Fwd: Bug 318135 (debconf: error on "noexec" mounted /tmp filesystem ): Needs postinst version check ?
I have already written to the mailing list about the subject a couple of times and sent bug reports; here is where things stand at the moment.
---------- Forwarded message ----------
From: James R. Van Zandt <...>
Date: 2010/5/28
Subject: Re: Bug 318135: Needs postinst version check ?
To: Savvas Radevic <...>, Alexey Pechnikov <...>
Savvas Radevic -
Thanks for suggesting a postinst check. However, I think checking
for specific version numbers is too fragile - it might not have been
the immediately preceding version that corrupted the conf file. I
decided instead to check directly for a valid conf file
(i.e. consisting only of comments, empty lines, and assignments of
integer values to variables).
Alexey Pechnikov -
Regarding the error
> Can't exec "/tmp/adjtimex.config.78111": Permission denied
which as you point out is bug # 566247
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566247
i.e. a known side-effect of mounting /tmp "noexec" as recommended here:
> http://www.debian-administration.org/article/Making_/tmp_non-executable
I find there the warning
> The only problem now is that when apt-get upgrades your system it will
> sometimes place scripts inside the temp directory which will now not
> be executable.
but also the fix:
> The fix for this is to temporarily make the temporary directory
> executable before running apt-get and then remove the execution bits
> afterwards. This would be a troublesome thing to remember doing
> ourselves - but thankfully we can set it up to be automatic.
>
>
> Add the following to the file /etc/apt/apt.conf:
>
> DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};
>
> This contains two lines, one running before any packing installation
> and one afterwards. They merely execute the commands required to add
> and remove the execute permissions on the /tmp
...so it appears somebody only partially implemented the "noexec"
option.
By the way, I think it's actually dpkg that runs the scripts. If a
sysadmin runs dpkg directly rather than using apt-get, I wouldn't
expect the suggested entries in /etc/apt/apt.conf to help.
- Jim Van Zandt
--
Best regards, Alexey Pechnikov.
http://pechnikov.tel/
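
The validity check described in the forwarded message (a conf file made up only of comments, empty lines and integer assignments), written out as an added shell example; it is not the adjtimex package's own postinst code. The function names, the sample variable names and values, and the decision to accept a double-quoted integer or a trailing comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: not the adjtimex package's postinst.
# Allowed line forms, following the message: empty line, comment,
# or NAME=<integer>. Accepting a double-quoted integer and a trailing
# comment is an assumption of this example.
ALLOWED='^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=(-?[0-9]+|"-?[0-9]+")([[:space:]]+#.*)?[[:space:]]*$'

# conf_bad_lines FILE: print "lineno:text" for each line outside ALLOWED.
# Exit status is grep's: 0 = bad lines found, 1 = none, 2 = read error.
conf_bad_lines() {
    grep -Env -- "$ALLOWED" "$1"
}

# conf_is_valid FILE: 0 = valid, 1 = invalid content, 2 = missing/unreadable.
conf_is_valid() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    conf_bad_lines "$1" >/dev/null && rc=0 || rc=$?
    case $rc in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# make_samples DIR: write constructed sample files (names and values made up).
make_samples() {
    printf '%s\n' '# constructed sample' '' 'TICK=10000' \
        'FREQ="-1500"  # note' > "$1/good.conf"
    printf '%s\n' '# constructed sample' 'TICK=10000' \
        'FREQ=$(id)' 'TICK=1; echo x' > "$1/bad.conf"
}

# Demo, run only with --demo: data files are written and read, never executed,
# so a noexec mount on the temporary directory does not matter here.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) || exit 1
    make_samples "$d"
    for f in "$d/good.conf" "$d/bad.conf"; do
        if conf_is_valid "$f"; then
            echo "$f: ok"
        else
            echo "$f: rejected:"; conf_bad_lines "$f"
        fi
    done
    rm -rf "$d"
fi
```

Because the check looks at the file's content rather than at package version numbers, it rejects command substitutions and chained commands as well as plain corruption.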