When /tmp is mounted noexec, preconfigure fails

Bug #90085 reported by Ace Suares on 2007-03-06
This bug affects 16 people
Affects            Status      Importance   Assigned to   Milestone
debconf (Debian)   Confirmed   Unknown
debconf (Ubuntu)               Wishlist     Unassigned

Bug Description

Binary package hint: mysql-server

/tmp mounted noexec, this ensues:

Preconfiguring packages ...
Can't exec "/tmp/mysql-server-5.0.config.89611": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/mysql-server-5.0.config.89611 configure failed at /usr/share/perl5/Debconf/ConfModule.pm line 57
mysql-server-5.0 failed to preconfigure, with exit status 2

ace

 > I'd like to have a possibility to define temporary directory for
 > installing packages, at least for running install/rm scripts.

 > The best way for that imho would be an option to dpkg (--tmpdir ?).

I'm not sure what you want a temporary directory for, postinst scripts
can use tmpdir(1), or you might be looking for --root?

Please give us feedback so we can get an understanding of what you are
trying to accomplish.

- tfheen

On 12.05 22:20, Tollef Fog Heen wrote:
> > I'd like to have a possibility to define temporary directory for
> > installing packages, at least for running install/rm scripts.
>
> > The best way for that imho would be an option to dpkg (--tmpdir ?).
>
> I'm not sure what you want a temporary directory for, postinst scripts
> can use tmpdir(1), or you might be looking for --root?
>
> Please give us feedback so we can get an understanding of what you are
> trying to accomplish.

my problem is, I (want to) have /tmp mounted with noexec option, because of
security reasons.

dpkg extracts preconfigure scripts into /tmp. in such case I get these
errors:

Preconfiguring packages ...
Can't exec "/tmp/config.48531": Permission denied at
/usr/share/perl/5.6.1/IPC/Open3.pm line 159.
open2: exec of /tmp/config.48531 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
xinetd failed to preconfigure, with exit status 255

So I'd invite configuration option which would extract those scripts into
a directory where exec is allowed.
--
Matus UHLAR - fantomas, <email address hidden> ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !

# Automatically generated email from bts, devscripts version 2.9.7
 # preconfiguration is handled by dpkg-preconfigure which is part of debconf...
reassign 223683 debconf

# Automatically generated email from bts, devscripts version 2.9.8
merge 223683 272430
retitle 223683 useless noexec option broken further by debconf

# Automatically generated email from bts, devscripts version 2.9.15
merge 358820 272430

Hans (hansomli) wrote :

I'm not an expert, but I'd try adding these two lines to /etc/apt/apt.conf:
   DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
   DPkg::Post-Invoke {"mount -o remount /tmp";};

This should remount /tmp as exec long enough to preconfigure packages with apt, then remount it as noexec after installing has finished.

Alternately, I believe something like this would work as well in case you'd prefer to avoid remounting.
   APT::ExtractTemplates::TempDir "/var/tmp";

(In this case, /var/tmp would have to be mounted as exec though.)

Mathias Gug (mathiaz) wrote :

This has nothing to do with mysql-dfsg-5.0 package. It may be an issue with dpkg.

Ian Jackson (ijackson) wrote :

ConfModule.pm is part of debconf. However, I suspect that the debconf developers will say that running with /tmp noexec is not supported. Ie, Don't Do That Then.

Colin Watson (cjwatson) wrote :

Precisely so: don't do that. It's not like noexec actually buys you any real security, as the system is riddled with workarounds for it (e.g. you can trivially execute a non-executable script in most scripting languages simply by explicitly using the interpreter name).

Changed in debconf:
importance: Undecided → Wishlist
status: New → Triaged
Changed in debconf:
status: Unknown → Confirmed

Package: debconf
Version: 1.5.19

Just a "me, too" note to keep the bug fresh.

Just to make life a little bit more difficult for canned exploits on a
web server, I've tried to eliminate directories where daemon users have
both write and exec ability. In particular, /tmp is mounted noexec.

That, however, makes preconfiguring packages unhappy:

Preconfiguring packages ...
Can't exec "/tmp/libc6.config.32281": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libc6.config.32281 configure 2.7-6 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libc6 failed to preconfigure, with exit status 9
Can't exec "/tmp/libssl0.9.8.config.32283": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libssl0.9.8.config.32283 configure 0.9.8g-4 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libssl0.9.8 failed to preconfigure, with exit status 9
Can't exec "/tmp/tasksel.config.32285": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/tasksel.config.32285 configure 2.71 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
tasksel failed to preconfigure, with exit status 9
Can't exec "/tmp/locales.config.32287": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/locales.config.32287 configure 2.7-7 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
locales failed to preconfigure, with exit status 9
Can't exec "/tmp/openssh-server.config.32289": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/openssh-server.config.32289 configure 1:4.7p1-3 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
openssh-server failed to preconfigure, with exit status 9
Can't exec "/tmp/ca-certificates.config.322811": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/ca-certificates.config.322811 configure 20070303 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
ca-certificates failed to preconfigure, with exit status 9
Can't exec "/tmp/hddtemp.config.32591": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/hddtemp.config.32591 configure 0.3-beta15-38 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
hddtemp failed to preconfigure, with exit status 9

To debconf's credit, it survives and configures later, so it's mostly
just ugly.

Possible solutions:
- Just disable preconfiguration if /tmp is noexec
  (Downside: preconfiguration reduces server down-time when upgrading services.)
- Use a subdirectory of /var/lib/dpkg
  (Downside: need to clean up aborted installs manually.)
- Parse #! line manually
  (Downside: the famous security race condition.)

reassign 481295 debconf
forcemerge 223683 481295
thanks

On Thu, May 15, 2008 at 08:05:44AM +0200, Meinhard Schneider wrote:
> Package: openssh-server
> Version: 1:4.3p2-9etch1
> Severity: important
>
> Just updated openssh-* and got this message:
> [...]
> Preconfiguring packages ...
> Can't exec "/tmp/openssh-server.config.35001": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
> open2: exec of /tmp/openssh-server.config.35001 configure 1:4.3p2-9 failed at /usr/share/perl5/Debconf/ConfModule.pm line 58
> openssh-server failed to preconfigure, with exit status 9
> [...]

This is a well-known and long-standing behaviour of debconf, and not
anything that openssh itself is doing specially. Note that the noexec
option is fairly useless for security purposes (except to slow people
down a little bit) as you could in principle just run the script
manually through an appropriate interpreter.

> I believe it is legal to mount /tmp without binary exec support for
> security improvement. Executing scripts from /tmp is IMHO a very bad
> idea.

If you want to do this, you need to remount it exec while installing
Debian packages.

Cheers,

--
Colin Watson [<email address hidden>]

Martino Dell'Ambrogio (tillo) wrote :

Please let the user decide if using a /tmp noexec mount point is more secure or not.
I think it is, for many reasons, and I'm a security analyst. Of course it can bring a false sense of security, like everything else, but do we give up firewalls, IDS and even passwords for the same reason? No security system is flawless -- but more security systems can increase the security anyway.

We could discuss that for weeks, but I think that debconf should at least read the TEMP or TEMPDIR environment variable and always use that directory for temporary files, no matter the reason.

If there already is a way to make debconf use another directory instead of /tmp, please let me know and close this bug report accordingly.

Seconded. I've seen and been annoyed by the horkage. Ogres, onions, and security all have layers.

forcemerge 223683 522882 319023

I have the same problem.

Can't exec "/tmp/sun-java5-jre.config.100721": Permission denied at
/usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /tmp/sun-java5-jre.config.100721 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 59
sun-java5-jre failed to preconfigure, with exit status 255

Can't exec "/tmp/sun-java5-bin.config.100723": Permission denied at
/usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /tmp/sun-java5-bin.config.100723 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 59
sun-java5-bin failed to preconfigure, with exit status 255

I also have /tmp with noexec:
tmpfs on /tmp type tmpfs (rw,noexec,nosuid)

# Automatically generated email from bts, devscripts version 2.10.35lenny7
severity 566247 normal
merge 223683 566247

Mike (mike-fdb) wrote :

What exactly does ConfModule.pm do at the "preconfigure" stage, and why is running from /tmp necessary?

In shared hosting environments, even root may not have control over mount points, so "Don't do that" and "noexec is useless" are not useful replies.

  APT::ExtractTemplates::TempDir "/var/tmp";

Is useful, however. Thank you, Hans. (In my case, /var/tmp is also noexec, but I can set it to something else completely.)

> Please let the user decide if using a /tmp noexec mount point is more secure or not.

That doesn't even make sense. It's a fact that mounting /tmp with "noexec" doesn't give you any extra security simply because you can simply circumvent it by invoking the executable with the help of the dynamic Linux loader.

Anyone who wants to run an exploit can just run "lib64/ld-linux-x86-64.so.2 /tmp/bla" instead of just "/tmp/bla" and it will just work. For scripts, you just invoke them through their interpreter.

Adrian

Martino Dell'Ambrogio (tillo) wrote :

> by invoking the executable with the help of the dynamic Linux loader.

Although you are right, in real world vulnerability exploitation you often don't control much of the environment, sometimes even the way an executable gets executed.

The reason most people mount tmp with noexec is that it is world writable. Thanks to that, even services with explicit reduced rights can leverage the file system when remotely exploiting a vulnerability.

By using noexec (and nodev, nosuid...) you add security. You don't make it impossible to exploit, you make it more difficult.
Why do you think ASLR, DEP and many other protection techniques are still very much in use, while they are constantly circumvented? Difficulty of exploitation is one of the major points of risk management. With a bit of effort, you grow the resources needed to exploit a vulnerability, which in turn makes it less likely to be exploited.

While comment #19 already stated a valid workaround for this bug, it would really be a good sign if security aware parties would join the discussion... even after 8 years.

robogeek (david-9ei9n) wrote :

I found this discussion / bug thread while looking for a solution to an inability to install packages on a VPS in my Dreamhost account.

Dreamhost has /tmp mounted with noexec and there's some kind of permission preventing me from remounting it to turn off noexec.

I don't know the ins and outs of whether it's a good idea or not to make /tmp noexec, whether it adds more security or not. Fact is that Dreamhost chose to set up their VPS's so /tmp is noexec and to prevent us from changing that setting.

This same configuration choice already tripped me up yesterday while trying to install PECL packages ... and there's a workaround in PECL to configure a different tempdir.

Thankfully the configuration setting in #19 does the trick.

Stefan Tauner (stefanct) wrote :

My workaround uses a dedicated directory for apt that is noexec as well but becomes exec temporarily during installs:

/etc/fstab:

    tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
    tmpfs /var/tmp/apt tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0

/etc/apt/apt.conf.d/71tmpapt (or whatever):

    DPkg
    {
       Pre-Invoke { "mount /var/tmp/apt -o remount,exec" };
       Post-Invoke { "mount /var/tmp/apt -o remount,noexec" };
    };

    APT::ExtractTemplates::TempDir "/var/tmp/apt";

Since the mount point must(?) exist for any mount point specified in /etc/fstab I put the apt dir into /var/tmp because its contents are persistent (unlike /tmp's). It's not very thoroughly tested yet... ymmv.
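
The workarounds in this thread only help if the directory given to APT::ExtractTemplates::TempDir is not itself on a noexec mount (one commenter's /var/tmp was). The following check is an added example, not part of any comment above and not debconf or apt code; the function names and the sample mount table are constructed for illustration, and the longest-prefix lookup goes beyond the thread by working for any path.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts layout (device, mount point, type, options),
# modelled on the fstab lines quoted in the thread; not captured from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=524288k 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
tmpfs /var/tmp/apt tmpfs rw,nosuid,nodev,noexec,noatime,size=524288k 0 0'

# mount_opts_for DIR [MOUNTS_FILE]  (hypothetical helper name)
# Print the options of the mount holding DIR: the entry whose mount point is
# the longest whole-component prefix of DIR. Later entries win ties (over-mounts).
mount_opts_for() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    awk -v d="$dir" '
        $2 == "/" || d == $2 || index(d, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { if (opts == "") exit 1; print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec DIR [MOUNTS_FILE]: 0 = noexec, 1 = exec allowed, 2 = no mount found.
is_noexec() {
    opts=$(mount_opts_for "$1" "${2:-/proc/mounts}") || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tempdir DIR [MOUNTS_FILE]: verdict for a candidate
# APT::ExtractTemplates::TempDir value.
check_tempdir() {
    if is_noexec "$1" "${2:-/proc/mounts}"; then
        echo "noexec"
    else
        case $? in
            1) echo "exec" ;;
            *) echo "unknown" ;;
        esac
    fi
}

# Stand-alone use against the live mount table, e.g.: sh check.sh /var/tmp/apt
[ $# -eq 0 ] || check_tempdir "$1"
```

Mount points containing spaces appear escaped (`\040`) in /proc/mounts and are not handled by this sketch.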
