Gentoo Forums

[SOLVED] emerge: can not execute files in /var/tmp
egberts
Guru
Joined: 04 Nov 2003
Posts: 357
Location: Dimmed Cathode Ray Tube

PostPosted: Sat Oct 01, 2022 5:41 pm    Post subject: [SOLVED] emerge: can not execute files in /var/tmp

I attempted the first boot after a stage 3 installation from the Gentoo 2022 Live CD.

And got this error after root login:

Code:
# emerge media-fonts/terminum-font
...
>>> Emerging (1 of 3) x11-base/xorg-proto-2022.1::gentoo
Can not execute files in /var/tmp
Likely cause is that you've mounted it with one of the
foiillowing mount options: 'noexecv', 'usr', 'users'

Please make sure that portage can execute files in this directory


Because of increasing security concerns, /var/tmp is getting locked down across enterprises by mounting it with the noexec option, so executables are not supported there. Even STIG rule SV-230521r627750_rule says so.

My /etc/fstab is:

Code:

/dev/sda1                /boot  vfat              noauto,rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 1 1
/dev/sda2                swap   swap              defaults,sw 0 0
/dev/sda3                /root  ext4              defaults,noatime,errors=remount-ro,rw 0 1

/dev/mapper/vg_os-lv_tmp  /tmp ext4 defaults,nosuid,nodev,rw,relatime  0 2
/dev/mapper/vg_os-lv_usr  /usr ext4 defaults,nodev,rw,relatime  0 2
/dev/mapper/vg_os-lv_var  /var ext4 defaults,nosuid,nodev,rw,relatime  0 2
/dev/mapper/vg_os-lv_var_tmp  /var/tmp  ext4  defaults,noexec,nosuid,nodev,rw,relatime  0 2
/dev/mapper/vg_log-lv_var_log  /var/log  ext4  defaults,noexec,nosuid,nodev,rw,relatime  0 3
/dev/mapper/vg_log-lv_var_log_audit  /var/log/audit ext4 defaults,noexec,nosuid,nodev,fmask=0022,dmask=0022,rw,relatime  0 4
/dev/mapper/vg_os-lv_home  /home  ext4  defaults,rw,relatime  0 2


Workaround:

Perhaps expand the error message to say something like:

Code:

Or define the tmp directory for emerge/portage elsewhere using the PORTAGE_TMPDIR envvar.


I think it should count as a bug on portage/emerge's part to be executing files in temporary directories. What do you say?


Reference:

* https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-06-14/finding/V-230521
_________________
Clusters of Fry's Special, AMD 2200, 2 GB DDR, 220 GB (2008.1/desktop, stage 1, -O3) x8
HP Compaq Fry's SPecial, AMD 2100, 2 GB DDR, 260 GB (2008.0/server, stage 1, -O3)
Ultra Sparc 5, 256MB, 3GB (2006.1/server, stage 1, -O3)


Last edited by egberts on Sun Oct 02, 2022 5:00 pm; edited 1 time in total
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879

PostPosted: Sat Oct 01, 2022 6:15 pm

Portage, unlike yum, is a from-source package manager.
It will extract source files from /var/cache/distfiles to $PORTAGE_TMPDIR, often /var/tmp/portage, on which a tmpfs is mounted.
Of course it needs exec. It has to run all kinds of configure, build and install scripts that may contain, invoke or link to binary executables.
Quote:

Because of increasing security concerns, /var/tmp is getting the lock down across enterprises into not supporting executable (noexec) mount option. Even STIG rule SV-230521r627750_rule says so.

Yes, but they are all binary distros, no?
You can mount a tmpfs on both /var/tmp and /var/tmp/portage like this:
Code:

tmpfs /var/tmp         tmpfs rw,nosuid,noatime,nodev,size=4G,mode=1777 0 0
tmpfs /var/tmp/portage tmpfs rw,nosuid,noatime,nodev,size=4G,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 0 0

I am not sure how it will behave but maybe you can set noexec on /var/tmp.
_________________
:)
pingtoo
l33t
Joined: 10 Sep 2021
Posts: 926
Location: Richmond Hill, Canada

PostPosted: Sat Oct 01, 2022 6:35 pm

I don't think this is a bug for Gentoo.

I think if one thinks a STIG (Security Technical Implementation Guide) is required for Gentoo, it should be written specifically for Gentoo, since many Gentoo practices are unique to source-build distributions. Taking a binary distribution STIG and trying to apply it to Gentoo is unfair.

Taking this case as an example, I would imagine a different Gentoo Handbook written with STIG in mind would have a section for /etc/portage/make.conf that describes how to set up a dedicated directory for Portage with the correct ownership as well as permissions, and have PORTAGE_TMPDIR point to it.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21630

PostPosted: Sat Oct 01, 2022 8:10 pm

Setting /var/tmp as noexec and arranging for Portage to use a filesystem that is not noexec works fine. It would be useful if Portage could build in a noexec filesystem, since that would also mean that cross-compilation (which cannot execute its own binaries) would work. However, that would be a huge undertaking spanning likely hundreds of packages. Many build systems assume they can run their build scripts as ./command (rather than as /path/to/interpreter ./command), but quite a few go further and also assume they can build a program and then immediately run it. I think trying to make this work would be infeasible, and many upstream projects might refuse the required patches to their build systems on the grounds that it works fine if you don't use noexec.
egberts
Guru
Joined: 04 Nov 2003
Posts: 357
Location: Dimmed Cathode Ray Tube

PostPosted: Sat Oct 01, 2022 11:17 pm

alamahant wrote:

You can mount a tmpfs on both /var/tmp and /var/tmp/portage like this:
Code:

tmpfs /var/tmp         tmpfs rw,nosuid,noatime,nodev,size=4G,mode=1777 0 0
tmpfs /var/tmp/portage tmpfs rw,nosuid,noatime,nodev,size=4G,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 0 0

I am not sure how it will behave but maybe you can set noexec on /var/tmp.


ummm, /var (and thus implicitly /var/tmp) must contain persistent data across reboots, thereby a tmpfs filesystem is no longer suitable.

/tmp, however, is not persistent and would positively benefit from using tmpfs.

At least that is the way the prevailing wind is blowing.
Last edited by egberts on Sat Oct 01, 2022 11:27 pm; edited 2 times in total

egberts
Guru
Joined: 04 Nov 2003
Posts: 357
Location: Dimmed Cathode Ray Tube

PostPosted: Sat Oct 01, 2022 11:21 pm

Hu wrote:
Setting /var/tmp as noexec and arranging for Portage to use a filesystem that is not noexec works fine. It would be useful if Portage could build in a noexec filesystem, since that would also mean that cross-compilation (which cannot execute its own binaries) would work. However, that would be a huge undertaking spanning likely hundreds of packages. Many build systems assume they can run their build scripts as ./command (rather than as /path/to/interpreter ./command), but quite a few go further and also assume they can build a program and then immediately run it. I think trying to make this work would be infeasible, and many upstream projects might refuse the required patches to their build systems on the grounds that it works fine if you don't use noexec.


I agree. Too much refitting work for Gentoo.

So, I should stick with PORTAGE_TMPDIR on a partition that allows exec. What is the Gentoo trend here?


    /var/portage (leveraging the current fstab mount options and their absence of a noexec option, thus allowing executables) OR

    /var/tmp/portage as a separate (4-level directory deep) partition but without the noexec mount option


Last edited by egberts on Sat Oct 01, 2022 11:37 pm; edited 2 times in total

egberts
Guru
Joined: 04 Nov 2003
Posts: 357
Location: Dimmed Cathode Ray Tube

PostPosted: Sat Oct 01, 2022 11:25 pm

pingtoo wrote:
Taking a binary distribution STIG and trying to apply it to Gentoo is unfair.


Right. It is an enterprise issue to deal with, imposing STIG on others. Notably toward hardened Gentoo. But it makes the adoption rate of Gentoo a bit lower on that enterprise front.

Oh right, CISecurity also mentions the /var/tmp partition as having the noexec mount option as well.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21630

PostPosted: Sun Oct 02, 2022 12:59 am

egberts wrote:
ummm, /var (and thus implicitly /var/tmp) must contain persistent data across reboots, thereby a tmpfs filesystem is no longer suitable.
alamahant did not suggest to use a tmpfs for /var. Just because / must contain persistent data does not mean that all directories under / likewise must be persistent. Mounting a tmpfs for /var/tmp works fine for me. I cannot say whether it will work for everyone.
egberts wrote:
So, I should stick with PORTAGE_TMPDIR on a partition that allows exec. What is the Gentoo trend here?
    /var/tmp/portage as a separate (4-level directory deep) partition but without the noexec mount option
I mount a separate tmpfs on /var/tmp/portage, and that tmpfs is exec, even though /var/tmp is noexec.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54236
Location: 56N 3W

PostPosted: Sun Oct 02, 2022 9:29 am

egberts,

Portage needs some executable build space to build.

In the enterprise, building and deployment of Gentoo are separated, as it's a really bad idea to build and install on production systems.
Enterprise users build and test offline, then when they are happy, deploy the binaries.

Gentoo is used in the enterprise like a do-it-yourself binary distro.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

PostPosted: Sun Oct 02, 2022 11:19 am

Sorry, I don't understand the problem from the OP (maybe due to my poor school English).

If someone wants to mount /var/tmp with NOEXEC, this is completely fine. Then mount /var/tmp/portage either as:

a) tmpfs, as @alamahant already described in the 2nd post (it is not necessary to mount /var/tmp also as tmpfs) (and @Hu also does) (and I also do), OR
b) another partition with execution allowed (I also don't understand why this should be "4-level directory deep"?)

The only problem I ever had was my misunderstanding of PORTAGE_TMPDIR in my make.conf. If you set it to PORTAGE_TMPDIR="/var/tmp/portage/" you will have /var/tmp/portage/portage/ ... :-(
Leonardo.b
Apprentice
Joined: 10 Oct 2020
Posts: 296

PostPosted: Sun Oct 02, 2022 12:40 pm
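An added example (not from any poster in this thread) that checks the layout Hu and pietinger describe: it resolves which mount covers a directory using a constructed /proc/mounts-style table, reports whether that mount carries noexec, and shows where Portage actually builds once it appends its own "/portage" to PORTAGE_TMPDIR. The helpers mount_for, exec_allowed and portage_build_dir are hypothetical names, not Portage tooling.

```shell
# Added example, not code from the thread. It models the setup Hu and
# pietinger describe: /var/tmp mounted noexec, a separate exec-capable tmpfs on
# /var/tmp/portage, and the PORTAGE_TMPDIR trailing "/portage" pitfall.
# The mount table is constructed in /proc/mounts format; omit the second
# argument of the helpers to read the live /proc/mounts instead.
SAMPLE_MOUNTS='/dev/mapper/vg_os-lv_var /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg_os-lv_var_tmp /var/tmp ext4 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /var/tmp/portage tmpfs rw,nosuid,nodev,relatime,size=4194304k,mode=775 0 0'

# mount_for DIR [TABLE]: print "<mountpoint> <options>" of the deepest mount
# whose mount point contains DIR (longest-prefix match, as the kernel resolves it).
mount_for() {
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v d="$1" '
        BEGIN { best_len = 0 }
        {
            mp = $2
            if (mp == "/" || d == mp || index(d, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# exec_allowed DIR [TABLE]: return 0 if DIR's mount lacks noexec, 1 if it
# carries noexec, 2 if no mount in TABLE covers DIR.
exec_allowed() {
    m=$(mount_for "$1" "$2")
    [ -n "$m" ] || return 2
    case ",${m#* }," in
        *,noexec,*) return 1 ;;
        *) return 0 ;;
    esac
}

# portage_build_dir [PORTAGE_TMPDIR]: the directory Portage actually builds in.
# Portage appends /portage itself, so PORTAGE_TMPDIR="/var/tmp/portage/" in
# make.conf yields /var/tmp/portage/portage rather than the directory you mounted.
portage_build_dir() {
    d=${1:-/var/tmp}
    printf '%s/portage\n' "${d%/}"
}

for dir in /var/tmp "$(portage_build_dir /var/tmp)" "$(portage_build_dir /var/tmp/portage/)"; do
    if exec_allowed "$dir" "$SAMPLE_MOUNTS"; then
        echo "$dir: exec allowed on $(mount_for "$dir" "$SAMPLE_MOUNTS" | cut -d' ' -f1)"
    else
        echo "$dir: noexec, Portage cannot build here"
    fi
done
```

Run against the live system by dropping the second argument, e.g. `exec_allowed "$(portage_build_dir "$PORTAGE_TMPDIR")"`, to confirm the build directory lands on the exec-capable mount before running emerge.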

https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.txt
FHS wrote:
5.15. /var/tmp : Temporary files preserved between system reboot

5.15.1. Purpose
The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. [...] Files and directories located in /var/tmp must not be deleted when the system is booted. [...]


I symlink /var/tmp -> /tmp.
It works OK, in my experience, even though nothing is preserved across reboots.