chicken-hackers

Re: [Chicken-hackers] [Chicken-janitors] #1218: chicken-install may fail


From: John Cowan
Subject: Re: [Chicken-hackers] [Chicken-janitors] #1218: chicken-install may fail if TMPDIR is mounted noexec (depending on setup-file details)
Date: Sun, 23 Apr 2017 12:24:10 -0400


On Sun, Apr 23, 2017 at 8:04 AM, Peter Bex <address@hidden> wrote:

> On Sun, Apr 23, 2017 at 01:52:53PM +0200, address@hidden wrote:
> > Sorry, I lost the context for this discussion - what exactly is the problem here?
>
> Basically, if /tmp is mounted noexec, installing an egg like
> coops that builds two modules, one of which loads the other,
> this will fail because you can't dlopen() a .so file on noexec
> mounts.

The wider context is that many attacks on Linux systems install executables into /tmp (which is guaranteed writable), and setting the /tmp filesystem noexec blocks such attacks in a simple way.  It's now considered a bug in Debian packages to put executables in /tmp, and I expect the idea will spread to other Linux distros. 

In general, nothing should be both writable and executable. 

-- 
John Cowan          http://vrici.lojban.org/~cowan        address@hidden
If you have ever wondered if you are in hell, it has been said, then
you are on a well-traveled road of spiritual inquiry.  If you are
absolutely sure you are in hell, however, then you must be on the Cross
Bronx Expressway.  --Alan Feuer, New York Times, 2002-09-20
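
Added example, not part of the original message and not CHICKEN's own code: a check for the situation discussed in this thread, deciding from `/proc/mounts`-format data whether a build directory sits on a `noexec` mount (where `dlopen()` of a freshly built `.so` fails) and listing mounts that are both writable and executable. The sample mount table, the paths and all function names are constructed for illustration.

```python
import os

# Constructed sample in /proc/mounts format (not from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /home/build\\040dir ext4 rw,noexec 0 0
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes;
    # the backslash escape is decoded last so it cannot create a new escape.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return [(mount_point, set_of_options), ...] in mount order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((_unescape(fields[1]), set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Mount holding `path`: longest matching mount point, later entry wins ties."""
    path = os.path.normpath(path)
    best = None
    for point, opts in mounts:
        inside = path == point or path.startswith(point.rstrip("/") + "/")
        if inside and (best is None or len(point) >= len(best[0])):
            best = (point, opts)
    return best

def can_load_code_from(path, mounts):
    """False when the mount holding `path` is noexec, so dlopen() there fails."""
    hit = mount_for(path, mounts)
    return hit is not None and "noexec" not in hit[1]

def writable_and_executable(mounts):
    """Mount points that are rw and lack noexec."""
    return [point for point, opts in mounts if "rw" in opts and "noexec" not in opts]

if __name__ == "__main__":
    live = parse_mounts(open("/proc/mounts").read())
    tmp = os.environ.get("TMPDIR", "/tmp")
    print(tmp, "allows dlopen:", can_load_code_from(tmp, live),
          "| rw+exec mounts:", writable_and_executable(live))
```

A build tool can run a check like this on its temporary directory before loading compiled modules from it and fall back to a directory where execution is permitted.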



