Re: Errors installing/updating postgresql when /tmp has noexec
From | Christoph Berg |
---|---|
Subject | Re: Errors installing/updating postgresql when /tmp has noexec |
Date | |
Msg-id | Z_WDm8-krB51RErD@msg.df7cb.de |
In response to | Re: Errors installing/updating postgresql when /tmp has noexec (Don Seiler <don@seiler.us>) |
List | pgsql-pkg-debian |
Re: Don Seiler
> > Preconfiguring packages ...
> > Can't exec "/tmp/postgresql-15.config.rOsJHJ": Permission denied at
> > /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178. open2: exec of
> > /tmp/postgresql-15.config.rOsJHJ configure 15.8-1.pgdg22.04+1 failed:
> > Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is failing in debconf, a standard Debian tool.

> > However, I'm wondering if this is something that's better changed in the
> > packaging. Setting noexec on /tmp (and /var) is a standard CIS/DISA
> > security requirement now.

TBH, I doubt that it is standard practice because this change will make any
debconf-using package explode on installation. If at all, it's optional extra
hardening above standard where extra configuration steps are expected.

> For what it's worth, setting this apt config to specify a non-/tmp path
> works around the problem:
>
> $ cat /etc/apt/apt.conf.d/99tempdir.conf
> APT::ExtractTemplates::TempDir "/some/other/tmp";

You will have to include this workaround on all machines.

> However it seems like we still shouldn't be trying to exec from /tmp by
> default either. In the meantime we'll see how best to quickly deploy this
> workaround to our fleet of machines.

If you want to get this supported by default, work with Debian and/or Ubuntu
to get debconf updated. But this won't fix your 22.04 Ubuntu.

Christoph
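
An added example, not part of the message above or of any Debian/PostgreSQL tooling: a shell check for auditing whether a host with a noexec /tmp has the `APT::ExtractTemplates::TempDir` workaround pointing at an exec-capable filesystem. The function names are hypothetical, the sample mount table is constructed, and /tmp as the fallback directory is an assumption taken from the error output.

```shell
#!/bin/sh
# Added example: will debconf preconfiguration be able to exec its config scripts?
# File locations are parameters so the logic runs against constructed input.

# Print mount options of the filesystem holding path $1, read from a
# /proc/mounts-format file $2. The longest matching mount point wins.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); opts = $4 } }
        END { print opts }' "$2"
}

# Succeed if the filesystem holding $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print APT::ExtractTemplates::TempDir as set in apt.conf.d directory $1
# (flat 'Key "value";' syntax only; last file in glob order wins).
# Falls back to /tmp, the location seen in the error output (assumed default).
apt_tempdir() {
    at_val=$(cat "$1"/* 2>/dev/null |
        sed -n 's/^[[:space:]]*APT::ExtractTemplates::TempDir[[:space:]]*"\(.*\)";.*/\1/p' |
        tail -n 1)
    echo "${at_val:-/tmp}"
}

# $1 = mounts file, $2 = apt.conf.d dir. Prints "ok <dir>" or "noexec <dir>";
# a non-zero status marks a host where package preconfiguration would fail.
check_preconfigure() {
    cp_dir=$(apt_tempdir "$2")
    if is_noexec "$cp_dir" "$1"; then
        echo "noexec $cp_dir"; return 1
    fi
    echo "ok $cp_dir"
}

# Constructed sample in scratch dir $1: /tmp is noexec, / is not.
make_sample() {
    mkdir -p "$1/apt.conf.d"
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' > "$1/mounts"
}
```

On a real host the call would be `check_preconfigure /proc/mounts /etc/apt/apt.conf.d`; the configured directory must also exist and be writable by root, which this check does not verify.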