# Why do (some) ports insist on executing stuff from /tmp?



## ShelLuser (Dec 6, 2016)

Hi gang,

This doesn't happen often, but I once again ran into a port whose build apparently failed for no reason. I postponed the investigation because of the low priority and now that I am looking into it... Yups: multimedia/ffmpeg is 'guilty as charged':


```
===>  Configuring for ffmpeg-2.8.8_9,1
Unable to create and execute files in /tmp.  Set the TMPDIR environment
variable to another directory and make sure that it is not mounted noexec.
Sanity test failed.
```
This is of course true. I use ZFS and indeed, /tmp is set up as non-exec. This is to prevent possible issues with websites which theoretically could dump stuff in /tmp and execute it.

At first I considered e-mailing the maintainer, after all: don't we have a staging directory for quite a long time now? But when re-reading that page I couldn't help wonder if my assumption was correct: should this be used for the problem I'm describing here?

So yeah, can anyone shed light on this? Is the use of /tmp like this intended or should this have been swapped for the stage directory?


----------



## kpa (Dec 6, 2016)

That's from the configure part of the build and that's not something the ports infrastructure can help with if the upstream developer is bullheaded enough to insist on using a wrong directory for his/her own purposes. Same problem probably exists in quite a few ports that use /tmp directory during the actual build phase for their temporary files. In some cases the build process doesn't even honor TMPDIR so your only option is to patch the source if the issue is critical to you.

The staging directory, btw, has nothing to do with temporary files during the builds; its only purpose is to construct a clean directory hierarchy for package creation so that the pkg-plist listing can be verified against the actual contents of what was built. It is a temporary holding place, but only after the actual building of the software has finished.

I would also say that this issue is yet another reason in favor of using package builders over building the ports on the host. With package builders you can separate the build processes from the host that may have custom security policies such as non-executable /tmp that don't play well with ports building.


----------



## ShelLuser (Dec 7, 2016)

kpa said:


> That's from the configure part of the build and that's not something the ports infrastructure can help with if the upstream developer is bullheaded enough to insist on using a wrong directory for his/her own purposes.


Thanks for your comment. Yeah, that's the part I wasn't too sure about. For example, when looking at multimedia/ffmpeg it's indeed hard-coded into the configure script:


```sh
# set temporary file name
# Use the first of TMPDIR, TEMPDIR, TMP that is already set; otherwise fall back to /tmp.
: ${TMPDIR:=$TEMPDIR}
: ${TMPDIR:=$TMP}
: ${TMPDIR:=/tmp}
```
So I somewhat assumed that the stage directory could also be used for this. But that's obviously not the case.



kpa said:


> I would also say that this issue is yet another reason in favor of using package builders over building the ports on the host. With package builders you can separate the build processes from the host that may have custom security policies such as non-executable /tmp that don't play well with ports building.


Yups, I used to have a machine dedicated for that but because of some cutbacks it had to go. Right now I'm looking into the alternative to move the whole process into a Jail. But the current approach works for now.
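
The sanity test that ffmpeg's configure fails with, and the TMPDIR fallback in the snippet quoted above, can be reproduced outside the port build. The following POSIX sh script is an added example; it is not code from this thread, from ffmpeg or from the FreeBSD ports tree. `tmpdir_exec_check` creates a tiny script in a directory, marks it executable and tries to run it, which is exactly what a noexec mount breaks: the file is created and `chmod` succeeds, but the kernel refuses the exec. `pick_exec_tmpdir` walks a list of candidate directories and prints the first one that passes, so TMPDIR can be exported before running `make`. The candidate list ($TMPDIR, /tmp, /var/tmp, $HOME/tmp) and the function names are assumptions made for the example, not anything the ports infrastructure provides.

```shell
#!/bin/sh
# Added example (not from the thread, ffmpeg or the ports tree): reproduce the
# "create and execute a file in TMPDIR" probe that ffmpeg's configure performs,
# and use it to choose a scratch directory that is not mounted noexec.

# Return 0 if a file can be created *and executed* in directory $1, else 1.
# On a noexec mount, mktemp and chmod both succeed; only the exec step fails.
tmpdir_exec_check() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 0700 "$probe"
    if "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# Print the first candidate directory in which execution works; return 1 if
# none does. Candidate order: $TMPDIR if set, then /tmp, /var/tmp and
# $HOME/tmp. The list is an assumption about local layout, adjust as needed.
pick_exec_tmpdir() {
    for cand in ${TMPDIR:+"$TMPDIR"} /tmp /var/tmp "${HOME:-/nonexistent}/tmp"; do
        if tmpdir_exec_check "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Typical use before building a port whose configure honours TMPDIR:
#   TMPDIR=$(pick_exec_tmpdir) || { echo "no executable tmpdir" >&2; exit 1; }
#   export TMPDIR
#   make -C /usr/ports/multimedia/ffmpeg build
```

Two caveats. First, this only helps with builds that honour TMPDIR; as kpa noted, a build that hard-codes /tmp still needs a patch. Second, whatever directory you pick is exec-allowed by definition, so it should be writable only by the user doing the build and not by the web server or other service the noexec /tmp was meant to contain; otherwise you have just relocated the problem rather than solved it.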


----------

