From: Don Seiler
Date: Tue, 8 Apr 2025 12:21:05 -0500
Subject: Errors installing/updating postgresql when /tmp has noexec
To: pgsql-pkg-debian@postgresql.org

After some recent system hardening, I'm now getting these errors when running apt to update our PGDG postgresql packages. In this case we are running postgresql-15 on Ubuntu 22.04 LTS.

    Preconfiguring packages ...
    Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
    open2: exec of /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This doesn't cause the install to fail though, and postgresql gets updated to 15.12 and starts up just fine. It's not clear to me if there is now some danger/flaw in my installation or if this is something that can be ignored.

It doesn't appear that I can just set an environment variable like TMP, TEMP, TEMPDIR etc. to change this. I see that it can be changed via an apt config change[1].

However, I'm wondering if this is something that's better changed in the packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA security requirement now.

1. https://askubuntu.com/questions/1452390/install-packages-on-systems-with-secured-tmp-and-var-noexec

--
Don Seiler
www.seiler.us
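An added example, not part of the original message or of the PGDG packaging: a shell check that reports whether a directory, such as the /tmp path in the error above, sits on a mount carrying the noexec option. The function names `mount_exec_state` and `sample_mounts` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the mount that covers a path and report whether it
# is mounted noexec. Input is a table in /proc/self/mounts format:
#   device mountpoint fstype options dump pass
# Mount points containing spaces (escaped as \040 there) are not handled.

# mount_exec_state PATH [MOUNTS_FILE]
# Prints "<mountpoint> noexec" or "<mountpoint> exec"; returns 1 if no mount matches.
mount_exec_state() {
    path=$1
    mounts=${2:-/proc/self/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # A mount covers p if it is "/", equals p, or is a directory prefix of p.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; on a tie the later entry wins.
                if (length(mp) >= best_len) {
                    best_len = length(mp); best = mp; opts = $4
                }
            }
        }
        END {
            if (best == "") exit 1
            state = "exec"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") state = "noexec"
            print best, state
        }
    ' "$mounts"
}

# Constructed sample mount table for a hardened host (not taken from the post).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var ext4 rw,nodev,noexec,relatime 0 0
/dev/sda3 /var/lib/postgresql ext4 rw,relatime 0 0
EOF
}

# Stand-alone use: ./script /tmp   (reads the live /proc/self/mounts)
if [ "$#" -gt 0 ]; then
    mount_exec_state "$@"
fi
```

apt-extracttemplates(1) documents `APT::ExtractTemplates::TempDir` as the configuration item for the directory it writes config scripts to, so the same check applies to any directory chosen there.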