If /var/tmp is mounted with noexec the scripts skip the copy of some files
Bug #1791241 reported by StarAurryon

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cryptsetup (Ubuntu) | Triaged | Wishlist | Unassigned | |
Bug Description
Hello,
Hardening guides (Securing Debian, CIS, etc.) advise to mount /dev/tmp with the noexec option. Initramfs hooks are using the /usr/bin/test utility to check if a file is executable to manage dependencies (if [ ! -x /myfile ]; then) and copy new files. Therefore, if /dev/tmp is mounted with noexec, the test utility returns false instead of true, which breaks the logic.
How should we handle this case? Is ubuntu officially supporting hardening (I think so as Debian is doing it)?
Regards,
Aurryon
It is reasonable to request that these hooks use -e instead of -x for maximum compatibility. However:
> Is ubuntu officially supporting hardening (I think so as Debian is doing it)?
No. The existence of third-party "hardening" guides does not translate to Ubuntu supporting this configuration. dpkg itself relies *extensively* on the ability to execute scripts from /tmp, as described at <https://askubuntu.com/questions/574259/will-mounting-tmp-with-noexec-and-nosuid-cause-problems>.
You mention the Securing Debian HOWTO, which does not say that this is recommended or mandatory for securing a system, and specifically calls out problems with noexec /tmp and the package manager: <https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10> (The linked bug is closed with a recommended workaround. If you were using that workaround, you would not be having problems with cryptsetup's hooks, since initramfs-tools also respects TMPDIR.)
And these hooks come from Debian as-is. So this is no more supported by the cryptsetup package in Debian than it is in Ubuntu.
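The TMPDIR workaround the comment points to, as an added example that is not from the bug report or from cryptsetup's hooks: a POSIX sh helper that finds the mount holding a directory in a /proc/self/mounts-style table and picks the first candidate that is not mounted noexec. The mounts table SAMPLE_MOUNTS is a constructed sample and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or cryptsetup's hooks): find the
# mount that holds a directory and refuse it for TMPDIR if it is noexec.
# Assumes a table in /proc/self/mounts format; SAMPLE_MOUNTS is constructed.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /var/tmp/build ext4 rw 0 0'

# Print the options of the longest mount point that is a prefix of $1,
# reading the mounts table from $2 (a later entry wins on equal length,
# as an overmount would).
mount_options_for() {
    path=$1; best=''; bestopts=''
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = / ]; then match=1
        else case "$path" in "$mnt"|"$mnt"/*) match=1 ;; *) match=0 ;; esac
        fi
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt; bestopts=$opts
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$bestopts"
}

# Succeed (exit 0) when $1 lives on a mount carrying the noexec option.
is_noexec() {
    case ",$(mount_options_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory ($2...) not on a noexec mount, for use
# as TMPDIR (which initramfs-tools honours); fail if none qualifies.
choose_tmpdir() {
    table=$1; shift
    for d in "$@"; do
        if ! is_noexec "$d" "$table"; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}
# Stand-alone demonstration against the constructed table.
choose_tmpdir "$SAMPLE_MOUNTS" /tmp /var/tmp /var/tmp/build
```

On a real system, pass the contents of /proc/self/mounts as the table instead of SAMPLE_MOUNTS and export the chosen directory as TMPDIR before running update-initramfs.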