@jblainemitre indeed - but presumably one can pick any directory? I'm
assuming there's no particular requirement that the selected dir is
world-writeable like /tmp and /var/tmp (or at least there doesn't seem
to be in my setup?)
--
You received this bug notification because you are a member of
On Ubuntu 18.04 with noexec on /tmp running 'apt-get install -y selinux'
and then doing a required reboot will give you a non-booting host.
As an aside, the same security guidance (CIS Benchmarks for one) about
noexec on /tmp should be applied to /var/tmp, so changing
My workaround uses a dedicated directory for apt that is noexec as well
but becomes temporally during installs:
/etc/fstab:
tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
tmpfs /var/tmp/apt tmpfs
defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
I found this discussion / bug thread while looking for a solution to an
inability to install packages on a VPS in my Dreamhost account.
Dreamhost has /tmp mounted with noexec and there's some kind of
permission preventing me from remounting it to turn off noexec.
I don't know the ins and outs of
by invoking the executable with the help of the dynamic Linux loader.
Although you are right, in real world vulnerability exploitation you
often don't control much of the environment, sometimes even the way an
executable gets executed.
The reason most people mount tmp with noexec is that it is
Please let the user decide if using a /tmp noexec mount point is more
secure or not.
That doesn't even make sense. It's a fact that mounting /tmp with
noexec doesn't give you any extra security simply because you can
simply circumvent it by invoking the executable with the help of the
dynamic
In shared hosting environments, even root may not have control over
mount points, so Don't do that and noexec is useless are not useful
replies.
APT::ExtractTemplates::TempDir /var/tmp;
Is useful, however. Thank you, Hans. (In my case, /var/tmp is also
noexec, but I can set it to something
What exactly ConfModule.pm do on preconfigure stage and why running
from /tmp is necessary?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/90085
Title:
When /tmp is mounted noexec, preconfigure
Seconded. I've seen and been annoyed by the horkage. Ogres, onions, and
security all have layers.
--
When /tmp is mounted noexec, preconfigure fails
https://bugs.launchpad.net/bugs/90085
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Please let the user decide if using a /tmp noexec mount point is more secure or
not.
I think it is, for many reasons, and I'm a security analyst. Of course it can
bring a false sense of security, like everything else, but do we give up
firewalls, IDS and even passwords for the same reason? No
Precisely so: don't do that. It's not like noexec actually buys you any
real security, as the system is riddled with workarounds for it (e.g.
you can trivially execute a non-executable script in most scripting
languages simply by explicitly using the interpreter name).
** Bug watch added: Debian
** Changed in: debconf (Debian)
Status: Unknown = Confirmed
--
When /tmp is mounted noexec, preconfigure fails
https://bugs.launchpad.net/bugs/90085
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing
ConfModule.pm is part of debconf. However, I suspect that the debconf
developers will say that running with /tmp noexec is not supported. Ie,
Don't Do That Then.
** Changed in: debconf (Ubuntu)
Sourcepackagename: dpkg = debconf
--
When /tmp is mounted noexec, preconfigure fails
This has nothing to do with mysql-dfsg-5.0 package. It may be an issue
with dpkg.
** Changed in: dpkg (Ubuntu)
Sourcepackagename: mysql-dfsg-5.0 = dpkg
--
When /tmp is mounted noexec, preconfigure fails
https://bugs.launchpad.net/bugs/90085
You received this bug notification because you are a
I'm not an expert, but I'd try adding these two lines to /etc/apt/apt.conf:
DPkg::Pre-Invoke {mount -o remount,exec /tmp;};
DPkg::Post-Invoke {mount -o remount /tmp;};
This should remount /tmp as exec long enough for preconfigure packages
with apt, then remount again as noexec after
15 matches
Mail list logo
