tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: pkg_add problem with nosuid on /var



On Nov 12, 2012, at 18:35 , Daniel Horecki wrote:
> Fredrik Pettai <pettai%nordu.net@localhost> writes:
>> Hi,
>> 
>> I installed a new server, and tested to add some extra security precautions 
>> to the mounted filesystems.
>> Then I started to use pkgin to install the basic stuff, it didn't work 
>> anymore...
>> 
>> Ex.
>> 
>> server# pkgin in bash
>> calculating dependencies... done.
>> 
>> nothing to upgrade.
>> 1 packages to be installed: bash-4.2nb2 (0B to download, 3897K to install)
>> 
>> proceed ? [Y/n] y
>> downloading packages...
>> installing packages...
>> installing bash-4.2nb2...
>> pkg_install warnings: 0, errors: 1
>> pkg_install error log can be found in /var/db/pkgin/pkg_install-err.log
>> 
>> server# more /var/db/pkgin/pkg_install-err.log
>> ---Nov 12 12:59:37: installing bash-4.2nb2...
>> pkg_add: exec of install script failed: Permission denied
>> pkg_add: 1 package addition failed
>> 
>> server# mount
>> /dev/sd0a on / type ffs (local)
>> /dev/sd0f on /var type ffs (log, noexec, nosuid, local)
>> /dev/sd0e on /usr type ffs (log, local)
>> /dev/sd0g on /home type ffs (log, nosuid, local)
>> kernfs on /kern type kernfs (local)
>> ptyfs on /dev/pts type ptyfs (local)
>> procfs on /proc type procfs (local)
>> 
>> Repeat the pkg_add commando:
>> 
>> server# pkg_add /var/db/pkgin/cache/bash-4.2nb2.tgz
>> pkg_add: exec of install script failed: Permission denied
>> pkg_add: 1 package addition failed
>> 
>> server# cp /var/db/pkgin/cache/bash-4.2nb2.tgz /home/
>> 
>> server# pkg_add /home/bash-4.2nb2.tgz
>> pkg_add: exec of install script failed: Permission denied
>> pkg_add: 1 package addition failed
>> 
>> So pkg_add does setuid operations in /var. I understand that it's critical 
>> for pkg_add and friends to work today.
>> But in the long term, would it be possible to make pkg_add and friend to 
>> perform their job without requiring setuid operations in /var? 
> 
> I guess it's more about noexec than nosuid.
> It cannot execute +INSTALL script from /var/db/pkg/bash-4.2nb2/.

Yes, you're right, I was a bit trigger-happy on the send button.
But still, could this be (re)designed so noexec could be used on /var in a good 
way?

/P


Home | Main Index | Thread Index | Old Index