W: TMPDIR is Mounted noexec, Will Not Cache Run Scripts Error and Solution

Posted on in Categories , , last updated August 4, 2013

I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server. And, whenever I ran apt-get install or apt-get upgrade command, I am getting the following error:

apt-get install linux-generic linux-headers-generic linux-image-generic
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-43-generic
Found initrd image: /boot/initrd.img-3.2.0-43-generic
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-43-generic
W: TMPDIR is mounted noexec, will not cache run scripts.

How do I fix this problem without compromising security of the data or web-server?

You can make /tmp non-executable by setting the following two flags in /etc/fstab file:

  1. noexec – Do not allow direct execution of any binaries or scripts on the mounted filesystem at /tmp.
  2. nosuid – Do not allow SUID or SGID bits to take effect.
  3. nodev – Do not interpret character or block special devices on the file system.

This will safeguard your server against various attacks. But, apt-get upgrade command may fail with the following message:
W: TMPDIR is mounted noexec, will not cache run scripts.
apt-get command use /tmp to place scripts and scripts can not execute due to noexec flag on /tmp. To fix your problem edit or create the file /etc/apt/apt.conf (, enter:
# vi /etc/apt/apt.conf
$ sudo vi /etc/apt/apt.conf
Sample outputs:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

Save and close the file. The apt.conf is the main configuration file for the APT suite of tools. The commands are invoked in order using /bin/sh, should any fail APT will abort. Where,

  • DPkg::Pre-Invoke{"mount -o remount,exec /tmp";}; – This is a list of shell commands to run before dpkg command. In this example, remove noexec flag from /tmp, so that script can get executed.
  • DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";}; – This is a list of shell commands to run after dpkg. In this example, set noexec and other security flag on /tmp

How do I reinstall and rexecute packages again?

Once you applied the solution as describe above, you can just reinstall the package as follows to run the scripts:
$ sudo apt-get --reinstall install linux-generic linux-headers-generic linux-image-generic
In this example,

  1. First, mount -o remount,exec /tmp command will run by apt-get as defined in apt.conf to relax permission on /tmp.
  2. Next, your actual apt-get/dpkg command will get executed to reinstall kernel packages.
  3. Finally mount -o remount,rw,noexec,nosuid,nodev /tmp command will run by apt-get to secure your /tmp.
See also

1 comment

  1. Good.
    But take care: In a Desktop Environment (KDE, Gnome,…) some softwares uses “/tmp” for execute some update process: Like “Firefox” and “Thunderbird”.

Leave a Comment