Your message dated Thu, 10 Nov 2005 12:19:14 -0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#338428: dpkg: fails if /tmp or /var are noexec
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: "Pascal A. Dupuis" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: dpkg: fails if /tmp or /var are noexec
Date: Thu, 10 Nov 2005 09:56:19 +0100
Package: dpkg
Version: 1.13.11.0.1
Severity: wishlist
Hello,
I consider it good security practice to have /tmp and /var mounted with
the most restrictive set of permissions. Having nodev and nosuid is a
good first step, but having noexec set disrupts dpkg.
Possible workarounds:
1) have dpkg store/copy its executable scripts elsewhere.
2) avoid relying on the auto-exec features of the scripts. For instance, if the
first line is #!/usr/bin/perl, do
    exec /usr/bin/perl $scriptname
instead of
    exec $scriptname
and, at the same time, sanitize the call: define a list of
allowable external helper programs, and refuse to launch unknown ones.
3) design a wrapper that tests if /tmp or /var are noexec, remounts them
with exec, performs the dpkg task, and restores the original state. This
way, the "door" is only open during dpkg operations.
Best regards
Pascal Dupuis
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Versions of packages dpkg depends on:
ii coreutils [textutils] 5.2.1-2.1 The GNU core utilities
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii textutils 5.2.1-2.1 The GNU text file processing utili
dpkg recommends no packages.
-- no debconf information
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
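
Workaround 2 from the report above, sketched as an added example (not code from dpkg or from either poster): read a maintainer script's shebang line, check the interpreter against an allowlist, and build an argv that executes the interpreter rather than the script, so the script itself only needs to be readable. The allowlist contents, the 256-byte cap and the names `interpreter_argv` and `ScriptRejected` are assumptions made for illustration.

```python
import os
import tempfile

# Assumed allowlist; the report names /usr/bin/perl, the others are illustrative.
ALLOWED_INTERPRETERS = frozenset({"/bin/sh", "/bin/bash", "/usr/bin/perl"})
MAX_SHEBANG = 256  # assumed cap on the shebang line we are willing to parse


class ScriptRejected(Exception):
    """Raised when the interpreter cannot be established or is not allowed."""


def interpreter_argv(script_path, allowed=ALLOWED_INTERPRETERS):
    """Build an argv that runs script_path through its shebang interpreter.

    The interpreter binary is what gets exec'd, so the script only has to be
    readable, not executable, on the filesystem that holds it.
    """
    with open(script_path, "rb") as fh:
        line = fh.readline(MAX_SHEBANG + 1)
    if not line.startswith(b"#!"):
        raise ScriptRejected("no shebang line")
    if len(line) > MAX_SHEBANG or not line.endswith(b"\n"):
        raise ScriptRejected("shebang line too long or unterminated")
    try:
        fields = line[2:].decode("ascii").strip().split(None, 1)
    except UnicodeDecodeError:
        raise ScriptRejected("non-ASCII shebang line") from None
    if not fields:
        raise ScriptRejected("empty shebang line")
    interp = fields[0]
    # Literal comparison only: relative or non-normalised paths never match,
    # and "/usr/bin/env perl" is refused because env is not on the list.
    if interp not in allowed:
        raise ScriptRejected("interpreter not allowed: %s" % interp)
    # Linux hands everything after the interpreter over as one single argument.
    return [interp] + fields[1:] + [os.path.abspath(script_path)]


if __name__ == "__main__":
    # Constructed sample standing in for a package maintainer script.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "postinst")
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl -w\nprint qq(configured\\n);\n")
        print(interpreter_argv(path))
```
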
---------------------------------------
From: "Adam D. Barratt" <[EMAIL PROTECTED]>
To: "Pascal A. Dupuis" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: Re: Bug#338428: dpkg: fails if /tmp or /var are noexec
Date: Thu, 10 Nov 2005 12:19:14 -0000
Hi,
On Thursday, November 10, 2005 8:56 AM, Pascal A. Dupuis
<[EMAIL PROTECTED]> wrote:
> Package: dpkg
> Version: 1.13.11.0.1
> Severity: wishlist
>
> Hello,
>
> I consider it good security practice to have /tmp and /var mounted with
> the most restrictive set of permissions. Having nodev and nosuid is a
> good first step, but having noexec set disrupts dpkg.
The dpkg maintainers have previously stated that they will not change dpkg's
behaviour to work around settings such as noexec, so I'm closing this bug.
See #295106 for some reasoning and suggestions.
Regards,
Adam