Apt doesn't handle when /tmp is mounted noexec

Bug #544693 reported by Charles Burns
This bug affects 2 people
Affects: apt (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Mounting /tmp noexec is a somewhat common practice for security reasons. Many script kiddies will paste code they found into /tmp somehow, compile it, and run it.

Apt doesn't seem to handle this at all, either through checks to see if /tmp is mounted "exec", or through warnings to the user.

Sample output while installing "linux-image-preempt"

/usr/sbin/mkinitramfs: 329: /tmp/mkinitramfs_Ai7L1U/scripts/init-bottom/udev: Permission denied
/usr/sbin/mkinitramfs: 329: /tmp/mkinitramfs_Ai7L1U/scripts/init-top/all_generic_ide: Permission denied
/usr/sbin/mkinitramfs: 329: /tmp/mkinitramfs_Ai7L1U/scripts/init-top/blacklist: Permission denied

Gabe Gorelick (gabegorelick) wrote :

This seems to be known behavior. See http://www.debian-administration.org/article/Making_/tmp_non-executable for more info. That link suggests adding

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

to /etc/apt/apt.conf so that /tmp is temporarily remounted as executable before packages are installed.

affects: ubuntu → apt (Ubuntu)
Changed in apt (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

Not a bug in APT. APT does not use /tmp, packages installed by APT do it.

Changed in apt (Ubuntu):
status: Confirmed → Invalid
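
Added example (not part of the bug report and not APT code): the report notes that nothing checks whether /tmp is mounted "exec" before package scripts are run from it. The shell functions below do that check by finding the mount entry that holds a given path and looking for the noexec option; the function names `mount_opts_for` and `exec_status` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the filesystem holding PATH mounted noexec?
# Input is /proc/mounts-format text: device mountpoint fstype options dump pass.

# mount_opts_for PATH [MOUNTS_FILE]   ("-" reads standard input)
# Prints the options of the longest mount point that contains PATH.
# If a mount point is listed more than once, the last (topmost) entry wins.
mount_opts_for() {
    path=${1%/}
    [ -n "$path" ] || path=/
    awk -v p="$path" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)   # the kernel writes spaces as \040
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { if (best) print opts; else exit 1 }
    ' "${2:-/proc/mounts}"
}

# exec_status PATH [MOUNTS_FILE]: prints noexec, exec, or unknown.
exec_status() {
    if opts=$(mount_opts_for "$@"); then
        case ",$opts," in
            *,noexec,*) echo noexec ;;
            *)          echo exec ;;
        esac
    else
        echo unknown
    fi
}

# Constructed sample mount table, not taken from the reporter's machine.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0'

# Demo: the mkinitramfs working directory from the report, against the sample.
printf '%s\n' "$SAMPLE_MOUNTS" | exec_status /tmp/mkinitramfs_Ai7L1U/scripts -
```

On a live system, `exec_status /tmp` with no second argument reads /proc/mounts.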