On Aug 21, 2014 5:53 AM, "jcbollinger" <john.bollin...@stjude.org> wrote:
> No new parameter, but you could also repackage your RPM so that it
handles the permissions of /tmp itself.
I suspect that would conflict with the package that already owns /tmp
("basefiles" or whatever it's called).
It might be possible to remount with and then without exec in the pre and
post install scripts. To avoid modifying the original package, it might be
possible to use a "wrapper" package that is nothing but the scripts &
dependency, exploiting the transactional ordering that the scripts would
run in. (If my memory of how that works is accurate.)
> By the way, what's the point of mounting /tmp non-executable? I mean, I
know in general what the effect is, but why is that desirable for /tmp?
It's not uncommon for non-root exploit scripts to upload and run their
payload from /tmp, as it is generally available.
Another alternative depending on your platform might be some of the
namespace stuff that later Linux kernels support and use that to provide a
private /tmp to that package installer. I'm not sure how feasible or even
possible that is.
Wil
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAMmm3r4oUzxaEAGeLHohb20f%2B%3DfCJFYWa%3DZxFTrVQicJhZS-MQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
