
I plan to use this line in /etc/fstab on an Ubuntu 14.04 server running LAMP:

/run/shm/tmp  tmpfs   nosuid,nodev,noexec,size=8G   0  0

My question is, does anyone know if I will create problems by mounting /tmp with nosuid and noexec?


Edited Jan-31-2015: The answer referred to above in "Best way to mount /tmp in fstab?" does not answer my question about what problems might occur if I mount /tmp with nosuid and noexec. It simply mentions that it's not necessary to do so, and that something "might" break if I use those options.

The answer below, by aFoP and muru, does answer my question by enumerating what will fail, and how to work around the problem.

Thanks aFoP and muru!

Edited by LiveWireBT. Asked by dwarfplanet9.
    This is not a duplicate. This question asks what possible issues a user will run into, the other asks how best to implement the solution. – Citricguy Feb 19 '15 at 08:56
  • I am voting to reopen this question. I would have asked a question about finding packages which rely on /tmp having exec permissions. I have begun writing a script to deal with this and I found many questions in other places about the symptoms with no clear answer. There are also guidelines like Center for Internet Security which recommend configuring noexec on /tmp and others, but they don't tell you this and they link to bug reports seemingly unrelated, leaving readers in limbo with symptoms. A great dumpster fire from my point of view. I would even offer a 1k bounty on an answer. – LiveWireBT Mar 08 '21 at 22:35
  • @LiveWireBT then effectively it's unanswerable, isn't it? You can't really predict which ones might need an executable /tmp, and AFAIK there isn't a Debian policy that says packages must support a noexec /tmp. So what will the post become? A laundry list of random unrelated packages that have some problem or the other with a noexec /tmp? – muru Mar 09 '21 at 06:10
  • @muru Sorry, you misunderstood me. I thought I would have to ask a complex question because I did not see the capabilities of the underlying package manager configuration. This is in part due to questions like these getting close-voted or receiving poor answers, while the actual example here should be more prominent and well known, so people learn to configure their systems better at the root cause of their problem instead of building workarounds. – LiveWireBT Mar 09 '21 at 08:10

1 Answer


I use the entry tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0 in my fstab.

Two problems can occur. First, during apt-get upgrade the updates cannot be installed. I solved the problem by creating a file /etc/apt/apt.conf with the following lines in it:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,defaults,noexec,nosuid /tmp";};

This way apt will remount /tmp with exec temporarily, to be able to execute the updates.

Another issue I realised is that when I needed to run update-initramfs -u manually, it didn't run until I remounted /tmp with exec again:

mount -o remount,exec /tmp

When it finished, I remounted with the default settings again:

mount -o remount,defaults,noexec,nosuid /tmp
Edited by muru. Answered by aFoP.
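The answer above gives the two workarounds (the DPkg::Pre-Invoke/Post-Invoke hook pair, and a manual remount around update-initramfs) but no way to check that /tmp really is noexec, or to run a one-off command without leaving the remount behind if the command fails. The script below is an added example written for this page; it is not aFoP's code and not part of any Ubuntu package. It assumes a Linux system with /proc/self/mounts and util-linux mount(8); every function name in it (has_opt, mount_opts, tmp_is_hardened, exec_allowed, with_exec_tmp) is this example's own. with_exec_tmp needs root, exactly like the apt hooks; the checking functions do not.

```sh
#!/bin/sh
# Added example, not part of aFoP's answer: helpers for a noexec /tmp.
# Assumes Linux with /proc/self/mounts and util-linux mount(8).
# All function names below are this example's own inventions.

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS list contains
# OPT as a whole word (so "noexec" does not match "exec", or vice versa).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTPOINT [MOUNTS_FILE]: print the option field of MOUNTPOINT
# from a /proc/self/mounts-style table (fields: source target fstype options
# dump pass). The last matching line wins, because a mount stacked on top of
# an earlier one is listed after it. Prints nothing if it is not a mount.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "${2:-/proc/self/mounts}"
}

# tmp_is_hardened OPTIONS: succeed if noexec, nosuid and nodev are all set.
tmp_is_hardened() {
    has_opt "$1" noexec && has_opt "$1" nosuid && has_opt "$1" nodev
}

# exec_allowed DIR: succeed if a freshly created script can be executed from
# DIR; returns 126 on a noexec mount. Use it to verify that the fstab change
# took effect after the reboot, and that the noexec flag is back after a
# remount,exec window.
exec_allowed() {
    f=$(mktemp "$1/execcheck.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    "$f" 2>/dev/null
    rc=$?
    rm -f "$f"
    return $rc
}

# with_exec_tmp MOUNTPOINT CMD...: the manual update-initramfs workaround as
# a wrapper. Remounts exec only when needed, runs CMD, and restores noexec
# even if CMD fails. Needs root, like the DPkg::Pre-Invoke/Post-Invoke pair.
with_exec_tmp() {
    mp=$1; shift
    before=$(mount_opts "$mp")
    if ! has_opt "$before" noexec; then
        "$@"                          # already executable: nothing to undo
        return
    fi
    mount -o remount,exec "$mp" || return
    "$@"
    rc=$?
    mount -o remount,noexec "$mp"     # put back the one flag we changed
    return $rc
}

# Run directly: report on the live /tmp (harmless without root).
# As root:  sh tmpcheck.sh run update-initramfs -u
if [ "${1:-}" = "run" ]; then
    shift
    with_exec_tmp /tmp "$@"
else
    live=$(mount_opts /tmp 2>/dev/null)
    if [ -z "$live" ]; then
        echo "/tmp is not a separate mount; it inherits the root filesystem's options"
    elif tmp_is_hardened "$live"; then
        echo "/tmp: $live (noexec, nosuid and nodev all set)"
    else
        echo "/tmp: $live (missing one of noexec, nosuid, nodev)"
    fi
fi
```

The wrapper restores only the noexec flag rather than passing a fixed option list back to mount, so it does not silently drop nodev or a size= limit that happens to be set on the live mount. Note that the DPkg::Pre-Invoke hook in the answer runs before every dpkg invocation and opens the same window: while /tmp is remounted exec, any local user or web-application process can execute from it, so keep that window to the one command that needs it.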