
Re: Package configuration with /tmp mounted noexec



on Tue, Oct 23, 2001 at 06:28:18PM +1000, Andrew Pollock (andrew@andrew.net.au) wrote:
> On Tue, 23 Oct 2001, Karsten M. Self wrote:
> 
> > on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock (andrew@andrew.net.au) wrote:
> > > Hi,
> > > 
> > > I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere
> > > that that was a good way to go security-wise.
> > 
> > It is, but...
> > 
> > > It seems that some package related configuration stuff writes
> > > temporary scripts into /tmp, which then don't run because /tmp's
> > > mounted noexec
> > 
> > ...it creates problems.
> > 
> > Incidentally, what package is doing this?  I'd been asked this once
> > after suggesting 'noexec' and wasn't aware of specific executables.
> > I've also found that the PCMCIA cardmgr wants to put a device file
> > on /tmp, and had to modify the init.d script for it to do a remount.
> 
> This particular occasion was the faqomatic package, I was upgrading to
> the version in unstable. I'm not sure whether it's a debconf thing or
> a Perl thing. I'm still learning the internals of packages, and the
> scripts internal to the package don't make a lot of sense to me at the
> moment.

Hmm...

Sounds like the install scripts may be somewhat borked.  I've taken a
quick read through debian-policy and I'm not sure this does or doesn't
correspond.  Might not hurt to ask though.

> > Note that *any* mount option is going to be relatively easy to
> > change with the -remount option -- this can be done without
> > umounting the partition.  I'd prolly acquiesce and mount /tmp
> > executable, seeing as there are several pretty trivial ways of
> > getting around this exclusion, so it is somewhat pointless.
> 
> Yeah, I think I'll do that.

It's the easy way out, and I don't think it's too far wrong.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html
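
Added example, not part of the original post: since mount options on /tmp can change after boot (a remount, or a later mount over the same directory), this sketch audits which of noexec, nosuid and nodev are actually in effect for a mount point. The function names and the sample mounts table are constructed for illustration; on a live system pass /proc/mounts as the table.

```shell
#!/bin/sh
# Added example: report which hardening options are missing on a mount point.
# Table format is that of /proc/mounts: device mountpoint fstype options dump pass.

# Print the option string in effect for mount point $1 in table $2.
# A later line for the same mount point covers an earlier one, so the last match wins.
effective_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "$2"
}

# Print the options out of "noexec nosuid nodev" that are absent for mount
# point $1 in table $2 (empty output means all three are set), or
# "not-mounted" when the table has no entry for that mount point.
missing_hardening() {
    opts=$(effective_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                              # option present
            *) missing="${missing:+$missing }$want" ;;   # option absent
        esac
    done
    echo "$missing"
}

# Constructed sample table (not from a real host). The second /tmp line models
# a later mount over /tmp that no longer carries noexec.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda5 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda6 /var/tmp ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF

for mp in /tmp /var/tmp; do
    echo "$mp: missing [$(missing_hardening "$mp" "$SAMPLE")]"
done
```

Run from cron or a boot script against /proc/mounts, a non-empty result for /tmp flags the case discussed above where a script remounted the filesystem and the restrictive options were not restored.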
