It is reasonable to request that these hooks use -e instead of -x for maximum compatibility. However:
> Is ubuntu officially supporting hardening (I think so as Debian is doing it)?

No. The existence of third-party "hardening" guides does not translate to Ubuntu supporting this configuration. dpkg itself relies *extensively* on the ability to execute scripts from /tmp, as described at <https://askubuntu.com/questions/574259/will-mounting-tmp-with-noexec-and-nosuid-cause-problems>.

You mention the Securing Debian HOWTO, which does not say that this is recommended or mandatory for securing a system, and specifically calls out problems with noexec /tmp and the package manager.

https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10

(The linked bug is closed with a recommended workaround. If you were using that workaround, you would not be having problems with cryptsetup's hooks, since initramfs-tools also respects TMPDIR.)

And these hooks come from Debian as-is. So this is no more supported by the cryptsetup package in Debian than it is in Ubuntu.

** Changed in: cryptsetup (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: cryptsetup (Ubuntu)
   Status: New => Triaged

https://bugs.launchpad.net/bugs/1791241

Title:
  If /var/tmp is mounted with noexec the scripts skip the copy of some files
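As an added example (not part of this bug comment, nor code from cryptsetup or initramfs-tools): a POSIX shell check that reports whether a directory sits on a `noexec` mount, the situation in which the bug title says the hooks skip files, and that picks the first candidate directory that does not, for use as `TMPDIR`. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# mount_opts_for PATH [TABLE]: print the mount options of the filesystem that
# holds the absolute PATH. The longest matching mount point wins, and a later
# entry for the same mount point overrides an earlier one. Without TABLE the
# live /proc/mounts is read. Mount points containing spaces (\040) are not handled.
mount_opts_for() (
    path=$1 best='' best_opts=''
    while read -r _dev mnt _type opts _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "${#best}" ]; then best=$mnt best_opts=$opts; fi ;;
        esac
    done <<EOF
${2-$(cat /proc/mounts)}
EOF
    printf '%s\n' "$best_opts"
)

# is_noexec PATH [TABLE]: succeed if PATH lives on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
    esac
    return 1
}

# first_exec_dir TABLE DIR...: print the first DIR that is not on a noexec
# mount; fail if every candidate is noexec.
first_exec_dir() {
    table=$1; shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$table"; then printf '%s\n' "$dir"; return 0; fi
    done
    return 1
}

# Demo on the constructed table.
for d in /var/tmp /tmp /run; do
    if is_noexec "$d" "$SAMPLE_MOUNTS"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
```

On a real system, pass `"$(cat /proc/mounts)"` as the table and export the directory that `first_exec_dir` prints as `TMPDIR` before the initramfs is regenerated.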
