (See also path_resolution(7).)

       EACCES Search permission is denied for a component of the path prefix, or the named file is not writable by  the  user.
              (See also path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix.  (See also path_resolution(7).)


Philip Couling commented that the man page /could/ mention security extensions since they are prevalent. See:
https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529

For execve, for example, one could add that permissions are not derived from file flags only.  For example:

OLD:

       EACCES Execute permission is denied for the file or a script or ELF interpreter.

NEW:

       EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules.


Would that be correct?  Do all "DENIED" operations result in EACCES?  And what do other security modules do?  Hmm...  Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting.


Best
Ale
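
The troubleshooting step the message above asks for, as an added example that is not part of the original message or of glibc: after execve() fails with EACCES, check whether permission flags or a noexec mount explain the denial, and if neither does, look at security-module logs instead. The helper name explain_eacces and the EXPL_* constants are hypothetical; the check is a heuristic and does not inspect a script's or ELF file's interpreter.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc exposes ST_NOEXEC only with this */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8            /* Linux value, in case the header hid it */
#endif

#define EXPL_MODE   1   /* mode bits or path search permission deny execution */
#define EXPL_NOEXEC 2   /* file system is mounted noexec */

/* Hypothetical helper: after execve(path) failed with EACCES, return a mask of
 * explanations visible from user space, 0 if none, -1 if the path is unusable. */
int explain_eacces(const char *path)
{
    struct statvfs vfs;
    int why = 0;

    if (faccessat(AT_FDCWD, path, X_OK, AT_EACCESS) != 0) {
        if (errno != EACCES)
            return -1;          /* ENOENT, ENOTDIR, ...: not a permission issue */
        why |= EXPL_MODE;       /* may also be set on a noexec mount */
    }
    if (statvfs(path, &vfs) == 0 && (vfs.f_flag & ST_NOEXEC))
        why |= EXPL_NOEXEC;
    return why;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/sh";
    int why = explain_eacces(path);

    if (why < 0)
        perror(path);
    else if (why == 0)
        printf("%s: EACCES not explained by flags; check LSM logs (e.g. AppArmor)\n", path);
    else
        printf("%s:%s%s\n", path,
               (why & EXPL_MODE) ? " no execute/search permission" : "",
               (why & EXPL_NOEXEC) ? " noexec mount" : "");
    return 0;
}
```
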


Last modified: Mon Nov 25 21:19:20 2024;