A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system
Mark Martinec
Mark.Martinec+freebsd at ijs.si
Thu Jan 14 15:42:44 UTC 2016
Prompted by recent security advisories I did a 'make buildworld'
on a fresh svn checkout, only to find out that it seems the 'exec'
mount flag on /usr/src is still required for a successful build.
This wasn't so for 10.2, and I hope it won't become a requirement
in 10.3 - or at least it should be clearly documented in release notes.
Mark
On 2015-12-07 16:35, Mark Martinec wrote:
> So, is this a new state of affairs that /usr/src file system
> needs to be mounted exec in order for buildworld to succeed,
> or is this an unintended change and I should file a bug report?
>
> Mark
>
>
> On 2015-11-26 19:44, Miroslav Lachman wrote:
>> Mark Martinec wrote on 11/26/2015 19:31:
>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>> just fine. Today after svn update the build fails:
>>>
>>>
>>> # make buildworld
>>> [...]
>>>
>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>> .depend.getprotoent_test
>>> (cd /usr/src/lib/libc/tests/net && make -f
>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS= SUBDIR=
>>> PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test
>>> .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>> make[7]:
>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>> failed (Permission denied)
>>> *** Error code 1
>>>
>>> Stop.
>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>> *** Error code 1
>>>
>>>
>>> It turns out that our file system /usr/src had an "exec" flag
>>> turned off, so now running a command:
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> fails with "Permission denied".
>>>
>>> It would be valuable if building a system on an exec-protected
>>> src file system would continue to be possible.
>>>
>>> Not sure if the
>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>> is the only such new command breaking the build. Anyway, a simple
>>> workaround is to run the shell from a command line instead of as a
>>> shebang, i.e.:
>>>
>>> # /bin/sh /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>
>>> instead of:
>>>
>>> # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>
>> I was puzzled by a similar thing years ago. I was using /var/db and /tmp
>> mounted with noexec. And then there were some changes. Ports need
>> /var/db with exec because of some script in /var/db/pkg and /tmp must
>> have exec too for buildworld or installworld (I don't remember it
>> well, now I always do mount -u -o current,exec /tmp before build +
>> install world and kernel)
>>
>> Anyway - it would be better to not have these partitions mounted with
>> exec.
>>
>> Miroslav Lachman
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscribe at freebsd.org"
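
An added example, not part of the original thread or of the FreeBSD source tree: a POSIX sh check for the condition discussed above, to run before a long build. The function names `dir_allows_exec` and `list_shebang_scripts` are made up for this example, and the probe assumes write access to the directory being checked.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the FreeBSD tree).

# Return 0 if a script created in directory $1 can be run by path,
# 1 if execution is refused (as on a noexec mount), 2 if $1 is not writable.
dir_allows_exec() {
    probe=$(mktemp "$1/.execprobe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod +x "$probe"
    rc=0
    "$probe" 2>/dev/null || rc=$?
    rm -f "$probe"
    [ "$rc" -eq 0 ]
}

# Print "<interpreter and args> <path>" for every file under $1 that has an
# execute bit and a "#!" first line. These are the files a build step could
# run by path, and each printed line is the form that still works on a
# noexec mount (interpreter first, script as its argument).
list_shebang_scripts() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        2>/dev/null | sort | while IFS= read -r f; do
        # Keep only the first line, and only if it starts with "#!".
        interp=$(LC_ALL=C sed -n -e '1s/^#![[:space:]]*//p' -e 'q' "$f" \
            2>/dev/null)
        [ -n "$interp" ] || continue
        printf '%s %s\n' "$interp" "$f"
    done
}

# Stand-alone use: sh thisfile /usr/src
if [ "$#" -gt 0 ]; then
    if dir_allows_exec "$1"; then
        echo "$1: scripts can be executed by path"
    else
        echo "$1: exec by path refused or directory not writable;" \
             "scripts a build may try to run directly:"
        list_shebang_scripts "$1"
    fi
fi
```
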