You are not logged in.
- Topics: Active | Unanswered
#1 2010-11-30 09:34:32
- Fruity
- Member
- Registered: 2009-12-16
- Posts: 198
Does pacman ever have to execute scripts etc from /tmp
I read in another thread about setting noexec on /tmp as being a small step in making systems more secure. But if I do this (and nosuid?) Might it cause problems, for example with pacman or yaourt. Can anyone think of a reason not to noexec,nosuid on /tmp?
Offline
#2 2010-11-30 11:00:34
- Allan
- Pacman
- From: Brisbane, AU
- Registered: 2007-06-09
- Posts: 11,672
- Website
Re: Does pacman ever have to execute scripts etc from /tmp
pacman should be fine. But I thought yaourt builds in /tmp (never used it so I may be wrong...).
Offline
#3 2010-11-30 11:44:45
- dyscoria
- Member
- Registered: 2008-01-10
- Posts: 1,007
Re: Does pacman ever have to execute scripts etc from /tmp
I have both /tmp and /var mounted noexec,nodev,nosuid.
Compilling some packages (e.g.ffmpeg) require /tmp to be remount exec (mount -o remount,exec /tmp) but normal usage shouldn't be affected.
Mount /dev/shm and /home noexec too if you want to further increase security.
Last edited by dyscoria (2010-11-30 11:44:58)
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
Offline
#4 2010-11-30 18:23:33
- Mr.Elendig
- #archlinux@freenode channel op
- From: The intertubes
- Registered: 2004-11-07
- Posts: 4,097
Re: Does pacman ever have to execute scripts etc from /tmp
Just build in $HOME instead of in /tmp
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
Offline
#5 2010-11-30 21:16:47
- dyscoria
- Member
- Registered: 2008-01-10
- Posts: 1,007
Re: Does pacman ever have to execute scripts etc from /tmp
Just build in $HOME instead of in /tmp
ffmpeg and qemu and maybe other packages execute scripts in /tmp no matter where you compile.
And my $HOME is actually mounted noexec anyways 
I mount a tmpfs with exec only when I need to compile stuff so most of my partitions can be mounted noexec for most/all of the time (/tmp /home /var /dev/shm).
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
Offline
#6 2010-12-01 16:31:49
- Leonid.I
- Member
- From: Aethyr
- Registered: 2009-03-22
- Posts: 999
Re: Does pacman ever have to execute scripts etc from /tmp
qemu and maybe other packages execute scripts in /tmp no matter where you compile.
can you elaborate on this?
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
#7 2010-12-01 21:22:44
- dyscoria
- Member
- Registered: 2008-01-10
- Posts: 1,007
Re: Does pacman ever have to execute scripts etc from /tmp
dyscoria wrote:qemu and maybe other packages execute scripts in /tmp no matter where you compile.
can you elaborate on this?
mount /tmp noexec and then try to compile ffmpeg from abs (/var/abs/extra/ffmpeg). Last time I checked, it dies with error message.
I'm not really sure what's happening with qemu. It copies scripts to /tmp and then fails to run them, but then carries on compiling anyway and completes successfully, but don't know if it breaks something. Probably does, didn't test.
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
Offline