On 21/12/2015 00:14, Jacob Appelbaum wrote:
> I was left with:
> [ 1802.373906] grsec: denied untrusted exec (due to not being in
> trusted group and file in non-root-owned directory) of
> /run/user/1000/orcexec.bCtW1V by
> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
> uid/euid:0/0 gid/egid:0/0
> [ 1802.373967] grsec: denied untrusted exec (due to not being in
> trusted group and file in non-root-owned directory) of
> /home/error/orcexec.SzaIXb by
> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
> gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1]
> uid/euid:0/0 gid/egid:0/0
> [ 1802.374015] grsec: denied untrusted exec (due to not being in
> trusted group and file in world-writable directory) of
> /tmp/orcexec.5bPuTr by /usr/bin/pulseaudio[alsa-source-ALC:3038]
> uid/euid:1000/1000 gid/egid:1000/1000, parent
> /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
> I have no idea why pulse audio is trying to exec anything but audio
> works fine regardless - so I'm just going to ignore it.

grsecurity enforce a healthy execution environment not respected by liborc. 
Pulseaudio creates executable files in /tmp, writable by everyone (with the 
sticky-bit exception), which are then forbidden from being executed.

You can set $TMPDIR to a private directory (e.g. /home/<user>/tmp) and this 
should do the trick. However, the better solution is to create a private FS 
namespace for your user (e.g. using pam_namespace) to polyinstanciate a private 
/tmp for every user.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to