On Sat, Apr 07, 2001 at 02:13:06PM +0200, Matus fantomas Uhlar wrote:
> Hello,
>
> I mounted /var as noexec/nodev because of security reasons.
> I created partition /exec for using it on scripts etc that needs to be
> executed.
>
> Now I can't install packages - dpkg extracts package into
> /var/lig/dpkg/tmp.ci directory which is created for every new package and
> removed after installation.
>
> the workaround could be moving whole /var/lig/dpkg to /exec partition and
> making a symlink from /var/lib.
>
> Well I don't like this way. prerm and postinst scripts are stored in
> /var/lib/dpkg/info - making THIS a symlink seems much better.
>
> but I even would like dpkg to put all scripts in separate directory and run
> it from there.
>
> making tmp.ci a symlink to /exec is impossible because that symlink would be
> removed every time dpkg is called
>
> Therefore I propose changing dpkg behaviour - store all scripts in separate
> directory that wouldn't be removed every time dpkg is called.
>
> comments?

yes, just remove the noexec for /var. noexec provides no real
security whatsoever. nosuid,nodev are more useful.

try this:

$ cp /bin/date /noexecfs
$ /noexecfs/date
(you get a permission denied)
$ /lib/ld-2.1.3.so /noexecfs/date
(date runs normally)

this is for potato, woody/sid would probably be /lib/ld-2.2.2.so or
something.

the point is noexec does not prevent you from running binaries on that
filesystem. same thing with shell scripts, /bin/sh
/noexecfs/shellscript.sh works just fine without even execute
permissions.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
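
An added example, not part of the original message: a detection sketch that flags the two cases described above (the dynamic loader or a shell being handed a file that lives on a noexec mount). The mount table and the audit EXECVE records are constructed sample data, the record layout is assumed to be the Linux audit `type=EXECVE` form, and the `LOADERS` list is an assumption to extend for your own systems.

```python
import re
from posixpath import basename, normpath

# Constructed sample data (not from the original message).
MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
/dev/hda5 /var ext2 rw,noexec,nodev 0 0
/dev/hda6 /noexecfs ext2 rw,noexec,nosuid,nodev 0 0
"""
EXECVE_RECORDS = """\
type=EXECVE msg=audit(986645586.101:41): argc=2 a0="/lib/ld-2.1.3.so" a1="/noexecfs/date"
type=EXECVE msg=audit(986645590.222:42): argc=2 a0="/bin/sh" a1="/noexecfs/shellscript.sh"
type=EXECVE msg=audit(986645595.333:43): argc=2 a0="/bin/sh" a1="/usr/local/bin/backup.sh"
type=EXECVE msg=audit(986645599.444:44): argc=1 a0="/bin/date"
"""

# Programs that read and run a file passed as an argument, so the kernel's
# noexec check on that file is never applied. Assumed list; extend as needed.
LOADERS = re.compile(r"^(ld-[\d.]+\.so|ld-linux.*\.so(\.\d+)?|sh|bash|dash|perl|python[\d.]*)$")

def noexec_mounts(mount_table):
    """Return mount points whose options include noexec."""
    points = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1])
    return points

def on_mount(path, mount_point):
    path = normpath(path)
    return path == mount_point or path.startswith(mount_point.rstrip("/") + "/")

def find_bypasses(records, mount_table):
    """Return (loader, target) pairs where a loader ran a file on a noexec mount."""
    mounts = noexec_mounts(mount_table)
    hits = []
    for line in records.splitlines():
        argv = [v for _, v in re.findall(r'\ba(\d+)="([^"]*)"', line)]
        if not argv or not LOADERS.match(basename(argv[0])):
            continue
        for arg in argv[1:]:
            if any(on_mount(arg, m) for m in mounts):
                hits.append((argv[0], arg))
    return hits

if __name__ == "__main__":
    for loader, target in find_bypasses(EXECVE_RECORDS, MOUNTS):
        print(f"{loader} executed {target} from a noexec filesystem")
```

The check matches on argv[0] and on absolute path arguments only; relative paths would need the working directory from the accompanying audit records.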