Debian Bug report logs - #995793
exim4-base: /tmp partition has noexec mount option; exim4-base fails


Package: apt; Maintainer for apt is APT Development Team <[email protected]>; Source for apt is src:apt (PTS, buildd, popcon).

Reported by: Steve Egbert <[email protected]>

Date: Tue, 5 Oct 2021 19:27:01 UTC

Severity: normal

Merged with 546911

Found in versions apt/1.8.1, apt/0.7.23.1



Report forwarded to [email protected], [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 19:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Egbert <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 19:27:03 GMT) (full text, mbox, link).


Message #5 received at [email protected] (full text, mbox, reply):

From: Steve Egbert <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: exim4-base: /tmp partition has noexec mount option; exim4-base fails
Date: Tue, 05 Oct 2021 15:22:56 -0400
Package: exim4-base
Version: 4.94.2-7
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Tried to install 'exim4-base' after its most recent update and failed.


Implemented a rough draft of CIS Security Debian 11.

The portion about /tmp mount partition having that 'noexec' mount
option.

Well, we will not be able to install exim4-base package anymore 
if this hardening effort continues.

Besides, who is still trying to execute a script in the /tmp directory?

Correct action is to do 'bash /tmp/your-script' or 'perl
/tmp/your-script'.

Not to execute directly from '/tmp/your-script'.

Best action is not to execute that script directly in /tmp.



-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.46 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 19:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to S Egbert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 19:51:02 GMT) (full text, mbox, link).


Message #10 received at [email protected] (full text, mbox, reply):

From: S Egbert <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Cc: Debian Bug Tracking System <[email protected]>
Subject: Re: Bug#995793: exim4-base: /tmp partition has noexec mount option; exim4-base fails
Date: Tue, 5 Oct 2021 15:49:58 -0400
WORKAROUND
Remove the “noexec” from /tmp mount point options in /etc/fstab, reboot, then attempt ‘apt upgrade exim4-base’ so that Perl script for ‘exam-config’ can continue.

OUTPUT of failed upgrade:

~# apt upgrade exim4-base
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libevent-core-2.1-7 libevent-pthreads-2.1-7 libopts25 sntp
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  exim4-base exim4-config tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
8 not fully installed or removed.
Need to get 0 B/1,906 kB of archives.
After this operation, 2,784 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
Can't exec "/tmp/tzdata.config.jtoGAt": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.
open2: exec of /tmp/tzdata.config.jtoGAt configure 2021a-1 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
(Reading database ... 181409 files and directories currently installed.)
Preparing to unpack .../tzdata_2021a-1+deb11u1_all.deb ...
Unpacking tzdata (2021a-1+deb11u1) over (2021a-1) ...
dpkg (subprocess): unable to execute old tzdata package post-removal script (/var/lib/dpkg/info/tzdata.postrm): Permission denied
dpkg: warning: old tzdata package post-removal script subprocess returned error exit status 2
dpkg: trying script from the new package instead ...
dpkg (subprocess): unable to execute new tzdata package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error processing archive /var/cache/apt/archives/tzdata_2021a-1+deb11u1_all.deb (--unpack):
 new tzdata package post-removal script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new tzdata package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new tzdata package post-removal script subprocess returned error exit status 2
Preparing to unpack .../exim4-config_4.94.2-7_all.deb ...
dpkg (subprocess): unable to execute new exim4-config package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): Permission denied
dpkg: error processing archive /var/cache/apt/archives/exim4-config_4.94.2-7_all.deb (--unpack):
 new exim4-config package pre-installation script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new exim4-config package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new exim4-config package post-removal script subprocess returned error exit status 2
Preparing to unpack .../exim4-base_4.94.2-7_amd64.deb ...
dpkg (subprocess): unable to execute new exim4-base package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): Permission denied
dpkg: error processing archive /var/cache/apt/archives/exim4-base_4.94.2-7_amd64.deb (--unpack):
 new exim4-base package pre-installation script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new exim4-base package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new exim4-base package post-removal script subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/tzdata_2021a-1+deb11u1_all.deb
 /var/cache/apt/archives/exim4-config_4.94.2-7_all.deb
 /var/cache/apt/archives/exim4-base_4.94.2-7_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@circa:~# exit
exit

Script done on 2021-10-05 15:48:17-04:00 [COMMAND_EXIT_CODE="100"]




Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 19:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to S Egbert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 19:51:03 GMT) (full text, mbox, link).


Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 20:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to S Egbert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 20:00:03 GMT) (full text, mbox, link).


Message #20 received at [email protected] (full text, mbox, reply):

From: S Egbert <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Cc: Debian Bug Tracking System <[email protected]>
Subject: Re: Bug#995793: exim4-base: /tmp partition has noexec mount option; exim4-base fails
Date: Tue, 5 Oct 2021 15:57:15 -0400
Workaround of removing ‘noexec’ from /tmp partition in /etc/fstab still doesn’t work.

00 [TERM="linux" TTY="/dev/tty1" COLUMNS="80" LINES="25"]
root@circa:~# apt upgrade exim4-base
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libevent-core-2.1-7 libevent-pthreads-2.1-7 libopts25 sntp
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  exim4-base exim4-config tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
8 not fully installed or removed.
Need to get 0 B/1,906 kB of archives.
After this operation, 2,784 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 181409 files and directories currently installed.)
Preparing to unpack .../tzdata_2021a-1+deb11u1_all.deb ...
Unpacking tzdata (2021a-1+deb11u1) over (2021a-1) ...
dpkg (subprocess): unable to execute old tzdata package post-removal script (/var/lib/dpkg/info/tzdata.postrm): Permission denied
dpkg: warning: old tzdata package post-removal script subprocess returned error exit status 2
dpkg: trying script from the new package instead ...
dpkg (subprocess): unable to execute new tzdata package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error processing archive /var/cache/apt/archives/tzdata_2021a-1+deb11u1_all.deb (--unpack):
 new tzdata package post-removal script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new tzdata package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new tzdata package post-removal script subprocess returned error exit status 2
Preparing to unpack .../exim4-config_4.94.2-7_all.deb ...
dpkg (subprocess): unable to execute new exim4-config package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): Permission denied
dpkg: error processing archive /var/cache/apt/archives/exim4-config_4.94.2-7_all.deb (--unpack):
 new exim4-config package pre-installation script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new exim4-config package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new exim4-config package post-removal script subprocess returned error exit status 2
Preparing to unpack .../exim4-base_4.94.2-7_amd64.deb ...
dpkg (subprocess): unable to execute new exim4-base package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): Permission denied
dpkg: error processing archive /var/cache/apt/archives/exim4-base_4.94.2-7_amd64.deb (--unpack):
 new exim4-base package pre-installation script subprocess returned error exit status 2
dpkg (subprocess): unable to execute new exim4-base package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
dpkg: error while cleaning up:
 new exim4-base package post-removal script subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/tzdata_2021a-1+deb11u1_all.deb
 /var/cache/apt/archives/exim4-config_4.94.2-7_all.deb
 /var/cache/apt/archives/exim4-base_4.94.2-7_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@circa:~# exit
exit

Script done on 2021-10-05 15:53:17-04:00 [COMMAND_EXIT_CODE="100"]

I still have “nosuid” and “nodev” mount options left but I won’t remove that.



Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 20:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to S Egbert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 20:00:04 GMT) (full text, mbox, link).


Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Tue, 05 Oct 2021 20:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to S Egbert <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Tue, 05 Oct 2021 20:09:08 GMT) (full text, mbox, link).


Message #30 received at [email protected] (full text, mbox, reply):

From: S Egbert <[email protected]>
To: [email protected]
Subject: Re: Bug#995793: Info received (Bug#995793: exim4-base: /tmp partition has noexec mount option; exim4-base fails)
Date: Tue, 5 Oct 2021 16:07:05 -0400
Actual workaround is to remove ‘noexec’ from both /tmp and /var. Tested it working without ‘noexec’ mount options on ‘apt upgrade exim4-base’ to version ‘4.94.2-7’.

This makes it like a major work-stoppage of dealing with 1,000s of those hardened Debian systems. 





Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Wed, 06 Oct 2021 12:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Marc Haber <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Wed, 06 Oct 2021 12:09:02 GMT) (full text, mbox, link).


Message #35 received at [email protected] (full text, mbox, reply):

From: Marc Haber <[email protected]>
To: S Egbert <[email protected]>, [email protected]
Subject: Re: Bug#995793: exim4-base: /tmp partition has noexec mount option; exim4-base fails
Date: Wed, 6 Oct 2021 14:08:13 +0200
On Tue, Oct 05, 2021 at 03:49:58PM -0400, S Egbert wrote:
> Can't exec "/tmp/tzdata.config.jtoGAt": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178.

This is most obviously not a script that comes from the exim4 package.
Consider talking to the tzdata maintainers instead.

> dpkg (subprocess): unable to execute old tzdata package post-removal script (/var/lib/dpkg/info/tzdata.postrm): Permission denied
> dpkg: warning: old tzdata package post-removal script subprocess returned error exit status 2
> dpkg: trying script from the new package instead ...
> dpkg (subprocess): unable to execute new tzdata package post-removal script (/var/lib/dpkg/tmp.ci/postrm): Permission denied
> dpkg: error processing archive /var/cache/apt/archives/tzdata_2021a-1+deb11u1_all.deb (--unpack):
>  new tzdata package post-removal script subprocess returned error exit status 2

This looks like dpkg is trying to execute maintainer scripts. It
obviously does that inside /var/lib/dpkg/info. This is nothing that
exim4 can do anything about. Consider talking to the dpkg maintainers
instead.

> dpkg (subprocess): unable to execute new exim4-config package pre-installation script (/var/lib/dpkg/tmp.ci/preinst): Permission denied
> dpkg: error processing archive /var/cache/apt/archives/exim4-config_4.94.2-7_all.deb (--unpack):
>  new exim4-config package pre-installation script subprocess returned error exit status 2

Same thing here.

I intend to close this bug report by the end of this week unless
somebody has convinced me that there is anything that the exim4
package can do about it.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Information forwarded to [email protected], Exim4 Maintainers <[email protected]>:
Bug#995793; Package exim4-base. (Wed, 06 Oct 2021 17:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <[email protected]>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <[email protected]>. (Wed, 06 Oct 2021 17:12:03 GMT) (full text, mbox, link).


Message #40 received at [email protected] (full text, mbox, reply):

From: Andreas Metzler <[email protected]>
To: S Egbert <[email protected]>, [email protected]
Subject: Re: Bug#995793: Info received (Bug#995793: exim4-base: /tmp partition has noexec mount option; exim4-base fails)
Date: Wed, 6 Oct 2021 19:09:02 +0200
Control: severity -1 normal
Control: reassign -1 apt
Control: forcemerge 546911 995793

On 2021-10-05 S Egbert <[email protected]> wrote:
> Actual workaround is to remove ‘noexec’ from both /tmp and /var.
> Tested it working without ‘noexec’ mount options on ‘apt upgrade
> exim4-base’ to version ‘4.94.2-7’

> This makes it like a major work-stoppage of dealing with 1,000s of
> those hardened Debian systems. 
[...]

Hello,

Mounting /var noexec is not supported. For noexec /tmp you will need to
point APT::ExtractTemplates::TempDir to a directory which is not
located on a noexec mount.

cu Andreas
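
The setting named in the reply above, together with a check for the condition that breaks it, as an added example that is not part of the original thread or of apt itself. The mount table is constructed to mirror the reporter's description (noexec on /tmp and /var); the function names and the directory /opt/apt-extract-tmp are assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fstype, options, ...).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts_for PATH [MOUNT_TABLE]
# Print the options of the mount holding PATH: the longest mount point that
# is PATH itself or a parent directory of it; later entries shadow earlier ones.
# Without MOUNT_TABLE the live /proc/mounts is read. Mount points containing
# spaces (escaped as \040 in /proc/mounts) are not handled.
mount_opts_for() {
    path=$1
    table=${2-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH [MOUNT_TABLE]: succeeds if PATH lives on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# apt_tempdir_conf DIR [MOUNT_TABLE]
# Print an apt.conf.d line pointing APT::ExtractTemplates::TempDir at DIR,
# refusing when DIR is itself on a noexec mount (the failure in this report).
apt_tempdir_conf() {
    if is_noexec "$@"; then
        echo "refusing: $1 is on a noexec mount" >&2
        return 1
    fi
    printf 'APT::ExtractTemplates::TempDir "%s";\n' "$1"
}

# Demo on the constructed table: /tmp is where the debconf config script
# was extracted, /var/lib/dpkg is where dpkg runs maintainer scripts.
for d in /tmp /var/lib/dpkg /opt/apt-extract-tmp; do
    if is_noexec "$d" "$SAMPLE_MOUNTS"; then
        echo "$d: noexec"
    else
        echo "$d: exec allowed"
    fi
done

# Hypothetical target directory; create it root-owned with mode 0700 so that
# no other user can place files where root will execute extracted scripts.
apt_tempdir_conf /opt/apt-extract-tmp "$SAMPLE_MOUNTS"
```

The printed line belongs in a file under /etc/apt/apt.conf.d/. A noexec result for /var/lib/dpkg has no apt-side fix, since the reply states that a noexec /var is not supported.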




Severity set to 'normal' from 'grave' Request was from Andreas Metzler <[email protected]> to [email protected]. (Wed, 06 Oct 2021 17:12:03 GMT) (full text, mbox, link).


Bug reassigned from package 'exim4-base' to 'apt'. Request was from Andreas Metzler <[email protected]> to [email protected]. (Wed, 06 Oct 2021 17:12:04 GMT) (full text, mbox, link).


No longer marked as found in versions exim4/4.94.2-7. Request was from Andreas Metzler <[email protected]> to [email protected]. (Wed, 06 Oct 2021 17:12:04 GMT) (full text, mbox, link).


Marked as found in versions apt/0.7.23.1 and apt/1.8.1. Request was from Andreas Metzler <[email protected]> to [email protected]. (Wed, 06 Oct 2021 17:12:05 GMT) (full text, mbox, link).


Merged 546911 995793 Request was from Andreas Metzler <[email protected]> to [email protected]. (Wed, 06 Oct 2021 17:12:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 08:44:06 2025; Machine Name: buxtehude
