If /var/tmp is mounted with noexec the scripts skip the copy of some files

Bug #1791241 reported by StarAurryon
Affects: cryptsetup (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hello,

Hardening guides (Securing Debian, CIS, etc.) advise mounting /dev/tmp with the noexec option. Initramfs hooks use the /usr/bin/test utility to check whether a file is executable in order to manage dependencies (if [ ! -x /myfile ]; then) and copy new files. Therefore, if /dev/tmp is mounted with noexec, the test utility returns false instead of true, which breaks the logic.

How should we handle this case? Is Ubuntu officially supporting hardening (I think so, as Debian is doing it)?

Regards,

Aurryon

Steve Langasek (vorlon) wrote:

It is reasonable to request that these hooks use -e instead of -x for maximum compatibility. However:

> Is ubuntu officially supporting hardening (I think so as Debian is doing it)?

No. The existence of third-party "hardening" guides does not translate to Ubuntu supporting this configuration. dpkg itself relies *extensively* on the ability to execute scripts from /tmp, as described at <https://askubuntu.com/questions/574259/will-mounting-tmp-with-noexec-and-nosuid-cause-problems>.

You mention the Securing Debian HOWTO, which does not say that this is recommended or mandatory for securing a system, and specifically calls out problems with noexec /tmp and the package manager.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10 (The linked bug is closed with a recommended workaround. If you were using that workaround, you would not be having problems with cryptsetup's hooks, since initramfs-tools also respects TMPDIR.)

And these hooks come from Debian as-is. So this is no more supported by the cryptsetup package in Debian than it is in Ubuntu.

Changed in cryptsetup (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
StarAurryon (staraurryon) wrote:

I now understand your viewpoint. Thanks a lot.

After some research, I found that setting the environment variable TMPDIR to /tmp did the job for me (the variable is not set with su or sudo when requesting root privileges):

- In my case, I was following the CIS guide, which advises putting only nosuid,nodev on /tmp. Therefore apt/dpkg worked fine, as /tmp is executable. This choice in fstab seemed good to me as /tmp is cleaned up at each reboot/shutdown by systemd-tmpfiles-setup.service. For /var/tmp, nosuid,nodev,noexec also seemed a good option to me, as malware can use this file system for persistence across all users and the folder is never cleaned up.

- I noticed that mkinitramfs (in its man page) defaults to /var/tmp when TMPDIR is not set. According to the Ubuntu man page, this changed from /tmp to /var/tmp between 14.04 and 16.04. The man page also says it requires an executable filesystem (mea culpa). So I will check the Debian mailing list to understand this change better.

This message was just to explain to you why I posted this bug report on launchpad.net.
Anyway, have a nice day and keep building a nice distro,

Regards,

Aurryon
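The two technical points in this thread are the hooks' reliance on test -x (from the bug description, with the -e alternative from the first reply) and the observation in the comment above that mkinitramfs uses TMPDIR, defaulting to /var/tmp, so a noexec /var/tmp trips the hooks. The script below is an added example, not code from the bug report, cryptsetup or initramfs-tools: it parses a mount table in /proc/mounts format to tell whether the directory mkinitramfs would use sits on a noexec mount, picks an executable alternative to pass as TMPDIR, and shows a mode-bit check that is not fooled by the mount flag. It assumes Linux (/proc/mounts layout) and a stat that supports -c %A (GNU coreutils or busybox); the mount table SAMPLE_MOUNTS is constructed for illustration, so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the bug report or from cryptsetup/initramfs-tools.
# Assumes Linux /proc/mounts format (device mountpoint fstype options ...) and
# a `stat` that understands -c %A. All functions take the mount table as an
# argument so they can be run against the constructed sample below.

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# mount_point_of PATH TABLE: print the longest mount point that is a prefix of PATH.
# (/proc/mounts escapes spaces in paths as \040; such paths are not handled here.)
mount_point_of() {
    mp_path=$1
    mp_best=/
    while read -r _dev mp_mnt _fs _opts _rest; do
        [ -n "$mp_mnt" ] || continue
        case "$mp_path" in
            "$mp_mnt"|"$mp_mnt"/*)
                if [ ${#mp_mnt} -gt ${#mp_best} ]; then mp_best=$mp_mnt; fi ;;
        esac
    done <<EOF
$2
EOF
    printf '%s\n' "$mp_best"
}

# mount_options_of PATH TABLE: print the option string of the mount holding PATH.
# The last entry for a mount point wins, since a later mount shadows an earlier one.
mount_options_of() {
    mo_mp=$(mount_point_of "$1" "$2")
    mo_found=
    while read -r _dev mo_mnt _fs mo_opts _rest; do
        [ "$mo_mnt" = "$mo_mp" ] && mo_found=$mo_opts
    done <<EOF
$2
EOF
    [ -n "$mo_found" ] || return 1
    printf '%s\n' "$mo_found"
}

# has_mount_option PATH OPTION TABLE: succeed if OPTION (e.g. noexec) is set on PATH's mount.
has_mount_option() {
    hm_opts=$(mount_options_of "$1" "$3") || return 1
    case ",$hm_opts," in *",$2,"*) return 0 ;; esac
    return 1
}

# pick_exec_tmpdir TABLE DIR...: print the first DIR whose mount is not noexec.
pick_exec_tmpdir() {
    pe_table=$1
    shift
    for pe_dir in "$@"; do
        if ! has_mount_option "$pe_dir" noexec "$pe_table"; then
            printf '%s\n' "$pe_dir"
            return 0
        fi
    done
    return 1
}

# has_exec_bit FILE: `test -x` asks the kernel via access(2), which answers "no"
# on a noexec mount even when the mode bits are set. This reads the mode bits
# instead (after the -e existence check suggested in the thread), so a hook that
# only needs to know "does this file need copying" is not misled by the mount flag.
has_exec_bit() {
    [ -e "$1" ] || return 1
    case "$(stat -L -c %A "$1" 2>/dev/null)" in *x*) return 0 ;; esac
    return 1
}

# Live report against the running system when /proc/mounts is available.
main() {
    [ -r /proc/mounts ] || { echo "no /proc/mounts; skipping live check"; return 0; }
    live=$(cat /proc/mounts)
    want=${TMPDIR:-/var/tmp}   # mkinitramfs default per its man page
    if has_mount_option "$want" noexec "$live"; then
        echo "WARNING: $want is on a noexec mount; hooks using 'test -x' will treat every file as non-executable"
        if alt=$(pick_exec_tmpdir "$live" /tmp /var/tmp); then
            echo "Suggestion: TMPDIR=$alt update-initramfs -u"
        fi
    else
        echo "OK: $want is on an executable mount"
    fi
    return 0
}
main
```

Run it as root before update-initramfs on a hardened host; the live check only reads /proc/mounts and prints a suggestion, it does not remount anything. The longest-prefix lookup matters because /var and /var/tmp can be separate mounts with different flags, exactly the split the reporter's fstab produced.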
