There are many articles about securing /tmp by having it on a separate disk and mounting it noexec.
When this is done (sometimes a datacentre might do it for security), it can cause an issue on Debian.
When apt is preparing to install a package, it will often try to extract package contents to a temporary directory and run the package's config script from there, which a noexec mount blocks.
By default /tmp will be used unless you tell your system otherwise.
So the advice I found in the comments of another article mentioned the following:
APT::ExtractTemplates::TempDir "/var/tmp";
…but where to put it?
Here is how I worked it.
Apt needs telling that you want to use somewhere other than /tmp as the place where it should extract package files during installation.
You want to set this as a permanent setting on your server.
Preferences for how apt should behave on a Debian Lenny system are in /etc/apt/apt.conf.d/, so create a file named 50extracttemplates in that directory that looks like the following:
    APT {
      ExtractTemplates {
        TempDir "/var/local/tmp";
      };
    };
Here I have set it to /var/local/tmp as my datacentre, in order to be super secure 🙂, also sets /var/tmp as noexec.
( Here is a copy of my 50extracttemplates file if you prefer to download rather than copy and paste )
Change what I have in my file to /var/tmp if that is okay for your setup, or if you want to stay with /var/local/tmp then ensure you have created that directory and given it the appropriate permissions.
To help identify where this error/restriction might appear on your system I now give two sample outputs of a package install of bind9. The first illustrates the problem. The second shows different behaviour now that apt is happier extracting things.
Problem:
    The following NEW packages will be installed
      bind9
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B/255kB of archives.
    After this operation, 778kB of additional disk space will be used.
    Preconfiguring packages ...
    Can't exec "/var/tmp/bind9.config.326141": Permission denied at /usr/share/perl/5.10/IPC/Open3.pm line 168.
    open2: exec of /var/tmp/bind9.config.326141 configure failed at /usr/share/perl5/Debconf/ConfModule.pm line 59
    bind9 failed to preconfigure, with exit status 255
…and now with the fix in place…
    The following NEW packages will be installed
      bind9
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B/255kB of archives.
    After this operation, 778kB of additional disk space will be used.
    Preconfiguring packages ...
    Selecting previously deselected package bind9.
which looks a lot healthier.
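A check worth running before settling on a TempDir, as an added example that is not part of the original post: it finds the filesystem holding a directory by longest-prefix match on a /proc/mounts-style table and reports whether that filesystem is mounted noexec. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# mount_opts_for DIR [MOUNTS_FILE]: print "mountpoint options" for the
# filesystem holding DIR, using longest-prefix match on /proc/mounts format.
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            # mp covers dir if it is "/", equals dir, or is a prefix of dir
            # ending on a path-component boundary; later entries win ties.
            if ((mp == "/" || dir == mp || index(dir, mp "/") == 1) &&
                length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec DIR [MOUNTS_FILE]: succeed if DIR's filesystem is mounted noexec.
is_noexec() {
    opts=$(mount_opts_for "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample table mirroring the post: /tmp and /var/tmp are noexec,
# while /var/local/tmp sits on the ordinary /var filesystem.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda7 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0
EOF

for d in /tmp /var/tmp /var/local/tmp; do
    if is_noexec "$d" "$sample"; then
        echo "$d: noexec, unsuitable as TempDir"
    else
        echo "$d: exec allowed"
    fi
done
```

On a real host, omit the second argument so the functions read /proc/mounts.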