
Re: Making /tmp noexec



On 2010-11-12 14:30 +0100, James Allsopp wrote:

> Hi,
> I was reading this page about making tmp non-executable
> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
> little out of date as I'm using Squeeze.
>
> I changed fstab, and edited my 70debconf to
>
> DPkg::Pre-Install-Pkgs {"mount -o remount,exec
> /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
> DPkg::Post-Invoke{"mount -o remount /tmp";};

A better option would be to set APT::ExtractTemplates::TempDir to a
directory where programs can be executed.  See apt-extracttemplates(1).

> is this correct? Aptitude still works fine, but I was wondering if
> anyone had experience of pitfalls with this?

While dpkg is running, programs in /tmp are executable.  If you're
paranoid enough, this may worry you.

> Would I replicate this for my /var partition

If you do this, you have to relocate /var/lib/dpkg/info to another
filesystem and bind-mount or symlink it so that the package maintainer
scripts can be run.

> and is there any point to doing this with /home?

It may help a little if you cannot trust your users, but note that they
can still run (at least) shell, perl and awk scripts by invoking the
interpreter.

Sven

