I mount /tmp with the nodev, nosuid, and noexec options to increase the security of my Linux-based web server. Whenever I run the apt-get install or apt-get upgrade command, I get the following error:

apt-get install linux-generic linux-headers-generic linux-image-generic
.....
....
..
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-43-generic
Found initrd image: /boot/initrd.img-3.2.0-43-generic
....
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-43-generic
W: TMPDIR is mounted noexec, will not cache run scripts.
....
...

How do I fix this problem without compromising the security of the data or the web server?

Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements None
Est. reading time 2m
You can harden /tmp by setting the following mount options in the /etc/fstab file:
  1. noexec – Do not allow direct execution of any binaries or scripts on the mounted filesystem at /tmp.
  2. nosuid – Do not allow SUID or SGID bits to take effect.
  3. nodev – Do not interpret character or block special devices on the file system.

This will safeguard your server against various attacks. However, the apt-get upgrade command may then fail with the following message:
W: TMPDIR is mounted noexec, will not cache run scripts.
The apt-get command places scripts in /tmp, and those scripts cannot execute because of the noexec flag on /tmp. To fix the problem, edit or create the file /etc/apt/apt.conf, enter:
# vi /etc/apt/apt.conf
OR
$ sudo vi /etc/apt/apt.conf
Append the following configuration:

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

Save and close the file. apt.conf is the main configuration file for the APT suite of tools. The commands are invoked in order using /bin/sh; should any fail, APT will abort. Where,

  • DPkg::Pre-Invoke {"mount -o remount,exec /tmp";}; – This is a list of shell commands to run before the dpkg command. In this example, it removes the noexec flag from /tmp so that scripts can be executed.
  • DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";}; – This is a list of shell commands to run after dpkg. In this example, it sets noexec and the other security flags on /tmp again.

Between the two hooks, /tmp is mounted with exec for as long as dpkg runs.

How do I reinstall and re-execute packages again?

Once you have applied the solution described above, you can reinstall the package as follows to run the scripts:
$ sudo apt-get --reinstall install linux-generic linux-headers-generic linux-image-generic
In this example,

  1. First, the mount -o remount,exec /tmp command is run by apt-get, as defined in apt.conf, to relax the permissions on /tmp.
  2. Next, your actual apt-get/dpkg command is executed to reinstall the kernel packages.
  3. Finally, the mount -o remount,rw,noexec,nosuid,nodev /tmp command is run by apt-get to secure your /tmp again.
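To confirm that the Post-Invoke hook restored the options after an apt-get run, you can check the live mount table. The following is an added example, not part of the original tutorial; the function names missing_opts and sample_mounts and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which hardening options are missing from a mount point.
# Usage: missing_opts [mountpoint] [mounts-file]   ("-" reads the table from stdin)
# Prints "ok", "not-mounted", or a comma-separated list of missing options.
missing_opts() {
    mp=${1:-/tmp}
    table=${2:-/proc/self/mounts}
    # Field 2 is the mount point, field 4 the comma-separated options.
    # With stacked mounts the last matching entry is the effective one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;                                   # option present
            *) missing="${missing:+$missing,}$want" ;;        # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample in /proc/mounts format: /tmp is still executable (its state
# between the Pre-Invoke and Post-Invoke hooks), /var/tmp is fully hardened.
sample_mounts() {
    cat <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}
```

Run missing_opts /tmp on the server after apt-get finishes; any output other than ok means /tmp is not mounted with all three options.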
See also
  • Man pages – dpkg(1)

1 comment
  • Logicos Aug 7, 2013 @ 15:00

    Good.
    But take care: in a desktop environment (KDE, Gnome, …) some software uses “/tmp” to execute some update processes, like “Firefox” and “Thunderbird”.
