tech-pkg archive


Re: pkg_add problem with nosuid on /var



Fredrik Pettai <pettai%nordu.net@localhost> writes:

> Hi,
>
> I installed a new server, and tested to add some extra security precautions 
> to the mounted filesystems.
> Then I started to use pkgin to install the basic stuff, it didn't work 
> anymore...
>
> Ex.
>
> server# pkgin in bash
> calculating dependencies... done.
>
> nothing to upgrade.
> 1 packages to be installed: bash-4.2nb2 (0B to download, 3897K to install)
>
> proceed ? [Y/n] y
> downloading packages...
> installing packages...
> installing bash-4.2nb2...
> pkg_install warnings: 0, errors: 1
> pkg_install error log can be found in /var/db/pkgin/pkg_install-err.log
>
> server# more /var/db/pkgin/pkg_install-err.log
> ---Nov 12 12:59:37: installing bash-4.2nb2...
> pkg_add: exec of install script failed: Permission denied
> pkg_add: 1 package addition failed
>
> server# mount
> /dev/sd0a on / type ffs (local)
> /dev/sd0f on /var type ffs (log, noexec, nosuid, local)
> /dev/sd0e on /usr type ffs (log, local)
> /dev/sd0g on /home type ffs (log, nosuid, local)
> kernfs on /kern type kernfs (local)
> ptyfs on /dev/pts type ptyfs (local)
> procfs on /proc type procfs (local)
>
> Repeat the pkg_add command:
>
> server# pkg_add /var/db/pkgin/cache/bash-4.2nb2.tgz
> pkg_add: exec of install script failed: Permission denied
> pkg_add: 1 package addition failed
>
> server# cp /var/db/pkgin/cache/bash-4.2nb2.tgz /home/
>
> server# pkg_add /home/bash-4.2nb2.tgz
> pkg_add: exec of install script failed: Permission denied
> pkg_add: 1 package addition failed
>
> So pkg_add does setuid operations in /var. I understand that it's critical 
> for pkg_add and friends to work today.
> But in the long term, would it be possible to make pkg_add and friends to 
> perform their job without requiring setuid operations in /var? 
>

I guess it's more about noexec than nosuid.
It cannot execute the +INSTALL script from /var/db/pkg/bash-4.2nb2/.

> Re,
> /P
>

-- 
Daniel Horecki
http://morr.pl http://linux.pl http://netbsd.pl http://netbsd.org
HAIL ERIS!
BOFH since 1999.
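
Added example, not part of the original messages: a POSIX sh check that finds which mount governs a path and whether it carries noexec, run over the mount table quoted above. The function names mount_opts_for and path_has_opt are hypothetical, and the parser assumes the NetBSD "dev on mountpoint type fs (opts)" layout with no spaces in mount points.

```shell
#!/bin/sh
# Added example: which mount governs a path, and does it carry a given option?
# SAMPLE_MOUNT is the mount(8) output quoted in the thread, embedded for offline use.
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0f on /var type ffs (log, noexec, nosuid, local)
/dev/sd0e on /usr type ffs (log, local)
/dev/sd0g on /home type ffs (log, nosuid, local)
kernfs on /kern type kernfs (local)
ptyfs on /dev/pts type ptyfs (local)
procfs on /proc type procfs (local)'

# mount_opts_for PATH [MOUNT_OUTPUT]
# Prints "mountpoint<TAB>opt,opt,..." for the longest mount point that is a
# path prefix of PATH. Falls back to live `mount` output without a 2nd argument.
mount_opts_for() {
    path=$1
    table=${2-$(mount)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            # Field 3 is the mount point; options sit inside the parentheses.
            mp = $3; opts = $0
            sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts); gsub(/ /, "", opts)
            # Match only on a path-component boundary (/var must not match /variable).
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best_len) { best_len = length(mp); best = mp; best_opts = opts }
        }
        END { if (best != "") printf "%s\t%s\n", best, best_opts }'
}

# path_has_opt PATH OPT [MOUNT_OUTPUT]: exit status 0 if the governing mount has OPT.
path_has_opt() {
    opts=$(mount_opts_for "$1" "${3-$(mount)}" | cut -f2)
    case ",$opts," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Paths that appear in the thread: the package database entry, the cache, /home.
for p in /var/db/pkg/bash-4.2nb2 /var/db/pkgin/cache /home; do
    if path_has_opt "$p" noexec "$SAMPLE_MOUNT"; then
        state="noexec (scripts stored here cannot be executed)"
    else
        state="exec allowed"
    fi
    printf '%-26s %s\n' "$p" "$state"
done
```

Copying the tarball to /home changes nothing in this table for /var/db/pkg/bash-4.2nb2, which is the directory the reply names as the location of the +INSTALL script.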

