Comment 6 for bug 2043711

Andrew J. Caines (cainesaj) wrote : Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

You are of course quite right that the risk associated with a file created with a "random" six character case-insensitive alphanumeric suffix and run a moment later is far smaller than more obviously risky misuses of /tmp. Nevertheless the issue is not about evaluating the risk of an adversary creating over forty-four milliard files or symlinks per package in /tmp, or if the code checks for the presence of the file before trying to create it (which I trust it does), or just how random the suffix really is, or how many race conditions might exist, or any of the other cases we've seen exploited over the decades, but that this is even a matter to consider in late 2024.

Since you mention it specifically, creating the file with mode 600 will (or certainly should) of course prevent the contents of the file from being overwritten by another user between creation and execution.

I consider it uncontroversial to claim that a standard process for updating software on Ubuntu should not
1) involve creating executables (or files containing code to be executed) directly in /tmp and running them as root, and
2) result in errors when /tmp is mounted noexec, especially when they may indicate unhandled breakage.

I briefly observed more similar errors during an update earlier today, but was not quick enough to capture more details before the Software Updater output window disappeared; however, I doubt those details provided any more useful information.
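
An added illustration of the two points in the comment above (not part of the comment and not code from any Ubuntu package): shell functions that check whether a directory's mount carries `noexec` before staging an executable there, and that stage it in a private 0700 directory instead of directly in /tmp. The candidate directories, the `stage.` prefix and the `hook.sh` name are hypothetical.

```shell
# Added example. Directory candidates and the hook.sh name are hypothetical.
# MOUNTS_FILE can point at a constructed table for testing.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# mount_opts DIR: print the mount options of the filesystem holding DIR.
# The longest mount-point prefix wins; a later entry shadows an earlier one.
mount_opts() {
    awk -v dir="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if ((dir == mp || index(dir "/", pre) == 1) && length(mp) >= best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }
    ' "$MOUNTS_FILE"
}

# is_noexec DIR: succeed if the mount holding DIR has the noexec option.
is_noexec() {
    case ",$(mount_opts "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_stage_base CANDIDATE...: print the first candidate whose mount allows
# execution; return 1 if none does, so the caller can report it explicitly.
pick_stage_base() {
    for d in "$@"; do
        if ! is_noexec "$d"; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# stage_script BASE: create a private directory (mktemp -d gives mode 0700)
# under BASE with an owner-only script file inside it; print the script path.
stage_script() {
    ( umask 077
      d=$(mktemp -d "$1/stage.XXXXXXXXXX") || exit 1
      : > "$d/hook.sh" && chmod 700 "$d/hook.sh" && printf '%s\n' "$d/hook.sh" )
}
```

A caller would pass only root-owned locations to `pick_stage_base` and stop with a clear error when none qualifies, rather than falling back to /tmp.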