Debian
debconf package

When /tmp is mounted noexec, preconfigure fails

Bug #90085 reported by Ace Suares
136
This bug affects 21 people
Affects Status Importance Assigned to Milestone
debconf (Debian)
Fix Released
Unknown
debconf (Ubuntu)
Fix Released
Wishlist
Unassigned

Bug Description

Binary package hint: mysql-server

/tmp mounted noexec, this ensues:

Preconfiguring packages ...
Can't exec "/tmp/mysql-server-5.0.config.89611": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/mysql-server-5.0.config.89611 configure failed at /usr/share/perl5/Debconf/ConfModule.pm line 57
mysql-server-5.0 failed to preconfigure, with exit status 2

ace

See original description
Revision history for this message
In , Tollef Fog Heen (tfheen) wrote :

 > I't like to have a possibility to define temporary directory for
 > installing packages, at least for running install/rm scripts.

 > The best way for that imho would be an option to dpkg (--tmpdir ?).

I'm not sure what you want a temporary directory for, postinst scripts
can use tmpdir(1), or you might be looking for --root?

Please give us feedback so we can get an understanding of what you are
trying to accomplish.

- tfheen

Revision history for this message
In , Matus UHLAR - fantomas (uhlar) wrote : Re: Bug#223683: define temporary directory install/rm scripts

On 12.05 22:20, Tollef Fog Heen wrote:
+> > I't like to have a possibility to define temporary directory for
> > installing packages, at least for running install/rm scripts.
>
> > The best way for that imho would be an option to dpkg (--tmpdir ?).
>
> I'm not sure what you want a temporary directory for, postinst scripts
> can use tmpdir(1), or you might be looking for --root?
>
> Please give us feedback so we can get an understanding of what you are
> trying to accomplish.

my problem is, I (want to) have /tmp mounted with noexec option, because of
security reasons.

dpkg extracts preconfigure scripts into /tmp. in such case I get these
errors:

Preconfiguring packages ...
Can't exec "/tmp/config.48531": Permission denied at
/usr/share/perl/5.6.1/IPC/Open3.pm line 159.
open2: exec of /tmp/config.48531 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 44
xinetd failed to preconfigure, with exit status 255

So I'd invite configuration option which would extract those scripts into
a directory where exec is allowed.
--
Matus UHLAR - fantomas, <email address hidden> ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Revision history for this message
In , Frank Lichtenheld (djpig) wrote : reassign 223683 to debconf

# Automatically generated email from bts, devscripts version 2.9.7
 # preconfiguration is handled by dpkg-preconfigure which is part of debconf...
reassign 223683 debconf

Revision history for this message
In , Joey Hess (joeyh) wrote : merging 223683 272430, retitle 223683 to useless noexec option broken further by debconf

# Automatically generated email from bts, devscripts version 2.9.8
merge 223683 272430
retitle 223683 useless noexec option broken further by debconf

Revision history for this message
In , Joey Hess (joeyh) wrote : merging 358820 272430

# Automatically generated email from bts, devscripts version 2.9.15
merge 358820 272430

Revision history for this message
Ace Suares (acesuares) wrote :

Binary package hint: mysql-server

/tmp mounted noexec, this ensues:

Preconfiguring packages ...
Can't exec "/tmp/mysql-server-5.0.config.89611": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/mysql-server-5.0.config.89611 configure failed at /usr/share/perl5/Debconf/ConfModule.pm line 57
mysql-server-5.0 failed to preconfigure, with exit status 2

ace

Revision history for this message
Hans (hansomli) wrote :

I'm not an expert, but I'd try adding these two lines to /etc/apt/apt.conf:
   DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
   DPkg::Post-Invoke {"mount -o remount /tmp";};

This should remount /tmp as exec long enough for preconfigure packages with apt, then remount again as noexec after finished installing.

Alternately, I believe something like this would work as well in case you'd prefer to avoid remounting.
   APT::ExtractTemplates::TempDir "/var/tmp";

(In this case, /var/tmp would have to be mounted as exec though.)

Revision history for this message
Mathias Gug (mathiaz) wrote :

This has nothing to do with mysql-dfsg-5.0 package. It may be an issue with dpkg.

Revision history for this message
Ian Jackson (ijackson) wrote :

ConfModule.pm is part of debconf. However, I suspect that the debconf developers will say that running with /tmp noexec is not supported. Ie, Don't Do That Then.

Revision history for this message
Colin Watson (cjwatson) wrote :

Precisely so: don't do that. It's not like noexec actually buys you any real security, as the system is riddled with workarounds for it (e.g. you can trivially execute a non-executable script in most scripting languages simply by explicitly using the interpreter name).

Changed in debconf:
importance: Undecided → Wishlist
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in debconf:
status: Unknown → Confirmed
Revision history for this message
In , Sacrificial-spam-address (sacrificial-spam-address) wrote : preconfiguring is unhappy when /tmp is noexec

Package: debconf
Version: 1.5.19

Just a "me, too" note to keep the bug fresh.

Just to make life a little bit more difficult for canned exploits on a
web server, I've tried to eliminate directories where daemon users have
both write and exec ability. In particular, /tmp is mounted noexec.

That, however, makes preconfiguring packages unhappy:

Preconfiguring packages ...
Can't exec "/tmp/libc6.config.32281": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libc6.config.32281 configure 2.7-6 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libc6 failed to preconfigure, with exit status 9
Can't exec "/tmp/libssl0.9.8.config.32283": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/libssl0.9.8.config.32283 configure 0.9.8g-4 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
libssl0.9.8 failed to preconfigure, with exit status 9
Can't exec "/tmp/tasksel.config.32285": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/tasksel.config.32285 configure 2.71 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
tasksel failed to preconfigure, with exit status 9
Can't exec "/tmp/locales.config.32287": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/locales.config.32287 configure 2.7-7 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
locales failed to preconfigure, with exit status 9
Can't exec "/tmp/openssh-server.config.32289": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/openssh-server.config.32289 configure 1:4.7p1-3 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
openssh-server failed to preconfigure, with exit status 9
Can't exec "/tmp/ca-certificates.config.322811": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/ca-certificates.config.322811 configure 20070303 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
ca-certificates failed to preconfigure, with exit status 9
Can't exec "/tmp/hddtemp.config.32591": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/hddtemp.config.32591 configure 0.3-beta15-38 failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
hddtemp failed to preconfigure, with exit status 9

To debconf's credit, it survives and configures later, so it's mostly
just ugly.

Possible solutions:
- Just disable preconfiguration if /tmp is noexec
  (Downside: preconfiguration reduces server down-time when upgrading services.)
- Use a subdirectry of /var/lib/dpkg
  (Downside: need to clean up aborted installs manually.)
- Parse #! line manually
  (Downside: the famous security race condition.)

Revision history for this message
In , Colin Watson (cjwatson) wrote : Re: Bug#481295: Preconfiguring of openssh-servers fails due to mount option "noexec" on /tmp

reassign 481295 debconf
forcemerge 223683 481295
thanks

On Thu, May 15, 2008 at 08:05:44AM +0200, Meinhard Schneider wrote:
> Package: openssh-server
> Version: 1:4.3p2-9etch1
> Severity: important
>
> Just updated openssh-* and got this message:
> [...]
> Preconfiguring packages ...
> Can't exec "/tmp/openssh-server.config.35001": Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
> open2: exec of /tmp/openssh-server.config.35001 configure 1:4.3p2-9 failed at /usr/share/perl5/Debconf/ConfModule.pm line 58
> openssh-server failed to preconfigure, with exit status 9
> [...]

This is a well-known and long-standing behaviour of debconf, and not
anything that openssh itself is doing specially. Note that the noexec
option is fairly useless for security purposes (except to slow people
down a little bit) as you could in principle just run the script
manually through an appropriate interpreter.

> I believe it is legal to mount /tmp without binary exec support for
> security improvement. Executing scripts from /tmp is IMHO a very bad
> idea.

If you want to do this, you need to remount it exec while installing
Debian packages.

Cheers,

--
Colin Watson [<email address hidden>]

Revision history for this message
Martino Dell'Ambrogio (tillo) wrote :

Please let the user decide if using a /tmp noexec mount point is more secure or not.
I think it is, for many reasons, and I'm a security analyst. Of course it can bring a false sense of security, like everything else, but do we give up firewalls, IDS and even passwords for the same reason? No security system is flawless -- but more security systems can increase the security anyway.

We could discuss that for weeks, but I think that debconf should at least read the TEMP or TEMPDIR environment variable and always use that directory for temporary files, no matter the reason.

If there already is a way to make debconf use another directory instead of /tmp, please let me know and close this bug report accordingly.

Revision history for this message
GiuseppeVerde (launchpad-digitasaru) wrote :

Seconded. I've seen and been annoyed by the horkage. Ogres, onions, and security all have layers.

Revision history for this message
In , Joey Hess (joeyh) wrote : forcibly merging 223683 522882 319023

forcemerge 223683 522882 319023

Revision history for this message
In , Wesley Schwengle (wesleys) wrote : Re: define temporary directory install/rm scripts

I have the same problem.

Can't exec "/tmp/sun-java5-jre.config.100721": Permission denied at
/usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /tmp/sun-java5-jre.config.100721 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 59
sun-java5-jre failed to preconfigure, with exit status 255

Can't exec "/tmp/sun-java5-bin.config.100723": Permission denied at
/usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /tmp/sun-java5-bin.config.100723 configure failed at
/usr/share/perl5/Debconf/ConfModule.pm line 59
sun-java5-bin failed to preconfigure, with exit status 255

I also have /tmp with noexec:
tmpfs on /tmp type tmpfs (rw,noexec,nosuid)

Revision history for this message
In , Colin Watson (cjwatson) wrote : severity of 566247 is normal, merging 223683 566247

# Automatically generated email from bts, devscripts version 2.10.35lenny7
severity 566247 normal
merge 223683 566247

Revision history for this message
Mike (mike-fdb) wrote :

What exactly ConfModule.pm do on "preconfigure" stage and why running from /tmp is necessary?

Revision history for this message
Brian Gernhardt (benji-silverinsanity) wrote :

In shared hosting environments, even root may not have control over mount points, so "Don't do that" and "noexec is useless" are not useful replies.

  APT::ExtractTemplates::TempDir "/var/tmp";

Is useful, however. Thank you, Hans. (In my case, /var/tmp is also noexec, but I can set it to something else completely.)

Revision history for this message
John Paul Adrian Glaubitz (glaubitz) wrote :

> Please let the user decide if using a /tmp noexec mount point is more secure or not.

That doesn't even make sense. It's a fact that mounting /tmp with "noexec" doesn't give you any extra security simply because you can simply circumvent it by invoking the executable with the help of the dynamic Linux loader.

Anyone who wants to run an exploit can just run "lib64/ld-linux-x86-64.so.2 /tmp/bla" instead of just "/tmp/bla" and it will just work. For scripts, you just invoke them through their interpreter.

Adrian

Revision history for this message
Martino Dell'Ambrogio (tillo) wrote :

> by invoking the executable with the help of the dynamic Linux loader.

Although you are right, in real world vulnerability exploitation you often don't control much of the environment, sometimes even the way an executable gets executed.

The reason most people mount tmp with noexec is that it is world writable. Thanks to that, even services with explicit reduced rights can leverage the file system when remotely exploiting a vulnerability.

By using noexec (and nodev, nosuid...) you add security. You don't make it impossible to exploit, you make it more difficult.
Why do you think ASLR, DEP and many other protection techniques are still very much in use, while they are constantly circumvented ? Difficulty of exploitation is one of the major points of risk management. With a bit of effort, you grow the resources needed to exploit a vulnerability, which in turn makes it less likely to be exploited.

While comment #19 already stated a valid workaround for this bug, it would really be a good sign if security aware parties would join the discussion... even after 8 years.

Revision history for this message
robogeek (david-9ei9n) wrote :

I found this discussion / bug thread while looking for a solution to an inability to install packages on a VPS in my Dreamhost account.

Dreamhost has /tmp mounted with noexec and there's some kind of permission preventing me from remounting it to turn off noexec.

I don't know the ins and outs of whether it's a good idea or not to make /tmp noexec, whether it adds more security or not. Fact is that Dreamhost chose to set up their VPS's so /tmp is noexec and to prevent us from changing that setting.

This same configuration choice already tripped me up yesterday while trying to install PECL packages ... and there's a workaround in PECL to configure a different tempdir.

Thankfully the configuration setting in #19 does the trick.

Revision history for this message
Stefan Tauner (stefanct) wrote :

My workaround uses a dedicated directory for apt that is noexec as well but becomes temporally during installs:

/etc/fstab:

    tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
    tmpfs /var/tmp/apt tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0

/etc/apt/apt.conf.d/71tmpapt (or whatever):

    DPkg
    {
       Pre-Invoke { "mount /var/tmp/apt -o remount,exec" };
       Post-Invoke { "mount /var/tmp/apt -o remount,noexec" };
    };

    APT::ExtractTemplates::TempDir "/var/tmp/apt";

Since the mount point must(?) exist for any mount point specified in /etc/fstab I put the apt dir into /var/tmp because its contents are persistent (unlike /tmp's). It's not very throughly tested yet... ymmv.

Revision history for this message
Jeff (jblainemitre) wrote :

On Ubuntu 18.04 with noexec on /tmp running 'apt-get install -y selinux' and then doing a required reboot will give you a non-booting host.

As an aside, the same security guidance (CIS Benchmarks for one) about noexec on /tmp should be applied to /var/tmp, so changing APT::ExtractTemplates::TempDir to "/var/tmp"; isn't really an option here in the long run.

Revision history for this message
Dave Jones (waveform) wrote :

@jblainemitre indeed - but presumably one can pick any directory? I'm assuming there's no particular requirement that the selected dir is world-writeable like /tmp and /var/tmp (or at least there doesn't seem to be in my setup?)

Bug Watch Updater (bug-watch-updater)
Changed in debconf (Debian):
status: Confirmed → Fix Committed
Bug Watch Updater (bug-watch-updater)
Changed in debconf (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debconf - 1.5.82

---------------
debconf (1.5.82) unstable; urgency=medium

  * Bump debhelper from old 12 to 13.
  * Don't remove /var/cache/debconf/tmp.ci, to avoid warnings if it's a
    mountpoint (closes: #1028128).

 -- Colin Watson <email address hidden> Sun, 08 Jan 2023 21:50:51 +0000

Changed in debconf (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.