On 7/26/22 14:17, Hector Gonzalez Jaime via Dng wrote:
>
> On 7/26/22 10:00, Ken Dibble wrote:
>> On 7/25/22 09:29, Ken Dibble wrote:
>>>
>>> This is the first time I have seen this with any package.
>>>
>>> I have no idea whether it has happened with packages not installed
>>> on my systems.
>>>
>>> It is my understanding that best practice is noexec on /tmp and that
>>> this is a Debian recommendation.
>>>
>>> Here is the relevant line from /etc/fstab.
>>>
>>> tmpfs   /tmp    tmpfs
>>> defaults,noatime,mode=1777,nosuid,noexec,nodev  0  0
>>>
>>>
>>> Here is the error message.
>>>
>>> sudo apt-get dist-upgrade
>>>
>>> .
>>>
>>> .
>>>
>>> Preconfiguring packages ...
>>> Can't exec "/tmp/openvpn.config.NDxHMl": Permission denied at
>>> /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
>>> open2: exec of /tmp/openvpn.config.NDxHMl configure 2.5.1-3+devuan1
>>> failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm
>>> line 59.
>>> .
>>>
>>> .
>>>
>>> The (apparent) recommendation from bug report 129289 in 2002 is to set
>>>
>>> APT::ExtractTemplates::TempDir
>>> in apt.conf to some directory which is mounted with exec
>>>
>>> and
>>> As of version 0.5.8, apt supports TMPDIR for determining where
>>> apt-extracttemplates puts its temporary files. If you have a noexec
>>> /tmp, use this or other documented means to make apt-extracttemplates
>>> use a directory that does accept executables
>>>
>>> As of 2018 Bug #887099, merged with sundry other bug reports of the
>>> same type
>>> Control: reassign -1 debconf 1.5.61
>>> Control: forcemerge 566247 -1
>>> This appears to be a generic issue in debconf, so I'm reassigning it to
>>> debconf and merging it with the existing bugs tracking the same issue.
>>>
>>> There doesn't seem to be any activity after that.
>>>
>>> Is there a best practice for the method of selecting and setting
>>> this directory?
>>>
>>> Thanks,
>>>
>>> Ken
>>>
>>
>> Replying to my own message:
>>
>> It appears that this problem with debconf has been around for 2
>> decades and
>>
>> the maintainers are at odds with the debian position about "/tmp" and
>> noexec.
>>
>>
>> That being said I am going with
>>
>> echo "APT::ExtractTemplates::TempDir \"/var/tmp\";"
>> >/etc/apt/apt.conf.d/50extracttemplates
>>
>> unless someone has a better idea or a reason not to.
>>
>> I am aware that Debian does not by default clean up /var/tmp and it
>> will be my responsibility to
>>
>> check it for things left around.
>>
> This would just make /var/tmp the target for attacks instead of /tmp 
> if you protect /tmp with noexec, you should do the same with /var/tmp.
>
> I think you could use any root writable dir, I don't see why it would
> need to be writable by all users, if apt* is running as root.
>
> If you think it's simpler, you can create a file, say
> /etc/apt/apt.conf.d/99-remounttmp.conf  with this:
>
>
> DPkg {
>     // Auto re-mounting of a exec-only /tmp
>     Pre-Invoke { "mount -o remount,exec /tmp"; };
>     Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o
> remount,noexec /tmp || true"; };
> };
>
> I don't remember where I found this, but have used it for a while.


Thank you very much.  Here is the source for that:
https://wiki.debian.org/ReadonlyRoot

I looked forever in the wrong places using debconf as  search criteria
since that is

where the issue is (IMO).   There are some clues in the apt.conf
manpage, but no index

of allowable directives.

There appears to be an index of allowable directives at
https://github.com/szaydel/Rigel-Major/blob/master/config-files/apt.conf

Like most things you have to know where and how to ask.

The directives are also available with: apt-config dump.

The manpage for apt-config is less than helpful in this instance.

For dump it says: Just show the contents of the configuration space.
which is helpful if you know that the directives are in the contents of
the configuration space,

otherwise, not so much.


I guess that leaves me to create a new partition on each machine to use
as /var/tmp.


Thank you again.

Ken