Score:1

Install packages on systems with secured /tmp and /var (noexec)


I have a group of Ubuntu servers that need to be secured to the DISA (or USGCB) baseline. Part of that process is to set the /tmp and /var mounts to noexec and nosuid.

It looks like once I do that, the apt installer tries to run programs from /tmp and /var and gets access denied errors.

What is the best way to configure apt to use some other directory for installing new and updated packages?

Score:0

Move the apt cache

Make the new directory (and a partial directory within):

mkdir -p /my/new/cache/partial

And then add the below line referencing that directory in either:

  1. a new config file in /etc/apt/apt.conf.d/ or

  2. The old /etc/apt/apt.conf file (which you will most likely have to create)

Dir::Cache::Archives "/my/new/cache";

Move /var/lib/dpkg

Prepare the new directory:

mkdir -p /my/new/varlibdpkg
sudo cp -r --preserve /var/lib/dpkg/* /my/new/varlibdpkg/

Set the following in /etc/dpkg/dpkg.cfg:

admindir=/my/new/varlibdpkg

Add the following line to /etc/apt/apt.conf

Dir::State::status "/my/new/varlibdpkg/status";

Note: One could technically remount /var/lib/dpkg/ instead of moving the directory.

Remount or move /tmp

A package requiring an executable /tmp is arguably a bug that you'll have to work around. To do that, you have two options:

1. Remount /tmp (just when dpkg runs)

Add these lines to whichever apt conf file you decided to use:

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

2. Move /tmp (just for apt)

Create a new temp directory and add the following line to whichever apt conf file you decided to use:

APT::ExtractTemplates::TempDir "/my/new/tmp";

Additional notes:

Check values with apt-config:

  • apt-config shell archivesDir Dir::Cache::Archives
  • apt-config shell AdminDir Dir::State::status
  • apt-config shell tmpdir APT::ExtractTemplates::TempDir (No result by default)
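The two halves of the answer above (verify that /tmp and /var really carry noexec,nosuid, then give dpkg a way to run maintainer scripts anyway) can be checked from a shell without touching the live system. The script below is an added example and is not part of the answer or of apt itself. It parses a /proc/self/mounts-style listing (a constructed sample is embedded so it runs offline; pass nothing to read the real file) and emits an apt.conf.d snippet. The snippet uses the DPkg::Pre-Invoke and DPkg::Post-Invoke hooks, which apt documents alongside the DPkg::Pre-Install-Pkgs hook the answer uses; restoring noexec,nosuid,nodev explicitly in the Post-Invoke hook is this example's choice, so the hardened state does not depend on what /etc/fstab happens to say.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format: device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,relatime 0 0'

# mount_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints the option string of MOUNTPOINT; reads /proc/self/mounts when no text is given.
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/self/mounts)}" |
        awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_opt OPTION OPTS -> exit status 0 if OPTION appears in the comma-separated OPTS
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_mount MOUNTPOINT [MOUNTS_TEXT]
# Prints "hardened", "missing: <opts>" or "not-mounted" for the baseline options noexec and nosuid.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { printf 'not-mounted\n'; return 0; }
    missing=""
    for o in noexec nosuid; do
        has_opt "$o" "$opts" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        printf 'hardened\n'
    else
        printf 'missing:%s\n' "$missing"
    fi
}

# apt_remount_snippet
# Emits apt.conf.d content that lifts noexec on /tmp only while dpkg runs and
# then restores the hardened options explicitly (hypothetical file name: 99-tmp-remount).
apt_remount_snippet() {
    cat <<'EOF'
// Lift noexec on /tmp for the duration of a dpkg run.
DPkg::Pre-Invoke  { "mount -o remount,exec /tmp"; };
// Restore the hardened options explicitly rather than relying on fstab defaults.
DPkg::Post-Invoke { "mount -o remount,noexec,nosuid,nodev /tmp"; };
EOF
}

# Run with --report to audit the live system; with --snippet to print the apt hook config.
case "${1:-}" in
    --report)
        for m in /tmp /var; do
            printf '%s: %s\n' "$m" "$(check_mount "$m")"
        done ;;
    --snippet)
        apt_remount_snippet ;;
esac
```

After installing the snippet, `apt-config dump | grep DPkg::` shows whether apt picked it up, and `check_mount /tmp` run after a package installation confirms the Post-Invoke hook put noexec back.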
ZappedC64:
Moving the aptcache seems to have worked. I see the downloaded deb files in the new cache folder. I took option two to move temp for apt. That part doesn't seem to work. These are the errors I see: 'dpkg (subprocess): unable to execute old python3-future package pre-removal script (/var/lib/dpkg/info/python3-future.prerm): Permission denied dpkg: warning: old python3-future package pre-removal script subprocess returned error exit status 2'
DynamicBits:
Could you add the full output from your attempt to install that package to the original question (so it's formatted)?
ZappedC64:
Unfortunately a mod named Thomas Ward deleted my reply with the formatting. I'm not sure why. From what I can tell, it looks like dpkg is getting hung up on trying to execute in '/var/lib/dpkg/info'. Maybe I need to relocate '/var/lib/dpkg/info' or have dpkg use some other directory for its work?
DynamicBits:
I completely overlooked /var/lib/dpkg/ in my initial answer. See my new edit. Also, now that I've looked over everything again, I am not convinced the apt cache needs to be moved in your situation.
ZappedC64:
I think that we are almost there. Getting an error after running 'apt update': 'Reading package lists... Error! E: Read error - read (21: Is a directory) E: The package lists or status file could not be parsed or opened.'
DynamicBits:
Oops! Remove /my/new/varlibdpkg/status/ - It should not be a directory. Make sure to copy the original file (/var/lib/dpkg/status) in its place since it was not copied before.
ZappedC64:
That fixed it! I'm surprised Ubuntu doesn't have this in their FAQ or some sort of security guide. The process is much simpler with RHEL. Thank you again for your help.