Hi,

as we just had a discussion about this bug report on IRC, AFAICS there
are a couple of reasons and possibilities:

re usage of /var:
~~~~~~~~~~~~~~~~
dpkg puts the package data into /var/lib/dpkg/info. This includes the
list of files, the list of conffiles, templates, md5sums and also the
maintainer scripts of each package.

According to FHS:
| /var contains variable data files. This includes spool directories and
| files, administrative and logging data, and transient and temporary
| files.
re /var/lib:
| This hierarchy holds state information pertaining to an application or
| the system.

The usage of /var/lib/dpkg matches that description IMHO.



possible ways for /var to be no-exec
====================================

per local admin

1. use a different place via local configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Technically, adding admindir=/some/other/place to /etc/dpkg/dpkg.cfg
(and an appropriate Dir::State::status to apt's configuration) should
work. Any sysadmin can do that on his own system.


2. make /var/lib/dpkg/info an own mountpoint
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Either create a new partition, or re-mount the existing partition with
some mount --bind /var/lib/dpkg/info /var/lib/dpkg/info; mount
/var/lib/dpkg/info -o exec - you might call that ugly but it works.



per changes to dpkg

3. copy scripts around if necessary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Most maintainer scripts are sh/bash/dash/perl-scripts. These can be
executed even if noexec is in place by explicit call via /bin/sh (or
whatever) -- basically a re-implementation of kernel code. Not nice
but would work. All other "scripts" would need to be copied somewhere
else prior to execution (and I think it's sensible to disallow binary
maintainer scripts except for very few packages, including e.g. bash
itself).

4. remount /var with exec
~~~~~~~~~~~~~~~~~~~~~~~~~
AFAICS there is no option within dpkg (or not documented) to always
execute commands prior to a dpkg "writing" invocation (while there is
within apt). It might make sense to remount /var with exec in case
it's noexec before running any scripts.


I think adding hooks for dpkg to run scripts pre-/post-changing
requests (e.g. configure, remove, install, ...) might make sense.

Of course, there are a couple more options like e.g. changing the
location on new installs, but as said, I consider the current place to
be the correct one according to FHS.


Andi
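
An added example, not part of the mail above and not dpkg code: a shell check that reports whether the filesystem holding a directory such as /var/lib/dpkg/info is mounted noexec, including the case from option 2 where the directory is its own mount point. The function names (mount_opts_for, is_noexec, sample_mounts) are hypothetical and the mount table is constructed sample data in /proc/mounts format.

```shell
#!/bin/sh
# mount_opts_for PATH [MOUNTS_FILE]
# Print the mount options of the filesystem holding PATH, reading a table in
# /proc/mounts format (device mountpoint fstype options dump pass).
# The longest matching mount point wins; for equal mount points the last entry
# wins, because a later mount on the same directory shadows the earlier one.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            # A mount point matches if it is "/", equals the path, or is a
            # directory prefix of it ("/var" must not match "/variable").
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: exit status 0 if PATH lies on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample table: /var is noexec, and /var/lib/dpkg/info is a
# separate mount point without noexec (the setup described in option 2).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/lib/dpkg/info ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

# Demo on the constructed table only (the live /proc/mounts is not read here).
tmp=$(mktemp) && sample_mounts > "$tmp"
for d in /var/lib/dpkg/info /var/lib/apt /usr/bin; do
    if is_noexec "$d" "$tmp"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
rm -f "$tmp"
```

On a real system, calling is_noexec with only a path reads /proc/mounts.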



