on Tue, Oct 23, 2001 at 06:28:18PM +1000, Andrew Pollock (andrew@andrew.net.au) wrote:
> On Tue, 23 Oct 2001, Karsten M. Self wrote:
>
> > on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock (andrew@andrew.net.au) wrote:
> > > Hi,
> > >
> > > I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere
> > > that that was a good way to go security-wise.
> >
> > It is, but...
> >
> > > It seems that some package related configuration stuff writes
> > > temporary scripts into /tmp, which then don't run because /tmp's
> > > mounted noexec
> >
> > ...it creates problems.
> >
> > Incidentally, what package is doing this? I'd been asked this once
> > after suggesting 'noexec' and wasn't aware of specific executables.
> > I've also found that the PCMCIA cardmgr wants to put a device file
> > on /tmp, and had to modify the init.d script for it to do a remount.
>
> This particular occasion was the faqomatic package, I was upgrading to
> the version in unstable. I'm not sure whether it's a debconf thing or
> a Perl thing. I'm still learning the internals of packages, and the
> scripts internal to the package don't make a lot of sense to me at the
> moment.

Hmm... Sounds like the install scripts may be somewhat borked. I've
taken a quick read through debian-policy and I'm not sure this does or
doesn't correspond. Might not hurt to ask though.

> > Note that *any* mount option is going to be relatively easy to
> > change with the -remount option -- this can be done without
> > umounting the partition. I'd prolly acquiesce and mount /tmp
> > executable, seeing as there are several pretty trivial ways of
> > getting around this exclusion, so it is somewhat pointless.
>
> Yeah, I think I'll do that.

It's the easy way out, and I don't think it's too far wrong.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html
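
Added example, not part of the original message: because a remount changes mount options at run time, the live mount table, not /etc/fstab, is what tells you whether /tmp still carries noexec, nosuid and nodev. The sketch below audits those options and wraps a single command (such as a package upgrade) in a temporary exec remount that restores noexec afterwards. The function names and the sample mount table are constructed for illustration, and `mount -o remount` is the standard mount syntax rather than anything quoted from the thread.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device names are made up).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext2 rw 0 0
/dev/hda5 /tmp ext2 rw,noexec,nosuid,nodev 0 0
/dev/hda6 /var/tmp ext2 rw,nosuid 0 0
EOF
}

# Print the hardening options missing from a mount point's live options.
# Usage: missing_opts MOUNTPOINT [MOUNTS_FILE]  ("-" reads stdin,
# default /proc/mounts). Prints an empty line when nothing is missing.
missing_opts() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; found = 1 }   # last matching entry wins
        END {
            if (!found) { print "not-a-mountpoint"; exit }
            n = split("noexec nosuid nodev", want, " ")
            split(opts, have, ",")
            for (i in have) set[have[i]] = 1
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in set)) out = out (out == "" ? "" : " ") want[i]
            print out
        }' "${2:-/proc/mounts}"
}

# Run one command with /tmp executable, then put noexec back even when
# the command fails. Needs root; defined here but not called.
with_exec_tmp() {
    mount -o remount,exec /tmp || return 1
    rc=0
    "$@" || rc=$?
    mount -o remount,noexec /tmp || return 1
    return "$rc"
}

# Demo on the constructed table.
for mp in /tmp /var/tmp; do
    printf '%s missing: [%s]\n' "$mp" "$(sample_mounts | missing_opts "$mp" -)"
done
```

Running `missing_opts /tmp` with no second argument checks the real /proc/mounts, which is worth doing after any script that remounts /tmp has finished.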