On Tue, 23 Oct 2001, Karsten M. Self wrote:

> on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote:
> > Hi,
> >
> > I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read
> > somewhere that that was a good way to go security-wise.
>
> It is, but...
>
> > It seems that some package related configuration stuff writes
> > temporary scripts into /tmp, which then don't run because /tmp's
> > mounted noexec
>
> ...it creates problems.
>
> Incidentally, what package is doing this? I'd been asked this once
> after suggesting 'noexec' and wasn't aware of specific executables. I've
> also found that the PCMCIA cardmgr wants to put a device file on /tmp,
> and had to modify the init.d script for it to do a remount.

This particular occasion was the faqomatic package, I was upgrading to the
version in unstable. I'm not sure whether it's a debconf thing or a Perl
thing. I'm still learning the internals of packages, and the scripts internal
to the package don't make a lot of sense to me at the moment.

> > Should perhaps such scripts be placed elsewhere? /var/tmp? Is mounting
> > /tmp noexec a bit pointless?
>
> If you *do* specify a "TEMP=/var/tmp", most (but not all) applications
> will respect it (though not necessarily in the morning).
>
> Note that *any* mount option is going to be relatively easy to change
> with the -remount option -- this can be done without umounting the
> partition. I'd prolly acquiesce and mount /tmp executable, seeing as
> there are several pretty trivial ways of getting around this exclusion,
> so it is somewhat pointless.

Yeah, I think I'll do that.

Andrew