Having a non-executable /tmp (noexec) wreaks havoc with apt-get

Jan 5th, 2012 | By | Category: Linux / Freebsd

For performance reasons I choose tmpfs as the filesystem of choice for /tmp and for security reasons I always make sure that /tmp has a noexec flag attached to it.  I’ve been admining webservers for 10 years now and by far the single greatest system wide breach of security happens with a script being placed in /tmp and being executed.  8 times out of 10 I would say.  So of course we can make sure that /tmp doesnt’ allow anything to be executed from inside of it however when it comes time to use apt-get and a program needs to be preconfigured you are going to run into a little problem, that being that nothing works and the program won’t install, spewing out the following:

Preconfiguring packages …
Can’t exec “/tmp/ssl-cert.config.16841″: Permission denied at /usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /tmp/ssl-cert.config.16841 configure failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
ssl-cert failed to preconfigure, with exit status 255
dpkg: unrecoverable fatal error, aborting:
syntax error: unknown group ‘Debian-exim’ in statoverride file
E: Sub-process /usr/bin/dpkg returned an error code (2)

So to get around that the boys over at Debian-Administration we’re kind enough to post the following solution:

Add the following to the file /etc/apt/apt.conf:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
This contains two lines, one running before any packing installation and one afterwards. They merely execute the commands required to add and remove the execute permissions on the /tmp


Tags: , , , , , , ,

One Comment to “Having a non-executable /tmp (noexec) wreaks havoc with apt-get”

  1. JoZ3 says:

    Thanks men!!!

Leave a Comment