[Debconf-devel] Bug#223683: preconfiguring is unhappy when /tmp is noexec
sacrificial-spam-address at horizon.com
sacrificial-spam-address at horizon.com
Sun Feb 17 23:47:17 UTC 2008
Package: debconf
Version: 1.5.19
Just a "me, too" note to keep the bug fresh.
Just to make life a little bit more difficult for canned exploits on a
web server, I've tried to eliminate directories where daemon users have
both write and exec ability. In particular, /tmp is mounted noexec.
That, however, makes preconfiguring packages unhappy:
Preconfiguring packages ...
Can't exec "/tmp/libc6.config.32281": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libc6.config.32281 configure 2.7-6 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libc6 failed to preconfigure, with exit status 9
Can't exec "/tmp/libssl0.9.8.config.32283": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libssl0.9.8.config.32283 configure 0.9.8g-4 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libssl0.9.8 failed to preconfigure, with exit status 9
Can't exec "/tmp/tasksel.config.32285": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/tasksel.config.32285 configure 2.71 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
tasksel failed to preconfigure, with exit status 9
Can't exec "/tmp/locales.config.32287": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/locales.config.32287 configure 2.7-7 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
locales failed to preconfigure, with exit status 9
Can't exec "/tmp/openssh-server.config.32289": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/openssh-server.config.32289 configure 1:4.7p1-3 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
openssh-server failed to preconfigure, with exit status 9
Can't exec "/tmp/ca-certificates.config.322811": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/ca-certificates.config.322811 configure 20070303 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
ca-certificates failed to preconfigure, with exit status 9
Can't exec "/tmp/hddtemp.config.32591": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/hddtemp.config.32591 configure 0.3-beta15-38 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
hddtemp failed to preconfigure, with exit status 9
To debconf's credit, it survives and configures later, so it's mostly
just ugly.
Possible solutions:
- Just disable preconfiguration if /tmp is noexec
(Downside: preconfiguration reduces server down-time when upgrading services.)
- Use a subdirectry of /var/lib/dpkg
(Downside: need to clean up aborted installs manually.)
- Parse #! line manually
(Downside: the famous security race condition.)
More information about the Debconf-devel
mailing list