Devuan bug report logs - #498
libc6: Permission denied, intermittent in execve

Package: libc6; Reported by: Alessandro Vesely <vesely@tana.it>; Keywords: debian; merged with #497; Forwarded to https://bugs.debian.org/966343; Maintainer for libc6 is (unknown).

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 28 Jul 2020 22:20:01 +0000
Return-Path: <aurelien@aurel32.net>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Tue, 28 Jul 2020 22:20:01 +0000 (UTC)
Received: from hall.aurel32.net (hall.aurel32.net [195.154.113.88])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id E3FEEF608DA
	for <498@bugs.devuan.org>; Wed, 29 Jul 2020 00:14:59 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (2048-bit key; secure) header.d=aurel32.net header.i=@aurel32.net header.b="RzTXUsbY";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net
	; s=202004.hall; h=In-Reply-To:Content-Type:MIME-Version:References:
	Message-ID:Subject:Cc:To:From:Date:Content-Transfer-Encoding:From:Reply-To:
	Subject:Content-ID:Content-Description:X-Debbugs-Cc;
	bh=7Ksfl4NFsU2PVvrTieylN3C1A8tB6Y4MzI+HHhAGCVM=; b=RzTXUsbYTW6aIA37CKsfnDrhTI
	3wtLyT0rRx6GD+uLIH7Eeh5/ZuVxVEh7eV9sQ7lSpz+EcfB8b5wkiCrGySQ5/yubvJWe7TCMVhp8B
	2PqJxYSJCo+qSBYgfWCF//Jgi46uEXZXFGdIB6RmS+qNhvoIrxiIFqk+o8lwkenne7AUqC3zRJBlG
	wG+ssVBfztaNes5My7P2v5HComNyKkZ65FBuFSLXh2Ygz3NCFRxee4jOcwMd7vEcsKd93v4AOyfWc
	Hd8LfTnfLXNQxOzDo+KyqR1blN1b/DUaJeqMHILqeehVX4C3h6qLd6jUldgCFL28IEMfMk5tuvEtu
	Ee4BeBPg==;
Received: from ohm.aurel32.net ([2001:bc8:30d7:111::1000])
	by hall.aurel32.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <aurelien@aurel32.net>)
	id 1k0Xs9-0003eu-EP; Wed, 29 Jul 2020 00:14:57 +0200
Received: from aurel32 by ohm.aurel32.net with local (Exim 4.94)
	(envelope-from <aurelien@aurel32.net>)
	id 1k0Xs6-0028Fv-Kv; Wed, 29 Jul 2020 00:14:54 +0200
Date: Wed, 29 Jul 2020 00:14:54 +0200
From: Aurelien Jarno <aurelien@aurel32.net>
To: Alessandro Vesely <vesely@tana.it>, 966343-done@bugs.debian.org
Cc: 498@bugs.devuan.org
Subject: Re: Bug#966343: bug#498: libc6: Permission denied, intermittent in
 execve
Message-ID: <20200728221454.GJ8215@aurel32.net>
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <20200727091401.GQ3011@hindley.org.uk>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
 <20200727101344.wovj4a2l4g4xb2hk@function>
 <20200727101344.wovj4a2l4g4xb2hk@function>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it>
User-Agent: Mutt/1.14.0 (2020-05-02)
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Hi,

On 2020-07-27 19:01, Alessandro Vesely wrote:
> On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault <sthibault@debian.org> wrote:
> > Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit:
> > > So this turns out to be a documentation bug.  The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment.
> > 
> > Well, basically all system calls would then need this...
> 
> 
> Yeah, likely.  How many man pages have snippets like "[...] denied for one of the directories in the path [...]"?
>
> Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script:

There are many syscalls that might end up returning EACCESS. Mapping
them to the corresponding libc functions might not be always fully
linear.

[snip]

> Philip Couling commented that the man page /could/ mention security extensions since they are prevelent. See:
> https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529
> 
> For execve, for example, one could add that permissions are not derived from file flags only.  For example:
> 
> OLD:
> 
>        EACCES Execute permission is denied for the file or a script or ELF interpreter.
> 
> NEW:
> 
>        EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules.
> 
> 
> Would that be correct?  Do all "DENIED" operations result in EACCES?  And what do other security modules do?  Hmm...  Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting.

That seems correct for apparmor (although it can also return ENOENT in
case of race condition), not sure about other security modules. seccomp
just kills the process, not sure you want to mention that in every
possible manpages.

In any case this is now out of scope for the glibc package, so I am
closing the bug. If you feel that the doc needs to be updated, please
open a bug against the corresponding package.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 27 Jul 2020 17:10:12 +0000
Return-Path: <vesely@tana.it>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 17:10:12 +0000 (UTC)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id 2766CF604BE
	for <498@bugs.devuan.org>; Mon, 27 Jul 2020 19:01:14 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="BEFcr2Ej";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
	t=1595869273; bh=OeAyQIUy2iB26YtEzRGjpIi4J5tLdgziq2OmoQA7bS4=;
	l=2388; h=To:References:From:Cc:Date:In-Reply-To;
	b=BEFcr2EjbllFMnfh6JognRNJsF/RuURA5kRrzpHviNc09tS6qUnSbjAgOFphAKtLt
	 t9xTGQ1rHQ9B4qErxKop9qYwKpz9KYqe1g/AMLq0IxIMcxACcxyZeXTgpdWt/W48O1
	 3L93L766yrFumDdK0c/VeQFRyB354nkZS/IJ4/LRqE9PJSIvXzMvrJKvnMjqm
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111])
  (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256)
  by wmail.tana.it with ESMTPSA
  id 00000000005DC013.000000005F1F0859.00003549; Mon, 27 Jul 2020 19:01:13 +0200
To: 966343@bugs.debian.org
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <20200727091401.GQ3011@hindley.org.uk>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
 <20200727101344.wovj4a2l4g4xb2hk@function>
 <20200727101344.wovj4a2l4g4xb2hk@function>
Subject: Re: Bug#966343: bug#498: libc6: Permission denied, intermittent in
 execve
From: Alessandro Vesely <vesely@tana.it>
Cc: 498@bugs.devuan.org
Message-ID: <15a0722b-ed58-a804-7d66-12ab5693329e@tana.it>
Date: Mon, 27 Jul 2020 19:01:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20200727101344.wovj4a2l4g4xb2hk@function>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

On Mon, 27 Jul 2020 12:13:44 +0200 Samuel Thibault <sthibault@debian.org> wrote:
> Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit:
> > So this turns out to be a documentation bug.  The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment.
> 
> Well, basically all system calls would then need this...


Yeah, likely.  How many man pages have snippets like "[...] denied for one of the directories in the path [...]"?

Yet, considering the following examples, they seem to have been written manually rather than resorting to some sort of script:


       EACCES The requested access to the file is not allowed, or search permission is denied for one of the directories in the  path
              prefix  of  pathname, or the file did not exist yet and write access to the parent directory is not allowed.  (See also
              path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix of filename or the name of a  script  interpreter.   (See
              also path_resolution(7).)

       EACCES Write access to the directory containing newpath is denied, or search permission is denied for one of  the  directories
              in the path prefix of oldpath or newpath.  (See also path_resolution(7).)

       EACCES Search permission is denied for a component of the path prefix, or the named file is not writable by  the  user.
              (See also path_resolution(7).)

       EACCES Search permission is denied on a component of the path prefix.  (See also path_resolution(7).)


Philip Couling commented that the man page /could/ mention security extensions since they are prevelent. See:
https://unix.stackexchange.com/questions/600174/identical-execve-causes-permission-denied-for-one-program-but-not-another/600529#comment1121270_600529

For execve, for example, one could add that permissions are not derived from file flags only.  For example:

OLD:

       EACCES Execute permission is denied for the file or a script or ELF interpreter.

NEW:

       EACCES Execute permission for the file or a script or ELF interpreter is denied either by flags or by security modules.


Would that be correct?  Do all "DENIED" operations result in EACCES?  And what do other security modules do?  Hmm...  Starting to document that mess from the point of view of programs getting such failure codes would allow better logging and better troubleshooting.


Best
Ale


Acknowledgement sent to Alessandro Vesely <vesely@tana.it>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 27 Jul 2020 10:20:13 +0000
Return-Path: <sthibault@debian.org>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 10:20:12 +0000 (UTC)
Received: from hera.aquilenet.fr (hera.aquilenet.fr [185.233.100.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 4717CF60B00
	for <498@bugs.devuan.org>; Mon, 27 Jul 2020 12:13:48 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by hera.aquilenet.fr (Postfix) with ESMTP id 93BDA96FE;
	Mon, 27 Jul 2020 12:13:46 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
	by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id AhiH7Du3Bw43; Mon, 27 Jul 2020 12:13:46 +0200 (CEST)
Received: from function (lfbn-bor-1-797-11.w86-234.abo.wanadoo.fr [86.234.239.11])
	by hera.aquilenet.fr (Postfix) with ESMTPSA id ED57F96DF;
	Mon, 27 Jul 2020 12:13:45 +0200 (CEST)
Received: from samy by function with local (Exim 4.94)
	(envelope-from <sthibault@debian.org>)
	id 1k008e-003kur-QM; Mon, 27 Jul 2020 12:13:44 +0200
Date: Mon, 27 Jul 2020 12:13:44 +0200
From: Samuel Thibault <sthibault@debian.org>
To: Alessandro Vesely <vesely@tana.it>, 966343@bugs.debian.org
Cc: Mark Hindley <mark@hindley.org.uk>, 498@bugs.devuan.org
Subject: Re: Bug#966343: bug#498: libc6: Permission denied, intermittent in
 execve
Message-ID: <20200727101344.wovj4a2l4g4xb2hk@function>
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <20200727091401.GQ3011@hindley.org.uk>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
Organization: I am not organized
User-Agent: NeoMutt/20170609 (1.8.3)
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Alessandro Vesely, le lun. 27 juil. 2020 11:47:34 +0200, a ecrit:
> So this turns out to be a documentation bug.  The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment.

Well, basically all system calls would then need this...

Samuel

Acknowledgement sent to Samuel Thibault <sthibault@debian.org>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 27 Jul 2020 10:00:01 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 10:00:01 +0000 (UTC)
Received: from mx.hindley.org.uk (mohindley.plus.com [81.174.245.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 201D5F60C32
	for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:53:18 +0200 (CEST)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1jzzoq-0003A8-Vo; Mon, 27 Jul 2020 10:53:17 +0100
Received: (nullmailer pid 571 invoked by uid 1000);
	Mon, 27 Jul 2020 09:53:16 -0000
Date: Mon, 27 Jul 2020 10:53:16 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Alessandro Vesely <vesely@tana.it>
Cc: 498@bugs.devuan.org, 966343@bugs.debian.org
Subject: Re: bug#498: libc6: Permission denied, intermittent in execve
Message-ID: <20200727095316.GT3011@hindley.org.uk>
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <20200727091401.GQ3011@hindley.org.uk>
 <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

On Mon, Jul 27, 2020 at 11:47:34AM +0200, Alessandro Vesely wrote:
> > However, one thought that occurs to me is whether apparmor is causing this? Does
> > disabling it[1] restore predictable behaviour?
> 
> Bingo!
> 
> Jul 27 09:47:25 pcale kernel: [ 1569.887279] audit: type=1400 audit(1595836045.642:33): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/lib
> reoffice6.4/program/soffice" pid=5402 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> 
> I dunno how come apparmor got installed.  Probably it happened when I upgraded
> to Beowulf.

Yes, it is now the default in Debian buster and Devuan beowulf has inherited
that.

Mark

Acknowledgement sent to Mark Hindley <mark@hindley.org.uk>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 27 Jul 2020 09:50:23 +0000
Return-Path: <vesely@tana.it>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 09:50:23 +0000 (UTC)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id D6C5AF60C32
	for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:47:35 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="A6kMLst2";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
	t=1595843255; bh=M1w3YBJGQluH11gn/N+C1Zi8PYChlxHGILJQ3x5KySM=;
	l=1391; h=To:References:From:Date:In-Reply-To;
	b=A6kMLst2zCCIa7U8NxwBLcfKFUIML9u5lPUS9uIjHwhXb7SjFwz3w8kWNrHyYeLOQ
	 B19W5bX9UFXIycht3ajcO8Qt7OctMUVgWViAvTvdlpSi0t3k+tN24xDZAZHPRdB5n1
	 OAWAsQa9OEg6IWTkLnPqGsyHCRgupXkxTH5R1xkVfyOTh+OlNQkG1CAsFwJ2E
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111])
  (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256)
  by wmail.tana.it with ESMTPSA
  id 00000000005DC056.000000005F1EA2B7.00007DA7; Mon, 27 Jul 2020 11:47:35 +0200
Subject: Re: bug#498: libc6: Permission denied, intermittent in execve
To: Mark Hindley <mark@hindley.org.uk>, 498@bugs.devuan.org,
  966343@bugs.debian.org
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
 <20200727091401.GQ3011@hindley.org.uk>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <1a948266-b3c2-e3c6-6f91-fda019203850@tana.it>
Date: Mon, 27 Jul 2020 11:47:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20200727091401.GQ3011@hindley.org.uk>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Hi Mark,

On Mon 27/Jul/2020 11:14:01 +0200 Mark Hindley wrote:
> On Mon, Jul 27, 2020 at 10:32:15AM +0200, Alessandro Vesely wrote:
>> Package: libc6
>> Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28.
>> Severity: normal
>> 
>> in certain situations, execve fails setting errno to EACCESS.  The same
>> program, launched by the same user in different ways, succeeds or fails
>> according to preceding actions.
> 
> Thanks for this. As you have realised, libc6 is a Debian package that Devuan
> uses directly without recompilation so this issue is correctly dealt with in
> Debian's BTS.
> 
> However, one thought that occurs to me is whether apparmor is causing this? Does
> disabling it[1] restore predictable behaviour?


Bingo!

Jul 27 09:47:25 pcale kernel: [ 1569.887279] audit: type=1400 audit(1595836045.642:33): apparmor="DENIED" operation="exec" profile="thunderbird" name="/opt/lib
reoffice6.4/program/soffice" pid=5402 comm="gio-launch-desk" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I dunno how come apparmor got installed.  Probably it happened when I upgraded to Beowulf.

After aa-teardown and purging apparmor, execve works as expected.

So this turns out to be a documentation bug.  The execve man page should mention that EACCESS can result as an (unforeseen) apparmor impediment.


Thank you so much
Ale


Acknowledgement sent to Alessandro Vesely <vesely@tana.it>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.
Marked as found in versions 2.28-10. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. Full text available.
Set bug forwarded-to-address to 'https://bugs.debian.org/966343'. Request was from Mark Hindley <mark@hindley.org.uk> to 498-submit@bugs.devuan.org. Full text available.
Added tag(s) debian. Request was from Mark Hindley <mark@hindley.org.uk> to 498-submit@bugs.devuan.org. Full text available.
Merged 497 498 Request was from Mark Hindley <mark@hindley.org.uk> to 498-submit@bugs.devuan.org. Full text available.

Message received at 498@bugs.devuan.org:


Received: (at 498) by bugs.devuan.org; 27 Jul 2020 09:20:12 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 09:20:12 +0000 (UTC)
Received: from mx.hindley.org.uk (mohindley.plus.com [81.174.245.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id CD493F60B8A
	for <498@bugs.devuan.org>; Mon, 27 Jul 2020 11:14:03 +0200 (CEST)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1jzzCr-0002w4-HG; Mon, 27 Jul 2020 10:14:01 +0100
Received: (nullmailer pid 31961 invoked by uid 1000);
	Mon, 27 Jul 2020 09:14:01 -0000
Date: Mon, 27 Jul 2020 10:14:01 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Alessandro Vesely <vesely@tana.it>, 498@bugs.devuan.org
Subject: Re: bug#498: libc6: Permission denied, intermittent in execve
Message-ID: <20200727091401.GQ3011@hindley.org.uk>
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
 <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
X-Debbugs-No-Ack: No Thanks
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Control: forcemerge 498 497
Control: tags -1 debian
Control: forwarded -1 https://bugs.debian.org/966343

Alessandro

On Mon, Jul 27, 2020 at 10:32:15AM +0200, Alessandro Vesely wrote:
> Package: libc6
> Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28.
> Severity: normal
> 
> 
> -------- Forwarded Message --------
> Subject: libc6: Permission denied, intermittent in execve
> Date: Mon, 27 Jul 2020 10:25:27 +0200
> From: Alessandro Vesely <vesely@tana.it>
> To: Devuan Bug Tracking System <submit@bugs.devuan.org>
> 
> 
> Dear Maintainer,
> 
> in certain situations, execve fails setting errno to EACCESS.  The same
> program, launched by the same user in different ways, succeeds or fails
> according to preceding actions.

Thanks for this. As you have realised, libc6 is a Debian package that Devuan
uses directly without recompilation so this issue is correctly dealt with in
Debian's BTS.

However, one thought that occurs to me is whether apparmor is causing this? Does
disabling it[1] restore predictable behaviour?

Thanks.

Mark


[1]  https://wiki.debian.org/AppArmor/HowToUse#Diagnose_if_a_bug_might_have_been_caused_by_AppArmor


Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Message received at submit@bugs.devuan.org:


Received: (at submit) by bugs.devuan.org; 27 Jul 2020 08:40:13 +0000
Return-Path: <vesely@tana.it>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Mon, 27 Jul 2020 08:40:13 +0000 (UTC)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with UTF8SMTPS id C4944F60ACF
	for <submit@bugs.devuan.org>; Mon, 27 Jul 2020 10:32:16 +0200 (CEST)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (1152-bit key; secure) header.d=tana.it header.i=@tana.it header.b="CN9r887s";
	dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta;
	t=1595838735; bh=zC8GgG2OCI5+W/W4YcXYGCAFbHEHhoZfEyTck4VsPF0=;
	l=1573; h=References:To:Cc:From:Date:In-Reply-To;
	b=CN9r887spjYTEkNUAYUn8uQLJPSjHXm9mciyfVYhAr8mCqqWy3ZEcfOT8ApNweI1X
	 K/fhSKMLsrhgjC76PUed+tYDbFUlFvZDo5kMQoJgAU7MWIlw8SAMpbg4XQjF+E2Va0
	 5dK3Tbaw48bGCqlj0Sx5L2hZnjd7b1+MIhD2pKNDvQgeBM8mtkVB7GL79R4Z1
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111])
  (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256)
  by wmail.tana.it with ESMTPSA
  id 00000000005DC0B4.000000005F1E910F.00007409; Mon, 27 Jul 2020 10:32:15 +0200
Subject: libc6: Permission denied, intermittent in execve
References: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Devuan Bug Tracking System <submit@bugs.devuan.org>
From: Alessandro Vesely <vesely@tana.it>
X-Forwarded-Message-Id: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
Message-ID: <4c3f732a-b026-a7a6-bea5-c49fff74267a@tana.it>
Date: Mon, 27 Jul 2020 10:32:15 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <159583832778.5523.4267786497736057480.reportbug@pcale.tana>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=disabled
	version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Package: libc6
Version: GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28.
Severity: normal


-------- Forwarded Message --------
Subject: libc6: Permission denied, intermittent in execve
Date: Mon, 27 Jul 2020 10:25:27 +0200
From: Alessandro Vesely <vesely@tana.it>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>


Dear Maintainer,

in certain situations, execve fails setting errno to EACCESS.  The same
program, launched by the same user in different ways, succeeds or fails
according to preceding actions.

None of the failure conditions for EACCESS is met.

The case at hand happens with an old version of Thunderbird and a LibreOffice
attachment.  After saving the attachment, Thunderbird execs gio-launch-desktop.
The latter tries to exec libreoffice6.4 and fails.

I strace'd the full arguments used in the failed execve(), and copied them to a
simple C program which runs just that execve() call.  When called from the
command line, the program succeeds.  Then I replaced the gio-launch-desktop
executable with my straw men.  When called from Thunderbird, the program fails.

See also:
https://unix.stackexchange.com/questions/600174/permission-denied-intermittent-in-execve


-- System Information:
Distributor ID: Debian
Description:    Devuan GNU/Linux 3 (beowulf)
Release:        3
Codename:       beowulf
Architecture: x86_64

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Acknowledgement sent to Alessandro Vesely <vesely@tana.it>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org.

Your message had a Version: pseudo-header with an invalid package version:

GNU C Library (Debian GLIBC 2.28-10) stable release version 2.28.

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

Full text available.


Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#498; Package libc6. Full text available.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun, 16 Jan 2022 18:39:01 UTC