[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

apt-get and mounting /tmp with noexec option


I have mounted my /tmp directory (which has it's own partition) with the noexec option. The reason i did this, was that a poorly written cgi-script caused a binary to be downloaded and executed in /tmp. Luckily, the firewall prevented it from doing any harm, but i wanted to prevent this from happening again. In the future i plan to place apache in a chroot jail, but in the meantime this seemed like a good thing to do. Here is the line from my /etc/fstab:

/dev/sda9	/tmp	ext2	noexec,nosuid,rw	0	2

Unfortunately, having a /tmp with noexec conflicts with apt, which uses the /tmp directory for temporary configuration scripts:

# apt-get upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
1 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
Need to get 1086kB of archives. After unpacking 0B will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org stable/updates/main cvs 1.11.1p1debian-9 [1086kB]
Fetched 1086kB in 0s (4849kB/s)
Preconfiguring packages ...
Can't exec "/tmp/config.14901": Permission denied at /usr/share/perl/5.6.1/IPC/Open3.pm line 159. open2: exec of /tmp/config.14901 configure 1.11.1p1debian-8.1 failed at /usr/share/perl5/Debconf/ConfModule.pm line 44
cvs failed to preconfigure, with exit status 255
(Reading database ... 27704 files and directories currently installed.)
Preparing to replace cvs 1.11.1p1debian-8.1 (using .../cvs_1.11.1p1debian-9_i386.deb) ...
Unpacking replacement cvs ...
Setting up cvs (1.11.1p1debian-9) ...

Is it considered bad practice to mount /tmp with the noexec option? If not, is there a way to tell apt to use another directory?

- Arnoud Warmerdam

Reply to: