Subject: Re: running (DE)INSTALL scripts vs. noexec mounted /var
To: None <>
From: Martin Weber <>
List: tech-pkg
Date: 11/09/2001 22:04:52
On Fri, Nov 09, 2001 at 05:11:27PM +0100, Hubert Feyrer wrote:
> [...]
> 	if (script exists) {
> 		sh script someargs
> 	}
> The implications are that
>  * /var can be mounted noexec
>  * The scripts MUST be /bin/sh scripts, no executables, perl scripts etc.
>    allowed.

Well, I don't know perl too well, but assume my deinstall script used
tcl, I would rewrite it from 

#! /path/to/tclsh


#! /bin/sh
# or even nothing \
	exec tclsh "$0" "$@"

This way you can call it with sh <scriptfile>, and it should work
even with /var mounted noexec, because the interpreter resides
somewhere else than in /var.

So the final implication, if I did not miss anything, is:

* /var can be mounted noexec
* The scripts using another interpreter than /bin/sh must be rewritten
  to fit the scheme their interpreter uses for sh-wrappers (see above)
* Binary DEINSTALLs are no longer feasable.

Martin Weber