There are many articles about securing /tmp by having it on a separate disk and mounting it noexec.

When this is done (sometimes a datacentre might do it for security), it can cause an issue on Debian.

When apt is preparing to install, it will often try to extract package contents to a temporary directory.

By default /tmp will be used unless you tell your system otherwise.

So the advice I found in the comments of another article mentioned the following:

APT::ExtractTemplates::TempDir "/var/tmp";

…but where to put it?

Here is how I worked it.

Apt needs telling that you want to use somewhere other than /tmp as the place where it should extract package files during installation.

You want to set this as a permanent setting on your server.

Preferences for how apt should behave on a Debian Lenny system are in /etc/apt/apt.conf.d/, so create a file named 50extracttemplates in that directory that looks like the following:

APT
{
  ExtractTemplates
  {
    TempDir "/var/local/tmp";
  };
};

Here I have set it to /var/local/tmp because my datacentre, in order to be super secure :), also sets /var/tmp as noexec.

( Here is a copy of my 50extracttemplates file if you prefer to download rather than copy and paste )

Change what I have in my file to /var/tmp if that is okay for your setup, or if you want to stay with /var/local/tmp then ensure you have created that directory and given it the appropriate permissions.
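Before choosing between /var/tmp and /var/local/tmp, it helps to confirm which filesystem each directory lives on and whether that mount carries noexec. The following is an added example, not part of the original post: the function names and the sample mount table are constructed for illustration, and it assumes a mount table in /proc/mounts format.

```shell
#!/bin/sh
# Added example. Mount tables are read in /proc/mounts format:
#   device mountpoint fstype options dump pass
# (Mount points containing spaces, escaped as \040 there, are not handled.)

# Print the mount options of the filesystem that contains directory $1.
# $2 is the mount table to read (defaults to /proc/mounts).
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            # mp contains dir if it is "/", equals dir, or is a path prefix of it.
            # The longest match wins; on a tie the later (shadowing) mount wins.
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Exit 0 if the filesystem containing $1 is mounted noexec, 1 otherwise.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report whether $1 is usable as APT::ExtractTemplates::TempDir.
check_tempdir() {
    if is_noexec "$1" "$2"; then
        echo "$1: noexec, debconf preconfigure scripts cannot run here"
    else
        echo "$1: exec allowed, usable as APT::ExtractTemplates::TempDir"
    fi
}

# Constructed sample mount table (not from the post's server):
# /tmp and /var/tmp are noexec, /var itself is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda7 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0
EOF
}

# On a live system: check_tempdir /var/local/tmp
```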

To help identify where this error/restriction might appear on your system I now give two sample outputs of a package install of bind9. The first illustrates the problem. The second shows different behaviour now that apt is happier extracting things.

Problem:

The following NEW packages will be installed
  bind9
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/255kB of archives.
After this operation, 778kB of additional disk space will be used.
Preconfiguring packages ...
Can't exec "/var/tmp/bind9.config.326141": Permission denied at /usr/share/perl/5.10/IPC/Open3.pm line 168.
open2: exec of /var/tmp/bind9.config.326141 configure  failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
bind9 failed to preconfigure, with exit status 255

…and now with the fix in place…

The following NEW packages will be installed
  bind9
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/255kB of archives.
After this operation, 778kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package bind9.

which looks a lot healthier.
