[Bug 1791241] Re: If /var/tmp is mounted with noexec the scripts skip the copy of some files

Steve Langasek steve.langasek at canonical.com
Fri Sep 7 21:13:50 UTC 2018 

It is reasonable to request that these hooks use -e instead of -x for
maximum compatibility.  However:

> Is ubuntu officially supporting hardening (I think so as Debian is
doing it)?

No.  The existence of third-party "hardening" guides does not translate
to Ubuntu supporting this configuration.  dpkg itself relies
*extensively* on the ability to execute scripts from /tmp, as described
at <https://askubuntu.com/questions/574259/will-mounting-tmp-with-
noexec-and-nosuid-cause-problems>.

You mention the Securing Debian HOWTO, which does not say that this is recommended or mandatory for securing a system, and specifically calls out problems with noexec /tmp and the package manager. 
 https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10  (The linked bug is closed with a recommended workaround.  If you were using that workaround, you would not be having problems with cryptsetup's hooks, since initramfs-tools also respects TMPDIR.)

And these hooks come from Debian as-is.  So this is no more supported by
the cryptsetup package in Debian than it is in Ubuntu.

** Changed in: cryptsetup (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: cryptsetup (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1791241

Title:
  If /var/tmp is mounted with noexec the scripts skip the copy of some
  files

Status in cryptsetup package in Ubuntu:
  Triaged

Bug description:
  Hello,

  Hardening guides (Securing Debian, CIS, etc...) advise to mount
  /dev/tmp with the noexec option. Initramfs hooks are using the
  /usr/bin/test utility to check if a file is executable to manage
  dependencies (if [! -x /myfile]; then) and copy new files. Therefore,
  if /dev/tmp is mounted with noexec, the test utility return false
  instead of true which breaks the logic.

  How should we handle this case? Is ubuntu officially supporting
  hardening (I think so as Debian is doing it)?

  Regards,

  Aurryon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1791241/+subscriptions

More information about the foundations-bugs mailing list