
Fwd: Bug 318135 (debconf: error on "noexec" mounted /tmp filesystem ): Needs postinst version check ?



I have already written to the list about this subject a couple of times and sent bug reports; here is where things stand at the moment.


---------- Forwarded message ----------
From: James R. Van Zandt <...>
Date: 2010/5/28
Subject: Re: Bug 318135: Needs postinst version check ?
To: Savvas Radevic <...>, Alexey Pechnikov <...>


Savvas Radevic -

Thanks for suggesting a postinst check.  However, I think checking
for specific version numbers is too fragile - it might not have been
the immediately preceding version that corrupted the conf file.  I
decided instead to check directly for a valid conf file
(i.e. consisting only of comments, empty lines, and assignments of
integer values to variables).


Alexey Pechnikov -

Regarding the error
> Can't exec "/tmp/adjtimex.config.78111": Permission denied

which as you point out is bug # 566247
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566247

i.e. a known side-effect of mounting /tmp "noexec" as recommended here:
> http://www.debian-administration.org/article/Making_/tmp_non-executable

I find there the warning
> The only problem now is that when apt-get upgrades your system it will
> sometimes place scripts inside the temp directory which will now not
> be executable.

but also the fix:
> The fix for this is to temporarily make the temporary directory
> executable before running apt-get and then remove the execution bits
> afterwards. This would be a troublesome thing to remember doing
> ourselves - but thankfully we can set it up to be automatic.
>
>
> Add the following to the file /etc/apt/apt.conf:
>
> DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};
>
> This contains two lines, one running before any packing installation
> and one afterwards. They merely execute the commands required to add
> and remove the execute permissions on the /tmp

...so it appears somebody only partially implemented the "noexec"
option.

By the way, I think it's actually dpkg that runs the scripts.  If a
sysadmin runs dpkg directly rather than using apt-get, I wouldn't
expect the suggested entries in /etc/apt/apt.conf to help.

         - Jim Van Zandt



-- 
Best regards, Alexey Pechnikov.
http://pechnikov.tel/
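The conf-file check James describes above (accept a file only if it consists of comments, empty lines, and integer assignments to variables), written out as an added POSIX sh example. This is not the adjtimex package's actual postinst code; the sample files, their contents and the assumed line shape NAME=[-]digits (quoted values are treated as invalid here) are constructed for the example.

```shell
#!/bin/sh
# Added example, not the adjtimex package's own postinst: decide whether a
# conf file is sane before sourcing it, instead of guessing from the version
# of the package that previously wrote it.

# conf_is_valid FILE
# Returns 0 when every line is a comment, blank, or NAME=INTEGER;
# returns 1 when the file is unreadable or contains any other line.
conf_is_valid() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # 1st grep: drop comment lines and blank/whitespace-only lines.
    # 2nd grep: drop well-formed integer assignments (assumed shape).
    # 3rd grep: anything left over means the file is not acceptable.
    if grep -v -E '^[[:space:]]*(#|$)' "$conf" \
        | grep -v -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=-?[0-9]+[[:space:]]*$' \
        | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed sample files standing in for /etc/default/adjtimex.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CONF="$SAMPLE_DIR/good.conf"
BAD_CONF="$SAMPLE_DIR/bad.conf"

cat > "$GOOD_CONF" <<'EOF'
# constructed sample: comments, a blank line, integer assignments only
TICK=10000

FREQ=0
EOF

cat > "$BAD_CONF" <<'EOF'
# constructed sample: corrupted by an earlier run, as in the bug report
TICK=10000
FREQ=
garbage line here
EOF

# What a postinst would do with the verdict: keep a valid file, regenerate
# an invalid one instead of sourcing it.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if conf_is_valid "$f"; then
        echo "$f: valid, keeping"
    else
        echo "$f: INVALID, would regenerate defaults"
    fi
done
```

The check looks only at syntax, so a file with a plausible but wrong integer still passes; the point is to never `source` a line that could execute arbitrary text, and to avoid tying the repair to specific package versions as the message explains.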

