W: TMPDIR is Mounted noexec, Will Not Cache Run Scripts Error and Solution

I mount /tmp with the nodev, nosuid, and noexec options to increase the security of my Linux-based web server. Whenever I run the apt-get install or apt-get upgrade command, I get the following error:

apt-get install linux-generic linux-headers-generic linux-image-generic

…..

….

..

Generating grub.cfg …

Found linux image: /boot/vmlinuz-3.2.0-43-generic

Found initrd image: /boot/initrd.img-3.2.0-43-generic

….

ldconfig deferred processing now taking place

Processing triggers for initramfs-tools …

update-initramfs: Generating /boot/initrd.img-3.2.0-43-generic

W: TMPDIR is mounted noexec, will not cache run scripts.

….

How do I fix this problem without compromising security of the data or web-server?

 

You can make /tmp non-executable by setting the following flags in the /etc/fstab file:

noexec – Do not allow direct execution of any binaries or scripts on the mounted filesystem at /tmp.

nosuid – Do not allow SUID or SGID bits to take effect.

nodev – Do not interpret character or block special devices on the file system.

These flags safeguard your server against various attacks. However, the apt-get upgrade command may then fail with the following message:

W: TMPDIR is mounted noexec, will not cache run scripts.

 

The apt-get command places scripts in /tmp, and those scripts cannot execute because of the noexec flag on /tmp. To fix the problem, edit or create the file /etc/apt/apt.conf, enter:

# vi /etc/apt/apt.conf

 

OR

$ sudo vi /etc/apt/apt.conf

 

Add the following lines:

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};

DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

Save and close the file. apt.conf is the main configuration file for the APT suite of tools. The commands are invoked in order using /bin/sh; should any fail, APT will abort. Where,

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";}; – This is a list of shell commands to run before the dpkg command. In this example, it removes the noexec flag from /tmp so that scripts can be executed.

DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";}; – This is a list of shell commands to run after dpkg. In this example, it sets noexec and the other security flags on /tmp again.

How do I reinstall and re-execute packages again?

Once you have applied the solution as described above, you can reinstall the packages as follows to run the scripts:

$ sudo apt-get --reinstall install linux-generic linux-headers-generic linux-image-generic

 

In this example,

First, apt-get runs the mount -o remount,exec /tmp command, as defined in apt.conf, to relax the permissions on /tmp.

Next, your actual apt-get/dpkg command is executed to reinstall the kernel packages.

Finally, apt-get runs the mount -o remount,rw,noexec,nosuid,nodev /tmp command to secure /tmp again.
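
To confirm that the Post-Invoke hook really put the flags back after an apt-get run, read the options from /proc/mounts. The check below is an added example, not part of the original article; the function name missing_mount_opts and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check that a mount point
# carries noexec, nosuid and nodev. Input is any file in /proc/mounts format.

# missing_mount_opts MOUNTS_FILE MOUNT_POINT   (hypothetical helper name)
# Prints the required options that are absent, space separated.
# Returns 0 if none are missing, 1 if some are, 2 if the mount point is absent.
missing_mount_opts() {
    # Field 2 is the mount point, field 4 the comma-separated options.
    # Keep the last match: a later mount shadows an earlier one.
    opts=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    [ -n "$opts" ] || return 2
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample lines: /tmp inside the Pre-Invoke window (exec allowed)
# and /tmp after the Post-Invoke remount has run.
sample_during_dpkg() {
    printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'
}
sample_after_dpkg() {
    printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
}

# Live check, e.g. right after an apt-get run; skipped without /proc/mounts.
if [ -r /proc/mounts ]; then
    if bad=$(missing_mount_opts /proc/mounts /tmp); then
        echo "/tmp: noexec,nosuid,nodev all set"
    else
        echo "/tmp: not hardened or not a separate mount (missing: ${bad:-n/a})"
    fi
fi
```

A non-zero result after package operations have finished means /tmp is still executable and the Post-Invoke remount should be run by hand.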

See also

Man pages – apt.conf(5), apt-get(8), dpkg(1)

 

 
