Bug#481295: Preconfiguring of openssh-servers fails due to mount option noexec on /tmp

2008-05-15 Thread Meinhard Schneider
Package: openssh-server
Version: 1:4.3p2-9etch1
Severity: important

Just updated openssh-* and got this message:
[...]
Preconfiguring packages ...
Can't exec /tmp/openssh-server.config.35001: Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
open2: exec of /tmp/openssh-server.config.35001 configure 1:4.3p2-9 failed at /usr/share/perl5/Debconf/ConfModule.pm line 58
openssh-server failed to preconfigure, with exit status 9
[...]

This error comes due to mount options for /tmp:
/dev/md1 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/mapper/vg00-home_lv on /home type ext3 (rw,nosuid,nodev,acl,usrquota,grpquota)
/dev/mapper/vg00-tmp_lv on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/mapper/vg00-usr_lv on /usr type ext3 (rw,nodev)
/dev/mapper/vg00-var_lv on /var type ext3 (rw,nosuid,nodev)
/dev/mapper/vg00-varlog_lv on /var/log type ext3 (rw,noexec,nosuid,nodev)
/dev/mapper/vg00-varspoolsquid_lv on /var/spool/squid type ext3 (rw,noexec,nosuid,nodev)
/dev/mapper/vg00-vartmp_lv on /var/tmp type ext3 (rw,noexec,nosuid,nodev)


I believe it is legal to mount /tmp without binary exec support for
security improvement. Executing scripts from /tmp is IMHO a very bad
idea.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages openssh-server depends on:
ii  add  3.102                                 Add and remove users and groups
ii  deb  1.5.11etch1                           Debian configuration management sy
ii  dpk  1.13.25                               package maintenance system for Deb
ii  lib  2.3.6.ds1-13etch5                     GNU C Library: Shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1  common error description library
ii  lib  1.4.4-7etch5                          MIT Kerberos runtime libraries
ii  lib  0.79-5                                Pluggable Authentication Modules f
ii  lib  0.79-5                                Runtime support for the PAM librar
ii  lib  0.79-5                                Pluggable Authentication Modules l
ii  lib  1.32-3                                SELinux shared libraries
ii  lib  0.9.8c-4etch3                         SSL shared libraries
ii  lib  7.6.dbs-13                            Wietse Venema's TCP wrappers libra
ii  ope  0.1.1                                 list of blacklisted OpenSSH RSA an
ii  ope  1:4.3p2-9etch1                        Secure shell client, an rlogin/rsh
ii  zli  1:1.2.3-13                            compression library - runtime

openssh-server recommends no packages.

-- debconf information excluded



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#481295: Preconfiguring of openssh-servers fails due to mount option noexec on /tmp

2008-05-15 Thread Colin Watson
reassign 481295 debconf
forcemerge 223683 481295
thanks

On Thu, May 15, 2008 at 08:05:44AM +0200, Meinhard Schneider wrote:
> Package: openssh-server
> Version: 1:4.3p2-9etch1
> Severity: important
>
> Just updated openssh-* and got this message:
> [...]
> Preconfiguring packages ...
> Can't exec /tmp/openssh-server.config.35001: Permission denied at /usr/share/perl/5.8/IPC/Open3.pm line 168.
> open2: exec of /tmp/openssh-server.config.35001 configure 1:4.3p2-9 failed at /usr/share/perl5/Debconf/ConfModule.pm line 58
> openssh-server failed to preconfigure, with exit status 9
> [...]

This is a well-known and long-standing behaviour of debconf, and not
anything that openssh itself is doing specially. Note that the noexec
option is fairly useless for security purposes (except to slow people
down a little bit) as you could in principle just run the script
manually through an appropriate interpreter.

> I believe it is legal to mount /tmp without binary exec support for
> security improvement. Executing scripts from /tmp is IMHO a very bad
> idea.

If you want to do this, you need to remount it exec while installing
Debian packages.

Cheers,

-- 
Colin Watson   [EMAIL PROTECTED]
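
The workaround from the reply above (remount /tmp exec while installing packages), as an added example that is not part of the thread and not debconf or openssh code. The function names are hypothetical, the sample lines are copied from the mount listing in the report, and mount points containing spaces are assumed not to occur.

```shell
#!/bin/sh
# Added example. Sample data: lines from the mount listing in the report.
SAMPLE_MOUNTS='/dev/md1 on / type ext3 (rw,errors=remount-ro)
/dev/mapper/vg00-tmp_lv on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/mapper/vg00-usr_lv on /usr type ext3 (rw,nodev)
/dev/mapper/vg00-var_lv on /var type ext3 (rw,nosuid,nodev)
/dev/mapper/vg00-vartmp_lv on /var/tmp type ext3 (rw,noexec,nosuid,nodev)'

# mount_for PATH: read "mount" output on stdin and print "MOUNTPOINT OPTIONS"
# for the longest mount point that contains PATH.
mount_for() {
    awk -v p="$1" '
        $2 == "on" && $4 == "type" {
            mp = $3; opts = $6; gsub(/[()]/, "", opts)
            pre = (mp == "/") ? "/" : (mp "/")
            # Match on a path-component boundary so /tmpfoo is not under /tmp.
            if ((p == mp || index(p, pre) == 1) && length(mp) > length(best)) {
                best = mp; bestopts = opts
            }
        }
        END { if (best != "") print best, bestopts }'
}

# is_noexec PATH: read "mount" output on stdin; succeed if the filesystem
# holding PATH carries the noexec option.
is_noexec() {
    opts=$(mount_for "$1")
    case ",${opts#* }," in *,noexec,*) return 0 ;; esac
    return 1
}

# with_exec_tmp CMD...: if /tmp is noexec, remount it exec while CMD runs
# (for example an apt-get upgrade) and put noexec back when CMD finishes,
# whether it succeeded or failed. Needs root.
with_exec_tmp() {
    if mount | is_noexec /tmp; then
        mount -o remount,exec /tmp || return 1
        ( trap 'mount -o remount,noexec /tmp' EXIT; "$@" )
        return $?
    fi
    "$@"
}
```

Source the file and run `with_exec_tmp apt-get upgrade` as root; on a system where /tmp is not noexec the command runs unchanged.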


