Errors installing/updating postgresql when /tmp has noexec

public inbox for [email protected]  
help / color / mirror / Atom feed

Errors installing/updating postgresql when /tmp has noexec
3+ messages / 2 participants
[nested] [flat]

* Errors installing/updating postgresql when /tmp has noexec
@ 2025-04-08 17:21 Don Seiler <[email protected]>
  2025-04-08 17:39 ` Re: Errors installing/updating postgresql when /tmp has noexec Don Seiler <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Don Seiler @ 2025-04-08 17:21 UTC (permalink / raw)
  To: pgsql-pkg-debian

After some recent system hardening, I'm now getting these errors when
running apt to update our PGDG postgresql packages. In this case we are
running postgresql-15 on Ubuntu 22.04 LTS.

Preconfiguring packages ...
Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
/tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This doesn't cause the install the fail though, and postgresql gets updated
to 15.12 and starts up just fine. It's not clear to me if there is now some
danger/flaw in my installation or if this is something that can be ignored.

It doesn't appear that I can just set an environment variable like TMP,
TEMP, TEMPDIR etc to change this. I see that it can be changed via an apt
config change[1].

However, I'm wondering if this is something that's better changed in the
packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
security requirement now.

1.
https://askubuntu.com/questions/1452390/install-packages-on-systems-with-secured-tmp-and-var-noexec

-- 
Don Seiler
www.seiler.us

^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: Errors installing/updating postgresql when /tmp has noexec
  2025-04-08 17:21 Errors installing/updating postgresql when /tmp has noexec Don Seiler <[email protected]>
@ 2025-04-08 17:39 ` Don Seiler <[email protected]>
  2025-04-08 20:14   ` Re: Errors installing/updating postgresql when /tmp has noexec Christoph Berg <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Don Seiler @ 2025-04-08 17:39 UTC (permalink / raw)
  To: pgsql-pkg-debian

On Tue, Apr 8, 2025 at 12:21 PM Don Seiler <[email protected]> wrote:

> After some recent system hardening, I'm now getting these errors when
> running apt to update our PGDG postgresql packages. In this case we are
> running postgresql-15 on Ubuntu 22.04 LTS.
>
> Preconfiguring packages ...
> Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
>
> This doesn't cause the install the fail though, and postgresql gets
> updated to 15.12 and starts up just fine. It's not clear to me if there is
> now some danger/flaw in my installation or if this is something that can be
> ignored.
>
> It doesn't appear that I can just set an environment variable like TMP,
> TEMP, TEMPDIR etc to change this. I see that it can be changed via an apt
> config change[1].
>
> However, I'm wondering if this is something that's better changed in the
> packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> security requirement now.
>
> 1.
> https://askubuntu.com/questions/1452390/install-packages-on-systems-with-secured-tmp-and-var-noexec
>

For what it's worth, setting this apt config to specify a non-/tmp path
works around the problem:

$ cat /etc/apt/apt.conf.d/99tempdir.conf
APT::ExtractTemplates::TempDir "/some/other/tmp";

However it seems like we still shouldn't be trying to exec from /tmp by
default either. In the meantime we'll see how best to quickly deploy this
workaround to our fleet of machines.

Don.

-- 
Don Seiler
www.seiler.us


^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: Errors installing/updating postgresql when /tmp has noexec
  2025-04-08 17:21 Errors installing/updating postgresql when /tmp has noexec Don Seiler <[email protected]>
  2025-04-08 17:39 ` Re: Errors installing/updating postgresql when /tmp has noexec Don Seiler <[email protected]>
@ 2025-04-08 20:14   ` Christoph Berg <[email protected]>
  0 siblings, 0 replies; 3+ messages in thread

From: Christoph Berg @ 2025-04-08 20:14 UTC (permalink / raw)
  To: Don Seiler <[email protected]>; +Cc: pgsql-pkg-debian

Re: Don Seiler
> > Preconfiguring packages ...
> > Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> > /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> > /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> > Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is failing in debconf, a standard Debian tool.

> > However, I'm wondering if this is something that's better changed in the
> > packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> > security requirement now.

TBH, I doubt that it is standard practice because this change will
make any debconf-using package explode on installation. If at all,
it's optional extra hardening above standard where extra configuration
steps are expected.

> For what it's worth, setting this apt config to specify a non-/tmp path
> works around the problem:
> 
> $ cat /etc/apt/apt.conf.d/99tempdir.conf
> APT::ExtractTemplates::TempDir "/some/other/tmp";

You will have to include this workaround on all machines.

> However it seems like we still shouldn't be trying to exec from /tmp by
> default either. In the meantime we'll see how best to quickly deploy this
> workaround to our fleet of machines.

If you want to get this supported by default, work with Debian and/or
Ubuntu to get debconf updated. But this won't fix your 22.04 Ubuntu.

Christoph






^ permalink  raw  reply  [nested|flat] 3+ messages in thread

end of thread, other threads:[~2025-04-08 20:14 UTC | newest]

Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-04-08 17:21 Errors installing/updating postgresql when /tmp has noexec Don Seiler <[email protected]>
2025-04-08 17:39 ` Don Seiler <[email protected]>
2025-04-08 20:14   ` Christoph Berg <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox