From: Don Seiler
Date: Tue, 8 Apr 2025 12:39:42 -0500
Subject: Re: Errors installing/updating postgresql when /tmp has noexec
To: pgsql-pkg-debian@postgresql.org

On Tue, Apr 8, 2025 at 12:21 PM Don Seiler wrote:

> After some recent system hardening, I'm now getting these errors when
> running apt to update our PGDG postgresql packages. In this case we are
> running postgresql-15 on Ubuntu 22.04 LTS.
>
> Preconfiguring packages ...
> Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
>
> This doesn't cause the install to fail though, and postgresql gets
> updated to 15.12 and starts up just fine. It's not clear to me if there is
> now some danger/flaw in my installation or if this is something that can be
> ignored.
>
> It doesn't appear that I can just set an environment variable like TMP,
> TEMP, TEMPDIR etc to change this. I see that it can be changed via an apt
> config change[1].
>
> However, I'm wondering if this is something that's better changed in the
> packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> security requirement now.
>
> 1.
> https://askubuntu.com/questions/1452390/install-packages-on-systems-with-secured-tmp-and-var-noexec
>

For what it's worth, setting this apt config to specify a non-/tmp path
works around the problem:

$ cat /etc/apt/apt.conf.d/99tempdir.conf
APT::ExtractTemplates::TempDir "/some/other/tmp";

However it seems like we still shouldn't be trying to exec from /tmp by
default either. In the meantime we'll see how best to quickly deploy this
workaround to our fleet of machines.

Don.

-- 
Don Seiler
www.seiler.us

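A check to run before rolling the `APT::ExtractTemplates::TempDir` workaround out to a fleet, as an added example that is not part of the original message: it tests whether a candidate directory sits on a `noexec` mount, since a replacement path under a hardened `/var` fails the same way `/tmp` does. The mount table, `/var/tmp/apt` and `/opt/apt-tmp` are constructed or hypothetical, and an unset TempDir is assumed to mean `/tmp`, the path shown in the error.

```shell
#!/bin/sh
# Added example (not from the thread): is a directory on a noexec mount?
# The mount table is read from stdin in /proc/mounts format.

# Print the mount options of the filesystem holding directory $1.
# The longest matching mount point wins; a later entry wins a tie.
mount_opts_for() {
    awk -v dir="$1" '
        ($2 == "/" || dir == $2 || index(dir, $2 "/") == 1) && length($2) >= best {
            best = length($2); opts = $4
        }
        END { print opts }'
}

# Return 0 when directory $1 is on a mount carrying the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report on the directory apt-extracttemplates would use. $1 is the configured
# APT::ExtractTemplates::TempDir; empty is treated as /tmp (assumption, taken
# from the path in the error message).
check_extract_tempdir() {
    dir="${1:-/tmp}"
    if is_noexec "$dir"; then
        echo "FAIL $dir is noexec: config scripts extracted there cannot be executed"
    else
        echo "OK $dir allows exec"
    fi
}

# Constructed mount table for a hardened host (sample data, not from the thread).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,nodev,noexec 0 0'

# Unset TempDir, a candidate under the noexec /var, and one on the root fs.
# /var/tmp/apt and /opt/apt-tmp are hypothetical paths.
for d in "" /var/tmp/apt /opt/apt-tmp; do
    printf '%s\n' "$SAMPLE_MOUNTS" | check_extract_tempdir "$d"
done

# On a real host:
#   eval "$(apt-config shell dir APT::ExtractTemplates::TempDir)"
#   check_extract_tempdir "$dir" < /proc/mounts
```

Mount points containing spaces appear escaped as `\040` in `/proc/mounts`; this check does not decode them.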