Date: Tue, 8 Apr 2025 22:14:19 +0200
From: Christoph Berg
To: Don Seiler
Cc: pgsql-pkg-debian@postgresql.org
Subject: Re: Errors installing/updating postgresql when /tmp has noexec

Re: Don Seiler
> > Preconfiguring packages ...
> > Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> > /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> > /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> > Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is failing in debconf, a standard Debian tool.

> > However, I'm wondering if this is something that's better changed in the
> > packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> > security requirement now.

TBH, I doubt that it is standard practice because this change will
make any debconf-using package explode on installation. If at all,
it's optional extra hardening above standard where extra configuration
steps are expected.

> For what it's worth, setting this apt config to specify a non-/tmp path
> works around the problem:
>
> $ cat /etc/apt/apt.conf.d/99tempdir.conf
> APT::ExtractTemplates::TempDir "/some/other/tmp";

You will have to include this workaround on all machines.

> However it seems like we still shouldn't be trying to exec from /tmp by
> default either. In the meantime we'll see how best to quickly deploy this
> workaround to our fleet of machines.

If you want to get this supported by default, work with Debian and/or
Ubuntu to get debconf updated. But this won't fix your 22.04 Ubuntu.

Christoph
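
A preflight check for the failure in this thread, as an added example that is not part of the original message or of the Debian/PostgreSQL packaging: it reports whether the directory the package config scripts are extracted to sits on a noexec mount, and also catches a TempDir override that itself points at a noexec filesystem. The function names, the sample mounts table and the `/var/tmp/apt` path are constructed; the parser handles only the one-line apt.conf form quoted above and assumes /tmp when no TempDir is set.

```sh
#!/bin/sh
# Added example, not from the thread: preflight check for the debconf failure.

# Print the mount options of the filesystem holding path $1, taking the
# longest matching mount point in mounts file $2 (default /proc/mounts).
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed if the filesystem holding path $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the last APT::ExtractTemplates::TempDir set in one-line form in the
# apt.conf.d directory $1 (default /etc/apt/apt.conf.d); empty if unset.
apt_tempdir() {
    cat "${1:-/etc/apt/apt.conf.d}"/* 2>/dev/null |
        sed -n 's/^[[:space:]]*APT::ExtractTemplates::TempDir[[:space:]]*"\([^"]*\)";.*/\1/p' |
        tail -n 1
}

# Print "ok <dir>" or "noexec <dir>" for the directory the config scripts
# would be extracted to (assumed to be /tmp when no TempDir is set).
check_preconfigure_dir() {
    dir=$(apt_tempdir "$1")
    dir=${dir:-/tmp}
    if is_noexec "$dir" "$2"; then echo "noexec $dir"; return 1; fi
    echo "ok $dir"
}

# Constructed sample: noexec /tmp and /var, plus three apt.conf.d variants.
make_sample() {
    s=$(mktemp -d)
    mkdir "$s/conf_default" "$s/conf_fixed" "$s/conf_bad"
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' \
        '/dev/sda2 /var ext4 rw,nodev,noexec 0 0' > "$s/mounts"
    echo 'APT::ExtractTemplates::TempDir "/some/other/tmp";' > "$s/conf_fixed/99tempdir.conf"
    echo 'APT::ExtractTemplates::TempDir "/var/tmp/apt";' > "$s/conf_bad/99tempdir.conf"
    echo "$s"
}
```

Called with no arguments, `check_preconfigure_dir` reads /proc/mounts and /etc/apt/apt.conf.d on the local machine.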