Hello LilyPond users,
I’ve created a chroot jail for LilyPond 2.18.2 on Ubuntu 12.04.4 LTS which I installed by executing the binary
lilypond-2.18.2-1.linux-64.sh. I have followed the instructions the instructions on
http://www.lilypond.org/doc/v2.19/Documentation/usage/command_002dline-usage#lilypond-in-chroot-jail
and it works only if the loopfile is mounted WITHOUT “noexec”.
The lilypond binary will be executed on .ly files of unknown origin and I cannot use the “-dsafe” option since
it breaks some functionality. Still I try to make rendering as safe as possible by using the “noexec” mount option
as suggested in the manual here:
I’ve used a minimal example for testing:
address@hidden:~# cat /mnt/lilyloop/lilyhome/test.ly
\version "2.14.1"
{
% middle tie looks funny here:
<c' d'' b''>8. ~ <c' d'' b''>8
}
The user „pigpen“ has sudo rights to execute /usr/local/bin/lilypond
Case 1: Jail mounted WITHOUT “noexec” - /home/lily/loopfile on /mnt/lilyloop type ext3 (rw,nosuid,nodev)
address@hidden:~$ sudo /usr/local/bin/lilypond -jlily,lily,/mnt/lilyloop,/lilyhome --png --header=texidoc test.ly
GNU LilyPond 2.18.2
Processing `test.ly'
Parsing...
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
(process:3701): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1002)
Fitting music on 1 page...
Drawing systems...
Layout output to `test.ps'...
Converting to PNG...
Success: compilation successfully completed
Case 2: Jail mounted WITH “noexec” - /home/lily/loopfile on /mnt/lilyloop type ext3 (rw,noexec,nosuid,nodev)
address@hidden:~$ sudo /usr/local/bin/lilypond -jlily,lily,/mnt/lilyloop,/lilyhome --png --header=texidoc test.ly
GNU LilyPond 2.18.2
Processing `test.ly'
Parsing...
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
(process:3783): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1002)
(process:3783): Pango-WARNING **: /usr/local/lilypond/usr/bin/..//lib/pango/1.6.0/modules/pango-basic-fc.so: failed to map segment from shared object: Operation not permitted
(process:3783): Pango-WARNING **: Failed to load Pango module '/usr/local/lilypond/usr/bin/..//lib/pango/1.6.0/modules/pango-basic-fc' for id 'BasicScriptEngineFc'
(process:3783): Pango-WARNING **: failed to choose a font, expect ugly output. engine-type='PangoRenderFc', script='common'
(process:3783): Pango-CRITICAL **: pango_fc_font_lock_face: assertion `PANGO_IS_FC_FONT (font)' failed
What am I doing wrong? Is the setup still safe without the “noexec” option?
Thank you all in advance,
Marc
Marc Reymann
Systemadministration
Hallo Welt! - Medienwerkstatt GmbH
Residenzstraße 2
93047 Regensburg
Tel. +49 (0) 941 - 66 0 80-195
Fax +49 (0) 941 - 66 0 80-189
Sitz: Regensburg
Amtsgericht: Regensburg
Handelsregister: HRB 10467
E.USt.Nr.: DE 253050833
Geschäftsführer: Anja Ebersbach, Markus Glaser, Dr. Richard Heigl, Radovan Kubani