[Bug 1791241] Re: If /var/tmp is mounted with noexec the scripts skip the copy of some files

Aurryon social at staraurryon.com
Sun Sep 9 16:57:13 UTC 2018


I now understand your viewpoint. Thanks a lot.

After some research, I found that setting the environment variable
TMPDIR to /tmp did the job for me (the variable is not set with su or
sudo when requesting root privileges):

- In my case, I was following the CIS guide that advises putting only
nosuid,nodev on /tmp. Therefore apt/dpkg worked fine as /tmp is
executable. This choice in fstab seemed good to me as /tmp is cleaned up
at each reboot/shutdown by systemd-tmpfiles-setup.service. For /var/tmp,
nosuid,nodev,noexec also seemed a good option to me as malware can use
this file system for persistence across all users and the folder is
never cleaned up.

- I noticed that mkinitramfs (in the man page) was defaulting to /var/tmp
when TMPDIR was not set. According to the Ubuntu man page this changed from /tmp
to /var/tmp between 14.04 and 16.04. The man page also said it required an
executable filesystem (mea culpa). So I will check the Debian mailing
list to understand this change in a better way.

This message was just to explain to you why I posted this bug report on launchpad.net.
Anyway, have a nice day and keep building a nice distro,

Regards,

Aurryon

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1791241

Title:
  If /var/tmp is mounted with noexec the scripts skip the copy of some
  files

Status in cryptsetup package in Ubuntu:
  Triaged

Bug description:
  Hello,

  Hardening guides (Securing Debian, CIS, etc.) advise mounting
  /dev/tmp with the noexec option. Initramfs hooks are using the
  /usr/bin/test utility to check if a file is executable to manage
  dependencies (if [ ! -x /myfile ]; then) and copy new files. Therefore,
  if /dev/tmp is mounted with noexec, the test utility returns false
  instead of true, which breaks the logic.

  How should we handle this case? Is Ubuntu officially supporting
  hardening (I think so as Debian is doing it)?

  Regards,

  Aurryon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1791241/+subscriptions
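An added example, not part of the bug report and not code from initramfs-tools or cryptsetup: a POSIX sh check that looks up the mount options of the filesystem holding the directory mkinitramfs will use as scratch space (TMPDIR if set, else /var/tmp, as the reply quotes from the man page), flags a noexec mount before the hooks' `test -x` checks silently fail, and points at the TMPDIR workaround. The mount table lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from initramfs-tools): before
# building an initramfs, check whether the scratch directory the hooks will
# use sits on a filesystem mounted noexec, since `test -x` then reports every
# file as non-executable and the hooks' "copy if not present" logic breaks.

# Constructed sample in /proc/self/mounts format
# (source mountpoint fstype options dump pass), so the check runs offline.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Write the constructed sample to a temporary file and print its path.
sample_mounts_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    printf '%s\n' "$f"
}

# Print the mount options of the deepest mountpoint containing directory $1.
# $2 is the mount table to read (defaults to the live /proc/self/mounts).
# Caveat: /proc/self/mounts octal-escapes spaces in paths (\040); such
# mountpoints are not decoded here.
mount_options_for() {
    dir=$1
    table=${2:-/proc/self/mounts}
    best=""
    best_opts=""
    while read -r _src mnt _type opts _rest; do
        # "${mnt%/}/" turns "/" into "/" and "/var/tmp" into "/var/tmp/",
        # so a prefix match on "$dir/" selects only true parent mountpoints.
        case "$dir/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt
                    best_opts=$opts
                fi
                ;;
        esac
    done < "$table"
    printf '%s\n' "$best_opts"
}

# Return 0 if directory $1 lives on a noexec mount (per table $2), 1 otherwise.
is_noexec() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# The scratch directory mkinitramfs uses: TMPDIR if set, else /var/tmp
# (the default the reporter quotes from the Ubuntu man page).
scratch_dir() {
    printf '%s\n' "${TMPDIR:-/var/tmp}"
}

# Print a verdict for directory $1 using table $2; exit 0 = usable, 1 = noexec.
check_scratch_dir() {
    if is_noexec "$1" "$2"; then
        printf '%s is on a noexec mount (%s); hooks relying on test -x will misbehave.\n' \
            "$1" "$(mount_options_for "$1" "$2")"
        printf 'Set TMPDIR to an executable filesystem, e.g. TMPDIR=/tmp update-initramfs -u\n'
        return 1
    fi
    printf '%s is executable; initramfs hooks can run their test -x checks there.\n' "$1"
    return 0
}

# Demonstration against the constructed table (exit status intentionally ignored).
# On a real system, run: check_scratch_dir "$(scratch_dir)"
f=$(sample_mounts_file)
check_scratch_dir /var/tmp "$f" || :
check_scratch_dir /tmp "$f" || :
rm -f "$f"
```

Against the constructed table the first call reports /var/tmp as noexec and the second reports /tmp as usable; run without the second argument, the functions read the live /proc/self/mounts, so the check can be placed in a wrapper around update-initramfs on hardened hosts.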
