public inbox for [email protected]  
From: Don Seiler <[email protected]>
To: [email protected]
Subject: Errors installing/updating postgresql when /tmp has noexec
Date: Tue, 8 Apr 2025 12:21:05 -0500
Message-ID: <CAHJZqBAf3us8t3AwbjqfXvCYz-BZztYy0CLR5-00sfPD904z5A@mail.gmail.com> (raw)

After some recent system hardening, I'm now getting these errors when
running apt to update our PGDG postgresql packages. In this case we are
running postgresql-15 on Ubuntu 22.04 LTS.

Preconfiguring packages ...
Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
open2: exec of /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This doesn't cause the install to fail though, and postgresql gets updated
to 15.12 and starts up just fine. It's not clear to me if there is now some
danger/flaw in my installation or if this is something that can be ignored.

It doesn't appear that I can just set an environment variable like TMP,
TEMP, TEMPDIR etc to change this. I see that it can be changed via an apt
config change[1].

However, I'm wondering if this is something that's better changed in the
packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
security requirement now.

1.
https://askubuntu.com/questions/1452390/install-packages-on-systems-with-secured-tmp-and-var-noexec

-- 
Don Seiler
www.seiler.us
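The failure above comes from debconf extracting the package's config script into /tmp and exec'ing it there, which a noexec mount refuses. As an added example (not part of the post or of the PGDG packaging), the shell script below does two things a defender would want before touching the apt config: it parses a /proc/mounts-style table to confirm which mount points actually carry noexec, and it emits the apt.conf.d line that points apt-extracttemplates at a different directory via the APT::ExtractTemplates::TempDir item documented in apt-extracttemplates(1), refusing to recommend a directory that itself sits on a noexec mount. The mount table and the candidate directory paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a mount table for
# noexec and builds the apt configuration that keeps debconf's extracted
# config scripts off /tmp without loosening /tmp itself.

# mount_exec_status MOUNTPOINT MOUNTS_TEXT
# MOUNTS_TEXT uses the /proc/mounts layout: "source target fstype options ...".
# Prints "noexec", "exec", or "absent" (absent = not its own mount point, so it
# inherits the parent mount's options). The last matching entry wins, which is
# how an over-mount shadows an earlier mount of the same path.
mount_exec_status() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp {
            status = "exec"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") status = "noexec"
        }
        END { if (status == "") status = "absent"; print status }
    '
}

# mount_point_for PATH MOUNTS_TEXT
# Prints the longest mount point that contains PATH (longest-prefix match on
# path components, so /var matches /var/lib/x but not /variable).
mount_point_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            t = $2
            if (t == "/" || p == t || index(p, t "/") == 1) {
                if (length(t) >= length(best)) best = t
            }
        }
        END { print best }
    '
}

# apt_conf_snippet DIR
# The apt configuration item is the one from apt-extracttemplates(1);
# DIR is whatever directory the administrator chooses.
apt_conf_snippet() {
    printf 'APT::ExtractTemplates::TempDir "%s";\n' "$1"
}

# recommend_tempdir DIR MOUNTS_TEXT
# Prints the snippet only if DIR lives on a mount without noexec; otherwise
# prints a comment explaining why and returns 1.
recommend_tempdir() {
    dir=$1
    mounts=$2
    mp=$(mount_point_for "$dir" "$mounts")
    case $(mount_exec_status "$mp" "$mounts") in
        exec) apt_conf_snippet "$dir" ;;
        *)
            printf '# %s is on %s which is noexec; choose another directory\n' "$dir" "$mp"
            return 1
            ;;
    esac
}

# Constructed sample table (not captured from a real host): /tmp and /var noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,relatime,noexec 0 0'

# Stand-alone demonstration on the constructed table, then on this host if
# /proc/mounts is readable.
for mp in / /tmp /var; do
    printf 'sample %s: %s\n' "$mp" "$(mount_exec_status "$mp" "$SAMPLE_MOUNTS")"
done
# Hypothetical candidate directories: one under noexec /var, one under /.
recommend_tempdir /var/lib/apt-extracttemplates "$SAMPLE_MOUNTS" || true
recommend_tempdir /srv/apt-extracttemplates "$SAMPLE_MOUNTS"
if [ -r /proc/mounts ]; then
    printf 'this host /tmp: %s\n' "$(mount_exec_status /tmp "$(cat /proc/mounts)")"
fi
```

The snippet it prints is meant for a file under /etc/apt/apt.conf.d/; the directory named there must exist and be root-owned, and the point of the mount check is that moving the extraction target to a second noexec filesystem (such as a hardened /var) reproduces the same error. This keeps the CIS/DISA noexec setting on /tmp intact rather than remounting /tmp exec around each apt run.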

