Re: [DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices
On 7/26/22 14:17, Hector Gonzalez Jaime via Dng wrote:
On 7/26/22 10:00, Ken Dibble wrote:
On 7/25/22 09:29, Ken Dibble wrote:
This is the first time I have seen this with any package.
I have no idea whether it has happened with packages not installed
on my systems.
It is my understanding that best practice is noexec on /tmp and that
this is a Debian recommendation.
Here is the relevant line from /etc/fstab.
tmpfs /tmp tmpfs
defaults,noatime,mode=1777,nosuid,noexec,nodev 0 0
Here is the error message.
sudo apt-get dist-upgrade
.
.
Preconfiguring packages ...
Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at
/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1
failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm
line 59.
.
.
The (apparent) recommendation from bug report 129289 in 2002 is to set
APT::ExtractTemplates::TempDir
in apt.conf to some directory which is mounted with exec
and
As of version 0.5.8, apt supports TMPDIR for determining where
apt-extracttemplates puts its temporary files. If you have a noexec
/tmp, use this or other documented means to make apt-extracttemplates
use a directory that does accept executables
As of 2018 Bug #887099, merged with sundry other bug reports of the
same type
Control: reassign -1 debconf 1.5.61
Control: forcemerge 566247 -1
This appears to be a generic issue in debconf, so I'm reassigning it to
debconf and merging it with the existing bugs tracking the same issue.
There doesn't seem to be any activity after that.
Is there a best practice for the method of selecting and setting
this directory?
Thanks,
Ken
Replying to my own message:
It appears that this problem with debconf has been around for 2
decades and
the maintainers are at odds with the debian position about "/tmp" and
noexec.
That being said I am going with
echo "APT::ExtractTemplates::TempDir \"/var/tmp\";"
>/etc/apt/apt.conf.d/50extracttemplates
unless someone has a better idea or a reason not to.
I am aware that Debian does not by default clean up /var/tmp and it
will be my responsibility to
check it for things left around.
This would just make /var/tmp the target for attacks instead of /tmp
if you protect /tmp with noexec, you should do the same with /var/tmp.
I think you could use any root writable dir, I don't see why it would
need to be writable by all users, if apt* is running as root.
If you think it's simpler, you can create a file, say
/etc/apt/apt.conf.d/99-remounttmp.conf with this:
DPkg {
// Auto re-mounting of a exec-only /tmp
Pre-Invoke { "mount -o remount,exec /tmp"; };
Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o
remount,noexec /tmp || true"; };
};
I don't remember where I found this, but have used it for a while.
Thank you very much. Here is the source for that:
https://wiki.debian.org/ReadonlyRoot
I looked forever in the wrong places using debconf as search criteria
since that is
where the issue is (IMO). There are some clues in the apt.conf
manpage, but no index
of allowable directives.
There appears to be an index of allowable directives at
https://github.com/szaydel/Rigel-Major/blob/master/config-files/apt.conf
Like most things you have to know where and how to ask.
The directives are also available with: apt-config dump.
The manpage for apt-config is less than helpful in this instance.
For dump it says: Just show the contents of the configuration space.
which is helpful if you know that the directives are in the contents of
the configuration space,
otherwise, not so much.
I guess that leaves me to create a new partition on each machine to use
as /var/tmp.
Thank you again.
Ken
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices
On 7/26/22 10:00, Ken Dibble wrote:
On 7/25/22 09:29, Ken Dibble wrote:
This is the first time I have seen this with any package.
I have no idea whether it has happened with packages not installed on
my systems.
It is my understanding that best practice is noexec on /tmp and that
this is a Debian recommendation.
Here is the relevant line from /etc/fstab.
tmpfs /tmp tmpfs defaults,noatime,mode=1777,nosuid,noexec,nodev
0 0
Here is the error message.
sudo apt-get dist-upgrade
.
.
Preconfiguring packages ...
Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at
/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1
failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm
line 59.
.
.
The (apparent) recommendation from bug report 129289 in 2002 is to set
APT::ExtractTemplates::TempDir
in apt.conf to some directory which is mounted with exec
and
As of version 0.5.8, apt supports TMPDIR for determining where
apt-extracttemplates puts its temporary files. If you have a noexec
/tmp, use this or other documented means to make apt-extracttemplates
use a directory that does accept executables
As of 2018 Bug #887099, merged with sundry other bug reports of the same type
Control: reassign -1 debconf 1.5.61
Control: forcemerge 566247 -1
This appears to be a generic issue in debconf, so I'm reassigning it to
debconf and merging it with the existing bugs tracking the same issue.
There doesn't seem to be any activity after that.
Is there a best practice for the method of selecting and setting this
directory?
Thanks,
Ken
Replying to my own message:
It appears that this problem with debconf has been around for 2
decades and
the maintainers are at odds with the debian position about "/tmp" and
noexec.
That being said I am going with
echo "APT::ExtractTemplates::TempDir \"/var/tmp\";"
>/etc/apt/apt.conf.d/50extracttemplates
unless someone has a better idea or a reason not to.
I am aware that Debian does not by default clean up /var/tmp and it
will be my responsibility to
check it for things left around.
This would just make /var/tmp the target for attacks instead of /tmp if
you protect /tmp with noexec, you should do the same with /var/tmp.
I think you could use any root writable dir, I don't see why it would
need to be writable by all users, if apt* is running as root.
If you think it's simpler, you can create a file, say
/etc/apt/apt.conf.d/99-remounttmp.conf with this:
DPkg {
// Auto re-mounting of a exec-only /tmp
Pre-Invoke { "mount -o remount,exec /tmp"; };
Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o
remount,noexec /tmp || true"; };
};
I don't remember where I found this, but have used it for a while.
Thanks,
Ken
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
--
Hector Gonzalez
ca...@genac.org
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices
On 7/25/22 09:29, Ken Dibble wrote: This is the first time I have seen this with any package. I have no idea whether it has happened with packages not installed on my systems. It is my understanding that best practice is noexec on /tmp and that this is a Debian recommendation. Here is the relevant line from /etc/fstab. tmpfs /tmp tmpfs defaults,noatime,mode=1777,nosuid,noexec,nodev 0 0 Here is the error message. sudo apt-get dist-upgrade . . Preconfiguring packages ... Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. . . The (apparent) recommendation from bug report 129289 in 2002 is to set APT::ExtractTemplates::TempDir in apt.conf to some directory which is mounted with exec and As of version 0.5.8, apt supports TMPDIR for determining where apt-extracttemplates puts its temporary files. If you have a noexec /tmp, use this or other documented means to make apt-extracttemplates use a directory that does accept executables As of 2018 Bug #887099, merged with sundry other bug reports of the same type Control: reassign -1 debconf 1.5.61 Control: forcemerge 566247 -1 This appears to be a generic issue in debconf, so I'm reassigning it to debconf and merging it with the existing bugs tracking the same issue. There doesn't seem to be any activity after that. Is there a best practice for the method of selecting and setting this directory? Thanks, Ken Replying to my own message: It appears that this problem with debconf has been around for 2 decades and the maintainers are at odds with the debian position about "/tmp" and noexec. That being said I am going with echo "APT::ExtractTemplates::TempDir \"/var/tmp\";" >/etc/apt/apt.conf.d/50extracttemplates unless someone has a better idea or a reason not to. I am aware that Debian does not by default clean up /var/tmp and it will be my responsibility to check it for things left around. Thanks, Ken ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices
This is the first time I have seen this with any package. I have no idea whether it has happened with packages not installed on my systems. It is my understanding that best practice is noexec on /tmp and that this is a Debian recommendation. Here is the relevant line from /etc/fstab. tmpfs /tmp tmpfs defaults,noatime,mode=1777,nosuid,noexec,nodev 0 0 Here is the error message. sudo apt-get dist-upgrade . . Preconfiguring packages ... Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. . . The (apparent) recommendation from bug report 129289 in 2002 is to set APT::ExtractTemplates::TempDir in apt.conf to some directory which is mounted with exec and As of version 0.5.8, apt supports TMPDIR for determining where apt-extracttemplates puts its temporary files. If you have a noexec /tmp, use this or other documented means to make apt-extracttemplates use a directory that does accept executables As of 2018 Bug #887099, merged with sundry other bug reports of the same type Control: reassign -1 debconf 1.5.61 Control: forcemerge 566247 -1 This appears to be a generic issue in debconf, so I'm reassigning it to debconf and merging it with the existing bugs tracking the same issue. There doesn't seem to be any activity after that. Is there a best practice for the method of selecting and setting this directory? Thanks, Ken ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
