On 12/02/2015 05:19 PM, Burton, Ross wrote:
> On 2 December 2015 at 23:16, Alejandro del Castillo <alejandro.delcasti...@ni.com> wrote:
>
>>> Whilst the patch is fine, this is worrying as noexec /tmp shouldn't
>>> break opkg.
>>>
>>> Maybe opkg should be changed to use something in /var for the scripts?
>>
>> Could you expand on why it's better to use /var instead of /tmp as the default
>> sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
>> understand why that's better (to change opkg, if it makes sense)
>
> Well in this case it's fairly common to mount /tmp as noexec on security
> grounds, and to be limited in size (say a small tmpfs), whereas /var generally
> has less restrictions.
I see, common attacks rely on being able to execute commands in /tmp. Do you mind opening an issue for opkg on bugzilla?

-- 
Cheers,

Alejandro

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
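The failure mode discussed in the thread (a package manager writing maintainer scripts into /tmp and then failing to run them because /tmp is mounted noexec) can be probed directly. The script below is an added example, not opkg's or dpkg's code: it writes a throwaway script into a candidate directory, tries to execute it, and reports whether the directory is usable as a script sandbox. On a noexec mount the file is created and chmod'ed fine, but execve fails with EACCES and the shell reports status 126, which is exactly what a package manager would hit. The function names, the candidate list and the probe file name are all assumptions made for this example.

```sh
#!/bin/sh
# Added example (not opkg's code): decide where a package manager may run
# maintainer scripts. A noexec mount lets you create and chmod the file
# but refuses execve (EACCES, shell status 126), so only an actual exec
# attempt is a reliable test; checking permission bits is not enough.

# probe_exec_dir DIR
#   Returns 0 if a freshly written script in DIR can be executed,
#   1 if DIR is missing, unwritable, or mounted noexec.
probe_exec_dir() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe="$dir/.exec-probe.$$"          # hypothetical probe file name
    printf '#!/bin/sh\nexit 42\n' > "$probe" 2>/dev/null || return 1
    chmod 0755 "$probe" 2>/dev/null || { rm -f "$probe"; return 1; }
    rc=0
    "$probe" 2>/dev/null || rc=$?        # 42 = ran, 126 = noexec / EACCES
    rm -f "$probe"
    [ "$rc" -eq 42 ]
}

# pick_script_dir CANDIDATE...
#   Prints the first candidate in which scripts actually execute and
#   returns 0; returns 1 (prints nothing) if none qualify.
pick_script_dir() {
    for d in "$@"; do
        if probe_exec_dir "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: prefer a location under /var, as suggested in the
# thread, and only fall back to /tmp (or TMPDIR) if nothing else works.
# The /var/lib/opkg/tmp path is an assumed example path, not opkg's real one.
if [ "${0##*/}" = "exec-probe.sh" ]; then
    if dir=$(pick_script_dir /var/lib/opkg/tmp /var/tmp "${TMPDIR:-/tmp}"); then
        echo "maintainer scripts can run from: $dir"
    else
        echo "no candidate directory allows execution (all noexec?)" >&2
        exit 1
    fi
fi
```

Run it on a system with `/tmp` mounted `noexec` (for example `mount -o remount,noexec /tmp` on a scratch VM) and `pick_script_dir /tmp` returns 1 while `/var/tmp` is typically still accepted. The probe deliberately executes a file rather than parsing `/proc/mounts`, because bind mounts and per-namespace mount options make the mount table an unreliable proxy for what execve will actually do.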