The bug you pointed out is not really the main issue I am having. This issue with noexec on temp just flashed the real issue.
Just to make life a little bit more difficult for canned exploits on a
web server, I've tried to eliminate directories where daemon users have
both write and exec ability. In particular, /tmp is mounted noexec.
That, however, makes preconfiguring packages unhappy:
Preconfiguring packages ...
Can't exec "/tmp/libc6.config.32281": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libc6.config.32281 configure 2.7-6 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libc6 failed to preconfigure, with exit status 9
To debconf's credit, it survives and configures later, so it's mostly
just ugly.
The real problem is that debconf behaves differently when it needs to install pre-depends packages, and the outcome is wrong when /tmp is executable,
but it behaves as expected, at least from what it says in the documentation (pre-depends packages have to be fully installed, including the execution of postinst scripts), when
'noexec' is applied on /tmp. Debconf survives the errors and has a fallback to continue configuring the packages, and this fallback is actually doing what is expected.
Is there an option to configure debconf to always do this kind of fallback?