
Re: noexec goal for hardening Debian (was Re: Bug#746496: general: Package upgrade scripts partly fail when /tmp is noexec)



On Fri, 02 May 2014, Thorsten Glaser wrote:
> Henrique de Moraes Holschuh dixit:
> >On Wed, 30 Apr 2014, Pierre wrote:
> >> When /tmp is configured as noexec (for example /tmp in RAM), some
> >> scripts fail on package update.
> 
> […]
> >It may look like it is working, but we don't properly support it,
> 
> Sounds like a release goal for jessie+1 or jessie+2.

No, it is useless, wasted effort.  NOEXEC $TMPDIR (and NOEXEC /tmp) will
always break the world.

There is no shortage of troublesome release goals that are worth the effort.
NOEXEC /tmp is not one of them.

E.g. it would be a lot better to, instead, adopt per-user (that can also
mean per-daemon/per-service) exclusive $TMPDIR enhanced by per-user mount
namespaces that also take care of /tmp, or something to that effect.   But
those won't be NOEXEC.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

