W: TMPDIR is Mounted noexec, Will Not Cache Run Scripts Error and Solution

Posted on in Categories , , last updated August 4, 2013

I mount /tmp with nodev, nosuid, and noexec options to increase the security of my Linux based web server. And, whenever I ran apt-get install or apt-get upgrade command, I am getting the following error:

apt-get install linux-generic linux-headers-generic linux-image-generic
.....
....
..
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.2.0-43-generic
Found initrd image: /boot/initrd.img-3.2.0-43-generic
....
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-43-generic
W: TMPDIR is mounted noexec, will not cache run scripts.
....
...

How do I fix this problem without compromising security of the data or web-server?

You can make /tmp non-executable by setting the following two flags in /etc/fstab file:

  1. noexec – Do not allow direct execution of any binaries or scripts on the mounted filesystem at /tmp.
  2. nosuid – Do not allow SUID or SGID bits to take effect.
  3. nodev – Do not interpret character or block special devices on the file system.

This will safeguard your server against various attacks. But, apt-get upgrade command may fail with the following message:
W: TMPDIR is mounted noexec, will not cache run scripts.
apt-get command use /tmp to place scripts and scripts can not execute due to noexec flag on /tmp. To fix your problem edit or create the file /etc/apt/apt.conf (, enter:
# vi /etc/apt/apt.conf
OR
$ sudo vi /etc/apt/apt.conf
Sample outputs:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";};

Save and close the file. The apt.conf is the main configuration file for the APT suite of tools. The commands are invoked in order using /bin/sh, should any fail APT will abort. Where,

  • DPkg::Pre-Invoke{"mount -o remount,exec /tmp";}; – This is a list of shell commands to run before dpkg command. In this example, remove noexec flag from /tmp, so that script can get executed.
  • DPkg::Post-Invoke {"mount -o remount,rw,noexec,nosuid,nodev /tmp";}; – This is a list of shell commands to run after dpkg. In this example, set noexec and other security flag on /tmp

How do I reinstall and rexecute packages again?

Once you applied the solution as describe above, you can just reinstall the package as follows to run the scripts:
$ sudo apt-get --reinstall install linux-generic linux-headers-generic linux-image-generic
In this example,

  1. First, mount -o remount,exec /tmp command will run by apt-get as defined in apt.conf to relax permission on /tmp.
  2. Next, your actual apt-get/dpkg command will get executed to reinstall kernel packages.
  3. Finally mount -o remount,rw,noexec,nosuid,nodev /tmp command will run by apt-get to secure your /tmp.
See also
  • Man pages – apt.conf(5),apt-get(8),dpkg(1)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

1 comment

Leave a Comment