From: Christoph Berg <[email protected]>
To: Don Seiler <[email protected]>
Cc: [email protected]
Subject: Re: Errors installing/updating postgresql when /tmp has noexec
Date: Tue, 8 Apr 2025 22:14:19 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHJZqBBKPQt1OX8Uzh+X3r+yuye6TpiBmVHNSC+ayoWiBo95Bw@mail.gmail.com>
References: <CAHJZqBAf3us8t3AwbjqfXvCYz-BZztYy0CLR5-00sfPD904z5A@mail.gmail.com>
<CAHJZqBBKPQt1OX8Uzh+X3r+yuye6TpiBmVHNSC+ayoWiBo95Bw@mail.gmail.com>
Re: Don Seiler
> > Preconfiguring packages ...
> > Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> > /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> > /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> > Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
This is failing in debconf, a standard Debian tool.
> > However, I'm wondering if this is something that's better changed in the
> > packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> > security requirement now.
TBH, I doubt that it is standard practice because this change will
make any debconf-using package explode on installation. If at all,
it's optional extra hardening above standard where extra configuration
steps are expected.
> For what it's worth, setting this apt config to specify a non-/tmp path
> works around the problem:
>
> $ cat /etc/apt/apt.conf.d/99tempdir.conf
> APT::ExtractTemplates::TempDir "/some/other/tmp";
You will have to include this workaround on all machines.
> However it seems like we still shouldn't be trying to exec from /tmp by
> default either. In the meantime we'll see how best to quickly deploy this
> workaround to our fleet of machines.
If you want to get this supported by default, work with Debian and/or
Ubuntu to get debconf updated. But this won't fix your 22.04 Ubuntu.
Christoph
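
A preflight check for the failure discussed in this thread, added here as an example (it is not part of the original message, nor code from apt or debconf): it reports whether the directory apt-extracttemplates writes package config scripts to sits on a noexec mount. The function names are hypothetical and the fallback to $TMPDIR and then /tmp is an assumption; APT::ExtractTemplates::TempDir is the setting quoted above.

```shell
#!/bin/sh
# Added example: detect the "Can't exec /tmp/<pkg>.config.*: Permission denied"
# condition before running apt on a host hardened with noexec mounts.

# Print the mount options of the filesystem holding path $1, read from the
# /proc/mounts-format file $2. The longest matching mount point wins; on a
# tie the later line wins because it was mounted on top.
# Limitation: mount points containing spaces (\040 in /proc/mounts) are not decoded.
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            # p is on this mount if it equals the mount point or lies below it
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "$2"
}

# Exit status 0 when the filesystem holding $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Directory used for extracted config scripts: the apt setting if configured,
# otherwise (assumed fallback order) $TMPDIR, then /tmp.
apt_template_dir() {
    dir=""
    if command -v apt-config >/dev/null 2>&1; then
        eval "$(apt-config shell dir APT::ExtractTemplates::TempDir 2>/dev/null)"
    fi
    printf '%s\n' "${dir:-${TMPDIR:-/tmp}}"
}

report() {
    d=$(apt_template_dir)
    if is_noexec "$d" /proc/mounts; then
        echo "FAIL: $d is on a noexec mount; debconf preconfiguration will fail"
    else
        echo "OK: $d permits exec"
    fi
}

# Run against the live system when /proc/mounts is available.
[ -r /proc/mounts ] && report || true
```

The same check applies to whatever replacement path is set in the apt configuration: that directory must itself be on a filesystem mounted without noexec.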