apt-get and mounting /tmp with noexec option
I have mounted my /tmp directory (which has its own partition) with the
noexec option. The reason I did this was that a poorly written cgi-script
caused a binary to be downloaded and executed in /tmp. Luckily, the
firewall prevented it from doing any harm, but I wanted to prevent this
from happening again. In the future I plan to place apache in a chroot
jail, but in the meantime this seemed like a good thing to do. Here is the
line from my /etc/fstab:
/dev/sda9 /tmp ext2 noexec,nosuid,rw 0 2
Unfortunately, having a /tmp with noexec conflicts with apt, which uses the
/tmp directory for temporary configuration scripts:
# apt-get upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1086kB of archives. After unpacking 0B will be used.
Do you want to continue? [Y/n]
Get:1 http://security.debian.org stable/updates/main cvs 1.11.1p1debian-9
Fetched 1086kB in 0s (4849kB/s)
Preconfiguring packages ...
Can't exec "/tmp/config.14901": Permission denied at
/usr/share/perl/5.6.1/IPC/Open3.pm line 159.
open2: exec of /tmp/config.14901 configure 1.11.1p1debian-8.1 failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
cvs failed to preconfigure, with exit status 255
(Reading database ... 27704 files and directories currently installed.)
Preparing to replace cvs 1.11.1p1debian-8.1 (using
Unpacking replacement cvs ...
Setting up cvs (1.11.1p1debian-9) ...
Is it considered bad practice to mount /tmp with the noexec option? If not,
is there a way to tell apt to use another directory?
- Arnoud Warmerdam
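An added check, not part of the original post: a small POSIX sh audit that reads a /proc/mounts-style listing and reports which of the hardening options (noexec, nosuid, nodev) are missing from a given mount point, so the fstab setting described above can be verified on the running system. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the mount options of a
# mount point (such as /tmp) against the hardening flags noexec, nosuid, nodev.

# tmp_mount_opts FILE MOUNTPOINT
#   Prints the option list of MOUNTPOINT as found in FILE, a /proc/mounts-style
#   listing (device mountpoint fstype options dump pass). If the mount point
#   appears more than once, the last entry wins, matching the kernel's view.
tmp_mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# missing_hardening FILE MOUNTPOINT
#   Prints each of noexec/nosuid/nodev that is absent from MOUNTPOINT's
#   options, one per line. Returns 0 when all three are present, 1 otherwise
#   (also when MOUNTPOINT is not mounted at all).
missing_hardening() {
    opts=$(tmp_mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2 not mounted"
        return 1
    fi
    rc=0
    for want in noexec nosuid nodev; do
        # Surround with commas so "noexec" does not match inside another token.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# On a live system:  missing_hardening /proc/mounts /tmp
```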