Comment 23 for bug 90085

Stefan Tauner (stefanct) wrote :

My workaround uses a dedicated directory for apt that is noexec as well but becomes exec temporarily during installs:

/etc/fstab:

    tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
    tmpfs /var/tmp/apt tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0

/etc/apt/apt.conf.d/71tmpapt (or whatever):

    // Make the apt temp dir executable only while dpkg runs
    DPkg
    {
       Pre-Invoke { "mount /var/tmp/apt -o remount,exec"; };
       Post-Invoke { "mount /var/tmp/apt -o remount,noexec"; };
    };

    APT::ExtractTemplates::TempDir "/var/tmp/apt";

Since the mount point must(?) exist for any mount point specified in /etc/fstab I put the apt dir into /var/tmp because its contents are persistent (unlike /tmp's). It's not very thoroughly tested yet... ymmv.
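The workaround above only helps if the Post-Invoke hook actually puts noexec back after every dpkg run. As an added example (not part of the comment or of apt), here is a small POSIX sh check that parses /proc/mounts-style lines and reports which of the listed mount points are missing noexec; the mount table is a constructed snapshot in which /var/tmp/apt was left exec.

```shell
#!/bin/sh
# Added example, not from the original comment: verify that the tmpfs mounts
# the workaround relies on are mounted noexec, by parsing /proc/mounts lines.

# Constructed /proc/mounts snapshot (not captured from a real host): /tmp is
# locked down, /var/tmp/apt was left exec as after a failed Post-Invoke hook.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=524288k,mode=1777 0 0
tmpfs /var/tmp/apt tmpfs rw,nosuid,nodev,noatime,size=524288k,mode=1777 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# mount_has_opt MOUNTS MOUNTPOINT OPTION -> exit 0 if OPTION is set on MOUNTPOINT
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# noexec_status MOUNTS MOUNTPOINT -> prints "noexec" or "EXEC"
noexec_status() {
    if mount_has_opt "$1" "$2" noexec; then echo noexec; else echo EXEC; fi
}

# check_all MOUNTS MOUNTPOINT... -> exit 0 only if every mount point is noexec
check_all() {
    mounts=$1; shift; rc=0
    for mp in "$@"; do
        s=$(noexec_status "$mounts" "$mp")
        echo "$mp: $s"
        [ "$s" = noexec ] || rc=1
    done
    return $rc
}

check_all "$SAMPLE_MOUNTS" /tmp /var/tmp/apt || echo "WARNING: a mount is missing noexec"
```

On a live system, replace the constructed snapshot with `$(cat /proc/mounts)`, for example from a cron job or right after an apt run.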