:: Re: [DNG] OpenVPN 2.5.1-3+devuan1 p…
Forside
Slet denne besked
Besvar denne besked
Skribent: Hector Gonzalez Jaime
Dato:  
Til: dng
Emne: Re: [DNG] OpenVPN 2.5.1-3+devuan1 packaging vs best practices

On 7/26/22 10:00, Ken Dibble wrote:
> On 7/25/22 09:29, Ken Dibble wrote:
>>
>> This is the first time I have seen this with any package.
>>
>> I have no idea whether it has happened with packages not installed on
>> my systems.
>>
>> It is my understanding that best practice is noexec on /tmp and that
>> this is a Debian recommendation.
>>
>> Here is the relevant line from /etc/fstab.
>>
>> tmpfs   /tmp    tmpfs defaults,noatime,mode=1777,nosuid,noexec,nodev 
>> 0  0
>>
>>
>> Here is the error message.
>>
>> sudo apt-get dist-upgrade
>>
>> .
>>
>> .
>>
>> Preconfiguring packages ...
>> Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at
>> /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
>> open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1
>> failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm
>> line 59.
>> .
>>
>> .
>>
>> The (apparent) recommendation from bug report 129289 in 2002 is to set
>>
>> APT::ExtractTemplates::TempDir
>> in apt.conf to some directory which is mounted with exec
>>
>> and
>> As of version 0.5.8, apt supports TMPDIR for determining where
>> apt-extracttemplates puts its temporary files. If you have a noexec
>> /tmp, use this or other documented means to make apt-extracttemplates
>> use a directory that does accept executables
>>
>> As of 2018 Bug #887099, merged with sundry other bug reports of the same type
>> Control: reassign -1 debconf 1.5.61
>> Control: forcemerge 566247 -1
>> This appears to be a generic issue in debconf, so I'm reassigning it to
>> debconf and merging it with the existing bugs tracking the same issue.
>>
>> There doesn't seem to be any activity after that.
>>
>> Is there a best practice for the method of selecting and setting this
>> directory?
>>
>> Thanks,
>>
>> Ken
>>
>
> Replying to my own message:
>
> It appears that this problem with debconf has been around for 2
> decades and
>
> the maintainers are at odds with the debian position about "/tmp" and
> noexec.
>
>
> That being said I am going with
>
> echo "APT::ExtractTemplates::TempDir \"/var/tmp\";"
> >/etc/apt/apt.conf.d/50extracttemplates
>
> unless someone has a better idea or a reason not to.
>
> I am aware that Debian does not by default clean up /var/tmp and it
> will be my responsibility to
>
> check it for things left around.
>

This would just make /var/tmp the target for attacks instead of /tmp  if
you protect /tmp with noexec, you should do the same with /var/tmp.

I think you could use any root writable dir, I don't see why it would
need to be writable by all users, if apt* is running as root.

If you think it's simpler, you can create a file, say
/etc/apt/apt.conf.d/99-remounttmp.conf  with this:


DPkg {
    // Auto re-mounting of a exec-only /tmp
    Pre-Invoke { "mount -o remount,exec /tmp"; };
    Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o
remount,noexec /tmp || true"; };
};

I don't remember where I found this, but have used it for a while.


> Thanks,
>
> Ken
>
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


--
Hector Gonzalez
cacho@???