From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Alessandro Vesely , 498@bugs.devuan.org Resent-From: Alessandro Vesely Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 08:48:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: report 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: Received: via spool by submit@bugs.devuan.org id=B.159583921317098 (code B); Mon, 27 Jul 2020 08:48:01 +0000 Received: (at submit) by bugs.devuan.org; 27 Jul 2020 08:40:13 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 08:40:13 +0000 (UTC) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id C4944F60ACF for ; Mon, 27 Jul 2020 10:32:16 +0200 (CEST) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="CN9r887s"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595838735; bh=zC8GgG2OCI5+W/W4YcXYGCAFbHEHhoZfEyTck4VsPF0=; l=1573; h=References:To:Cc:From:Date:In-Reply-To; b=CN9r887spjYTEkNUAYUn8uQLJPSjHXm9mciyfVYhAr8mCqqWy3ZEcfOT8ApNweI1X K/fhSKMLsrhgjC76PUed+tYDbFUlFvZDo5kMQoJgAU7MWIlw8SAMpbg4XQjF+E2Va0 5dK3Tbaw48bGCqlj0Sx5L2hZnjd7b1+MIhD2pKNDvQgeBM8mtkVB7GL79R4Z1 Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0B4.000000005F1E910F.00007409; Mon, 27 Jul 2020 10:32:15 +0200 To: Debian Bug Tracking System Cc: Devuan Bug Tracking System From: Alessandro Vesely X-Forwarded-Message-Id: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> Message-ID: <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Date: Mon, 27 Jul 2020 10:32:15 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> Content-Type: text/plain; charset=us-ascii Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Package: libc6 Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28. Severity: normal -------- Forwarded Message -------- Subject: libc6: Permission denied, intermittent in execve Date: Mon, 27 Jul 2020 10:25:27 +0200 From: Alessandro Vesely To: Devuan Bug Tracking System Dear Maintainer, in certain situations, execve fails setting errno to EACCESS. The same program, launched by the same user in different ways, succeeds or fails according to preceding actions. None of the failure conditions for EACCESS is met. The case at hand happens with an old version of Thunderbird and a LibreOffice attachment. After saving the attachment, Thunderbird execs gio-launch-desktop. The latter tries to exec libreoffice6.4 and fails. I strace'd the full arguments used in the failed execve(), and copied them to a simple C program which runs just that execve() call. When called from the command line, the program succeeds. Then I replaced the gio-launch-desktop executable with my straw men. When called from Thunderbird, the program fails. See also: https://unix.stackexchange.com/questions/600174/permission-denied-intermittent-in-execve -- System Information: Distributor ID: Debian Description: Devuan GNU/Linux 3 (beowulf) Release: 3 Codename: beowulf Architecture: x86_64 Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Mark Hindley , 498@bugs.devuan.org Resent-From: Mark Hindley Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 09:33:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.159584161221072 (code B ref 498); Mon, 27 Jul 2020 09:33:02 +0000 Received: (at 498) by bugs.devuan.org; 27 Jul 2020 09:20:12 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 09:20:12 +0000 (UTC) Received: from mx.hindley.org.uk (mohindley.plus.com [81.174.245.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id CD493F60B8A for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:14:03 +0200 (CEST) Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk) by mx.hindley.org.uk with smtp (Exim 4.84_2) (envelope-from ) id 1jzzCr-0002w4-HG; Mon, 27 Jul 2020 10:14:01 +0100 Received: (nullmailer pid 31961 invoked by uid 1000); Mon, 27 Jul 2020 09:14:01 -0000 Date: Mon, 27 Jul 2020 10:14:01 +0100 From: Mark Hindley To: Alessandro Vesely , 498@bugs.devuan.org Message-ID: <20200727091401.GQ3011@hindley.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Control: forcemerge 498 497 Control: tags -1 debian Control: forwarded -1 https://bugs.debian.org/966343 Alessandro On Mon, Jul 27, 2020 at 10:32:15AM +0200, Alessandro Vesely wrote: > Package: libc6 > Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28. > Severity: normal > > > -------- Forwarded Message -------- > Subject: libc6: Permission denied, intermittent in execve > Date: Mon, 27 Jul 2020 10:25:27 +0200 > From: Alessandro Vesely > To: Devuan Bug Tracking System > > > Dear Maintainer, > > in certain situations, execve fails setting errno to EACCESS. The same > program, launched by the same user in different ways, succeeds or fails > according to preceding actions. Thanks for this. As you have realised, libc6 is a Debian package that Devuan uses directly without recompilation so this issue is correctly dealt with in Debian's BTS. However, one thought that occurs to me is whether apparmor is causing this? Does disabling it[1] restore predictable behaviour? Thanks. Mark [1] https://wiki.debian.org/AppArmor/HowToUse#Diagnose_if_a_bug_might_have_been_caused_by_AppArmor From unknown Thu Mar 28 20:19:43 2024 Received: (at control) by bugs.devuan.org; 27 Jul 2020 09:20:12 +0000 Return-Path: Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 09:20:12 +0000 (UTC) Received: from mx.hindley.org.uk (mohindley.plus.com [81.174.245.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 58691F60B8A for ; Mon, 27 Jul 2020 11:17:49 +0200 (CEST) Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk) by mx.hindley.org.uk with smtp (Exim 4.84_2) (envelope-from ) id 1jzzGW-0002x3-8r for control@bugs.devuan.org; Mon, 27 Jul 2020 10:17:48 +0100 Received: (nullmailer pid 32094 invoked by uid 1000); Mon, 27 Jul 2020 09:17:48 -0000 Date: Mon, 27 Jul 2020 10:17:48 +0100 From: Mark Hindley To: control@bugs.devuan.org Subject: Re: bug#498: libc6: Permission denied, intermittent in execve Message-ID: <20200727091748.GR3011@hindley.org.uk> References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200727091401.GQ3011@hindley.org.uk> X-Debbugs-No-Ack: No Thanks User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org found 498 2.28-10 From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Alessandro Vesely , 498@bugs.devuan.org Resent-From: Alessandro Vesely Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 10:03:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: debian References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.159584342323099 (code B ref 498); Mon, 27 Jul 2020 10:03:01 +0000 Received: (at 498) by bugs.devuan.org; 27 Jul 2020 09:50:23 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 09:50:23 +0000 (UTC) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id D6C5AF60C32 for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:47:35 +0200 (CEST) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="A6kMLst2"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595843255; bh=M1w3YBJGQluH11gn/N+C1Zi8PYChlxHGILJQ3x5KySM=; l=1391; h=To:References:From:Date:In-Reply-To; b=A6kMLst2zCCIa7U8NxwBLcfKFUIML9u5lPUS9uIjHwhXb7SjFwz3w8kWNrHyYeLOQ B19W5bX9UFXIycht3ajcO8Qt7OctMUVgWViAvTvdlpSi0t3k+tN24xDZAZHPRdB5n1 OAWAsQa9OEg6IWTkLnPqGsyHCRgupXkxTH5R1xkVfyOTh+OlNQkG1CAsFwJ2E Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC056.000000005F1EA2B7.00007DA7; Mon, 27 Jul 2020 11:47:35 +0200 To: Mark Hindley , 498@bugs.devuan.org, 966343@bugs.debian.org From: Alessandro Vesely Message-ID: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> Date: Mon, 27 Jul 2020 11:47:34 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20200727091401.GQ3011@hindley.org.uk> Content-Type: text/plain; charset=us-ascii Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Hi Mark, On Mon 27/Jul/2020 11:14:01 +0200 Mark Hindley wrote: > On Mon, Jul 27, 2020 at 10:32:15AM +0200, Alessandro Vesely wrote: >> Package: libc6 >> Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28. >> Severity: normal >> >> in certain situations, execve fails setting errno to EACCESS. The same >> program, launched by the same user in different ways, succeeds or fails >> according to preceding actions. > > Thanks for this. As you have realised, libc6 is a Debian package that Devuan > uses directly without recompilation so this issue is correctly dealt with in > Debian's BTS. > > However, one thought that occurs to me is whether apparmor is causing this? Does > disabling it[1] restore predictable behaviour? Bingo! Jul 27 09:47:25 pcale kernel: [ 1569.887279] audit: type=1400 audit(1595836045.642:33): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/lib reoffice6.4/program/soffice" pid=5402 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 I dunno how come apparmor got installed. Probably it happened when I upgraded to Beowulf. After aa-teardown and purging apparmor, execve works as expected. So this turns out to be a documentation bug. The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment. Thank you so much Ale From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Mark Hindley , 498@bugs.devuan.org Resent-From: Mark Hindley Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 10:03:10 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: debian References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.159584400123192 (code B ref 498); Mon, 27 Jul 2020 10:03:10 +0000 Received: (at 498) by bugs.devuan.org; 27 Jul 2020 10:00:01 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 10:00:01 +0000 (UTC) Received: from mx.hindley.org.uk (mohindley.plus.com [81.174.245.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 201D5F60C32 for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:53:18 +0200 (CEST) Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk) by mx.hindley.org.uk with smtp (Exim 4.84_2) (envelope-from ) id 1jzzoq-0003A8-Vo; Mon, 27 Jul 2020 10:53:17 +0100 Received: (nullmailer pid 571 invoked by uid 1000); Mon, 27 Jul 2020 09:53:16 -0000 Date: Mon, 27 Jul 2020 10:53:16 +0100 From: Mark Hindley To: Alessandro Vesely Cc: 498@bugs.devuan.org, 966343@bugs.debian.org Message-ID: <20200727095316.GT3011@hindley.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org On Mon, Jul 27, 2020 at 11:47:34AM +0200, Alessandro Vesely wrote: > > However, one thought that occurs to me is whether apparmor is causing this? Does > > disabling it[1] restore predictable behaviour? > > Bingo! > > Jul 27 09:47:25 pcale kernel: [ 1569.887279] audit: type=1400 audit(1595836045.642:33): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/lib > reoffice6.4/program/soffice" pid=5402 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 > > I dunno how come apparmor got installed. Probably it happened when I upgraded > to Beowulf. Yes, it is now the default in Debian buster and Devuan beowulf has inherited that. Mark From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: Bug#966343: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Samuel Thibault , 498@bugs.devuan.org Resent-From: Samuel Thibault Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 10:33:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: debian References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.159584521325614 (code B ref 498); Mon, 27 Jul 2020 10:33:02 +0000 Received: (at 498) by bugs.devuan.org; 27 Jul 2020 10:20:13 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 10:20:12 +0000 (UTC) Received: from hera.aquilenet.fr (hera.aquilenet.fr [185.233.100.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 4717CF60B00 for <498@bugs.devuan.org>; Mon, 27 Jul 2020 12:13:48 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 93BDA96FE; Mon, 27 Jul 2020 12:13:46 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhiH7Du3Bw43; Mon, 27 Jul 2020 12:13:46 +0200 (CEST) Received: from function (lfbn-bor-1-797-11.w86-234.abo.wanadoo.fr [86.234.239.11]) by hera.aquilenet.fr (Postfix) with ESMTPSA id ED57F96DF; Mon, 27 Jul 2020 12:13:45 +0200 (CEST) Received: from samy by function with local (Exim 4.94) (envelope-from ) id 1k008e-003kur-QM; Mon, 27 Jul 2020 12:13:44 +0200 Date: Mon, 27 Jul 2020 12:13:44 +0200 From: Samuel Thibault To: Alessandro Vesely , 966343@bugs.debian.org Cc: Mark Hindley , 498@bugs.devuan.org Message-ID: <20200727101344.wovj4a2l4g4xb2hk@function> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> Organization: I am not organized User-Agent: NeoMutt/20170609 (1.8.3) X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit: > So this turns out to be a documentation bug. The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment. Well, basically all system calls would then need this... Samuel From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: Bug#966343: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Alessandro Vesely , 498@bugs.devuan.org Resent-From: Alessandro Vesely Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Mon, 27 Jul 2020 17:18:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: debian References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> <20200727101344.wovj4a2l4g4xb2hk@function> <20200727101344.wovj4a2l4g4xb2hk@function> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.159586981229945 (code B ref 498); Mon, 27 Jul 2020 17:18:01 +0000 Received: (at 498) by bugs.devuan.org; 27 Jul 2020 17:10:12 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Mon, 27 Jul 2020 17:10:12 +0000 (UTC) Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id 2766CF604BE for <498@bugs.devuan.org>; Mon, 27 Jul 2020 19:01:14 +0200 (CEST) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="BEFcr2Ej"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1595869273; bh=OeAyQIUy2iB26YtEzRGjpIi4J5tLdgziq2OmoQA7bS4=; l=2388; h=To:References:From:Cc:Date:In-Reply-To; b=BEFcr2EjbllFMnfh6JognRNJsF/RuURA5kRrzpHviNc09tS6qUnSbjAgOFphAKtLt t9xTGQ1rHQ9B4qErxKop9qYwKpz9KYqe1g/AMLq0IxIMcxACcxyZeXTgpdWt/W48O1 3L93L766yrFumDdK0c/VeQFRyB354nkZS/IJ4/LRqE9PJSIvXzMvrJKvnMjqm Authentication-Results: tana.it; auth=pass (details omitted) Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC013.000000005F1F0859.00003549; Mon, 27 Jul 2020 19:01:13 +0200 To: 966343@bugs.debian.org From: Alessandro Vesely Cc: 498@bugs.devuan.org Message-ID: <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it> Date: Mon, 27 Jul 2020 19:01:13 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20200727101344.wovj4a2l4g4xb2hk@function> Content-Type: text/plain; charset=us-ascii Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault wrote: > Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit: > > So this turns out to be a documentation bug. The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment. > > Well, basically all system calls would then need this... Yeah, likely. How many man pages have snippets like "[...] denied for one of the directories in the path [...]"? Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script: EACCES The requested access to the file is not allowed, or search permission is denied for one of the directories in the path prefix of pathname, or the file did not exist yet and write access to the parent directory is not allowed. (See also path_resolution(7).) EACCES Search permission is denied on a component of the path prefix of filename or the name of a script interpreter. (See also path_resolution(7).) EACCES Write access to the directory containing newpath is denied, or search permission is denied for one of the directories in the path prefix of oldpath or newpath. (See also path_resolution(7).) EACCES Search permission is denied for a component of the path prefix, or the named file is not writable by the user. (See also path_resolution(7).) EACCES Search permission is denied on a component of the path prefix. (See also path_resolution(7).) Philip Couling commented that the man page /could/ mention security extensions since they are prevelent. See: https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529 For execve, for example, one could add that permissions are not derived from file flags only. For example: OLD: EACCES Execute permission is denied for the file or a script or ELF interpreter. NEW: EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules. Would that be correct? Do all "DENIED" operations result in EACCES? And what do other security modules do? Hmm... Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting. Best Ale From unknown Thu Mar 28 20:19:43 2024 X-Loop: owner@bugs.devuan.org Subject: bug#498: Bug#966343: bug#498: libc6: Permission denied, intermittent in execve Reply-To: Aurelien Jarno , 498@bugs.devuan.org Resent-From: Aurelien Jarno Resent-To: devuan-bugs@lists.dyne.org Resent-CC: devuan-dev@lists.dyne.org X-Loop: owner@bugs.devuan.org Resent-Date: Tue, 28 Jul 2020 22:33:02 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.devuan.org X-Devuan-PR-Message: followup 498 X-Devuan-PR-Package: libc6 X-Devuan-PR-Keywords: debian References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <20200727091401.GQ3011@hindley.org.uk> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it> <20200727101344.wovj4a2l4g4xb2hk@function> <20200727101344.wovj4a2l4g4xb2hk@function> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it> <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it> Received: via spool by 498-submit@bugs.devuan.org id=B498.15959748016097 (code B ref 498); Tue, 28 Jul 2020 22:33:02 +0000 Received: (at 498) by bugs.devuan.org; 28 Jul 2020 22:20:01 +0000 Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4) for (single-drop); Tue, 28 Jul 2020 22:20:01 +0000 (UTC) Received: from hall.aurel32.net (hall.aurel32.net [195.154.113.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id E3FEEF608DA for <498@bugs.devuan.org>; Wed, 29 Jul 2020 00:14:59 +0200 (CEST) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (2048-bit key; secure) header.d=aurel32.net header.i=@aurel32.net header.b="RzTXUsbY"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net ; s=202004.hall; h=In-Reply-To:Content-Type:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Content-Transfer-Encoding:From:Reply-To: Subject:Content-ID:Content-Description:X-Debbugs-Cc; bh=7Ksfl4NFsU2PVvrTieylN3C1A8tB6Y4MzI+HHhAGCVM=; b=RzTXUsbYTW6aIA37CKsfnDrhTI 3wtLyT0rRx6GD+uLIH7Eeh5/ZuVxVEh7eV9sQ7lSpz+EcfB8b5wkiCrGySQ5/yubvJWe7TCMVhp8B 2PqJxYSJCo+qSBYgfWCF//Jgi46uEXZXFGdIB6RmS+qNhvoIrxiIFqk+o8lwkenne7AUqC3zRJBlG wG+ssVBfztaNes5My7P2v5HComNyKkZ65FBuFSLXh2Ygz3NCFRxee4jOcwMd7vEcsKd93v4AOyfWc Hd8LfTnfLXNQxOzDo+KyqR1blN1b/DUaJeqMHILqeehVX4C3h6qLd6jUldgCFL28IEMfMk5tuvEtu Ee4BeBPg==; Received: from ohm.aurel32.net ([2001:bc8:30d7:111::1000]) by hall.aurel32.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1k0Xs9-0003eu-EP; Wed, 29 Jul 2020 00:14:57 +0200 Received: from aurel32 by ohm.aurel32.net with local (Exim 4.94) (envelope-from ) id 1k0Xs6-0028Fv-Kv; Wed, 29 Jul 2020 00:14:54 +0200 Date: Wed, 29 Jul 2020 00:14:54 +0200 From: Aurelien Jarno To: Alessandro Vesely , 966343-done@bugs.debian.org Cc: 498@bugs.devuan.org Message-ID: <20200728221454.GJ8215@aurel32.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it> User-Agent: Mutt/1.14.0 (2020-05-02) X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Hi, On 2020-07-27 19:01, Alessandro Vesely wrote: > On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault wrote: > > Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit: > > > So this turns out to be a documentation bug. The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment. > > > > Well, basically all system calls would then need this... > > > Yeah, likely. How many man pages have snippets like "[...] denied for one of the directories in the path [...]"? > > Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script: There are many syscalls that might end up returning EACCESS. Mapping them to the corresponding libc functions might not be always fully linear. [snip] > Philip Couling commented that the man page /could/ mention security extensions since they are prevelent. See: > https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529 > > For execve, for example, one could add that permissions are not derived from file flags only. For example: > > OLD: > > EACCES Execute permission is denied for the file or a script or ELF interpreter. > > NEW: > > EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules. > > > Would that be correct? Do all "DENIED" operations result in EACCES? And what do other security modules do? Hmm... Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting. That seems correct for apparmor (although it can also return ENOENT in case of race condition), not sure about other security modules. seccomp just kills the process, not sure you want to mention that in every possible manpages. In any case this is now out of scope for the glibc package, so I am closing the bug. If you feel that the doc needs to be updated, please open a bug against the corresponding package. Regards, Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net