LilyPond not working in jail mounted noexec

2014-07-28 Thread Marc Reymann
Hello LilyPond users,

I’ve created a chroot jail for LilyPond 2.18.2 on Ubuntu 12.04.4 LTS which I
installed by executing the binary
lilypond-2.18.2-1.linux-64.sh. I have followed the instructions on
http://www.lilypond.org/doc/v2.19/Documentation/usage/command_002dline-usage#lilypond-in-chroot-jail
and it works only if the loopfile is mounted WITHOUT “noexec”.

The lilypond binary will be executed on .ly files of unknown origin and I
cannot use the “-dsafe” option since
it breaks some functionality. Still I try to make rendering as safe as
possible by using the “noexec” mount option
as suggested in the manual here:
http://www.lilypond.org/doc/v2.19/Documentation/usage/command_002dline-usage#basic-command-line-options-for-lilypond


I’ve used a minimal example for testing:

root@box:~# cat /mnt/lilyloop/lilyhome/test.ly
\version 2.14.1
{
  % middle tie looks funny here:
  c' d'' b''8. ~ c' d'' b''8
}

The user „pigpen“ has sudo rights to execute /usr/local/bin/lilypond


Case 1: Jail mounted WITHOUT “noexec” - /home/lily/loopfile on /mnt/lilyloop type ext3 (rw,nosuid,nodev)

pigpen@box:~$ sudo /usr/local/bin/lilypond -jlily,lily,/mnt/lilyloop,/lilyhome --png --header=texidoc test.ly
GNU LilyPond 2.18.2
Processing `test.ly'
Parsing...
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
(process:3701): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1002)

Fitting music on 1 page...
Drawing systems...
Layout output to `test.ps'...
Converting to PNG...
Success: compilation successfully completed


Case 2: Jail mounted WITH “noexec” - /home/lily/loopfile on /mnt/lilyloop type ext3 (rw,noexec,nosuid,nodev)

pigpen@box:~$ sudo /usr/local/bin/lilypond -jlily,lily,/mnt/lilyloop,/lilyhome --png --header=texidoc test.ly
GNU LilyPond 2.18.2
Processing `test.ly'
Parsing...
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
(process:3783): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1002)

(process:3783): Pango-WARNING **: /usr/local/lilypond/usr/bin/..//lib/pango/1.6.0/modules/pango-basic-fc.so: failed to map segment from shared object: Operation not permitted

(process:3783): Pango-WARNING **: Failed to load Pango module '/usr/local/lilypond/usr/bin/..//lib/pango/1.6.0/modules/pango-basic-fc' for id 'BasicScriptEngineFc'

(process:3783): Pango-WARNING **: failed to choose a font, expect ugly output. engine-type='PangoRenderFc', script='common'

(process:3783): Pango-CRITICAL **: pango_fc_font_lock_face: assertion `PANGO_IS_FC_FONT (font)' failed


What am I doing wrong? Is the setup still safe without the “noexec” option?

Thank you all in advance,
Marc


___
lilypond-user mailing list
lilypond-user@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-user
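
Added diagnostic example, not part of the original post and not LilyPond's own code: on Linux, mmap() with PROT_EXEC fails with EPERM for a file on a noexec mount, and the dynamic loader reports that as "failed to map segment from shared object", the message in Case 2. The script finds the mount options that apply to a path and lists the shared objects under a jail directory that would hit this; the function names are hypothetical, and the sample mount table (device names, root line) is constructed from the mount line quoted above.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format, modelled on the Case 2 mount line.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt/lilyloop ext3 rw,noexec,nosuid,nodev 0 0'

# mount_opts PATH [MOUNTS_FILE]
# Print the options of the mount that contains PATH. The longest matching
# mount point wins; a later entry for the same mount point overrides an
# earlier one. Plain string matching: symlinks and \040-escaped spaces in
# mount points are not resolved.
mount_opts() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed if PATH lies on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# blocked_modules DIR [MOUNTS_FILE]
# List shared objects under DIR that cannot be mapped executable, i.e. the
# files for which dlopen() would fail as pango-basic-fc.so does in Case 2.
blocked_modules() {
    find "$1" -type f -name '*.so*' 2>/dev/null | sort |
    while IFS= read -r so; do
        if is_noexec "$so" "$2"; then printf '%s\n' "$so"; fi
    done
}

# Stand-alone use: pass the jail root, e.g. /mnt/lilyloop (path from the post).
if [ "$#" -gt 0 ]; then blocked_modules "$1"; fi
```

An empty listing for the jail root means no shared object there sits on a noexec mount; any path printed is a module that has to live on a mount without noexec to be loadable.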

