Auto Remounting with Apt

On most of my Internet facing Linux systems I have /tmp as a separate file system. I do this primarily so that I can set noexec and nosuid on the file system. While that won’t stop a real intruder, it will slow down or stop script kiddies and worms.

This causes a minor issue with Debian. When I upgrade packages I’ve noticed that many packages create scripts in /tmp and try to execute them. That, of course, fails with noexec set on the file system. For a while I’ve been forcing myself to remember to remount /tmp prior to upgrading. This is error prone and I knew there must be a better way. Today I took the time to find a better way.

Apt is highly configurable but you’d never know it because you almost never need to change the default settings — at least that’s been my experience. Browsing through /usr/share/doc/apt/examples/configure-index.gz I found what I was looking for. You can specify shell code to run before and after apt invokes dpkg. I created a file /etc/apt/apt.conf.d/99local where I placed the following:

// Auto re-mounting of /tmp
// The hooks live in apt's DPkg group, so they need the DPkg:: scope
// (or an enclosing DPkg { ... } block, as in configure-index.gz).
DPkg::Pre-Invoke {"mount -o remount,exec,suid /tmp";};
DPkg::Post-Invoke {"mount -o remount,noexec,nosuid /tmp";};

Now I don’t have to remember to remount anything. Keep in mind that /tmp is executable and suid-capable for every user for as long as dpkg is running, so the hardening is relaxed only during the upgrade window. This is also useful if you want to keep things like /usr/bin mounted read-only.
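As an added check that is not part of the original post: a small POSIX sh helper that reads a file in /proc/mounts format and confirms that a mount point carries the expected options, so you can verify that the Post-Invoke hook really put noexec and nosuid back on /tmp. The sample mounts content is constructed, and `mount_has_opts` and `tmp_is_hardened` are names chosen here.

```shell
#!/bin/sh
# Check that MOUNTPOINT in MOUNTS_FILE (format of /proc/mounts) has every OPT.
# Usage: mount_has_opts MOUNTS_FILE MOUNTPOINT OPT [OPT...]
# Returns 0 when all options are present, 1 when one is missing or the
# mount point is not found at all.
mount_has_opts() {
    mounts="$1"; mp="$2"; shift 2
    # /proc/mounts fields: device mountpoint fstype options dump pass
    # If a path is mounted more than once, the last (topmost) entry wins.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live-system wrapper: is the real /tmp still noexec,nosuid?
tmp_is_hardened() {
    mount_has_opts /proc/self/mounts /tmp noexec nosuid
}

# Constructed sample (not taken from a real host) for a stand-alone demo.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF

if mount_has_opts "$SAMPLE_MOUNTS" /tmp noexec nosuid; then
    echo "sample /tmp: noexec,nosuid present"
else
    echo "sample /tmp: hardening flags missing"
fi
rm -f "$SAMPLE_MOUNTS"
```

Running `tmp_is_hardened || echo "/tmp not hardened"` right after an apt run is a quick way to confirm the Post-Invoke hook did its job.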

This entry was posted in Geek, Tips. Bookmark the permalink.
