I mount /tmp with the nodev, nosuid, and noexec options to increase the security of my Linux-based web server. Whenever I run the apt-get install or apt-get upgrade command, I get the following error:

apt-get install linux-generic linux-headers-generic linux-image-generic
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-43-generic
Found initrd image: /boot/initrd.img-3.2.0-43-generic
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-43-generic
W: TMPDIR is mounted noexec, will not cache run scripts.

How do I fix this problem without compromising security of the data or web-server?

Tutorial details
Difficulty: Easy
Root privileges: Yes
Requirements: None
Time: 2m

You can make /tmp non-executable and restrict it further by setting the following flags in the /etc/fstab file:
  1. noexec – Do not allow direct execution of any binaries or scripts on the mounted filesystem at /tmp.
  2. nosuid – Do not allow SUID or SGID bits to take effect.
  3. nodev – Do not interpret character or block special devices on the file system.

This safeguards your server against various attacks. However, the apt-get upgrade command may fail with the following message:
W: TMPDIR is mounted noexec, will not cache run scripts.
The apt-get command uses /tmp to store scripts, and those scripts cannot execute because of the noexec flag on /tmp. To fix the problem, edit or create the file /etc/apt/apt.conf:
# vi /etc/apt/apt.conf
or
$ sudo vi /etc/apt/apt.conf
Add the following lines:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

Save and close the file. apt.conf is the main configuration file for the APT suite of tools. The commands are invoked in order using /bin/sh; should any fail, APT will abort. Where,

  • DPkg::Pre-Invoke{"mount -o remount,exec /tmp";}; – This is a list of shell commands to run before the dpkg command. In this example, it removes the noexec flag from /tmp so that the scripts can be executed.
  • DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";}; – This is a list of shell commands to run after dpkg. In this example, it sets noexec and the other security flags on /tmp again.

How do I reinstall and re-execute packages again?

Once you have applied the solution as described above, you can reinstall the package as follows to run the scripts:
$ sudo apt-get --reinstall install linux-generic linux-headers-generic linux-image-generic
In this example,

  1. First, the mount -o remount,exec /tmp command is run by apt-get, as defined in apt.conf, to relax the permissions on /tmp.
  2. Next, your actual apt-get/dpkg command is executed to reinstall the kernel packages.
  3. Finally, the mount -o remount,rw,noexec,nosuid,nodev /tmp command is run by apt-get to secure your /tmp again.
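
To confirm that /tmp carries the hardening flags again after an apt-get run, check its options in /proc/mounts. The script below is an added example, not part of the original tutorial; the function name missing_mount_opts, the REQUIRED_OPTS variable and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: report which of the
# hardening flags from /etc/fstab are missing on /tmp after an apt-get run.
REQUIRED_OPTS="noexec nosuid nodev"   # the three flags the tutorial sets

# Reads /proc/mounts-format text on stdin; $1 is the mount point (default /tmp).
# Prints the missing flags. Returns 0 if all are present, 1 if any is
# missing, 2 if the path is not a mount point (the flags cannot apply).
missing_mount_opts() {
    mp=${1:-/tmp}
    # Field 2 is the mount point and field 4 the option list. When mounts are
    # stacked on the same path, the last matching line is the one in effect.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;   # whole-option match between commas
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed /proc/mounts lines (hypothetical host, not captured output).
SAMPLE_HARDENED='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_EXEC='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'
SAMPLE_NO_TMP='/dev/sda1 / ext4 rw,relatime 0 0'

# Demo over the samples. On a live host: missing_mount_opts /tmp < /proc/mounts
for sample in "$SAMPLE_HARDENED" "$SAMPLE_EXEC" "$SAMPLE_NO_TMP"; do
    m=$(printf '%s\n' "$sample" | missing_mount_opts /tmp) && rc=0 || rc=$?
    echo "rc=$rc missing=[$m]"
done
```

A non-zero return after package maintenance means /tmp is not in the hardened state and should be remounted with the flags from /etc/fstab.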
See also
  • Man pages – dpkg(1)

1 comment
  • Logicos Aug 7, 2013 @ 15:00

    But take care: in a desktop environment (KDE, Gnome, …) some software uses “/tmp” to execute some update processes, like “Firefox” and “Thunderbird”.
