[aur-general] Issue a warning while (re)packaging a binary package?
Jan Kohnert
nospam001-lists at jan-kohnert.de
Fri Jun 18 20:09:11 UTC 2021
Hi,
On Friday, 18 June 2021, 17:21:43 CEST, alad via aur-general wrote:
> On 18/06/2021 16:43, Jonathon Fernyhough via aur-general wrote:
> > On 18/06/2021 14:05, Jan Kohnert via aur-general wrote:
> >> a new version of a (binary) package I'm maintaining (clockify-desktop)
> >> requires an executable /tmp directory to run.
> >
> > My immediate questions would be why, and is this an upstream issue?
I really don't know. Upstream changed their version 2.0.2 by a new upload. They
use S3 storage and have a unique filename for all versions, so I only figure out
changes by automatic nightly builds on my GitLab that fail when the hash
changes. I contacted them and the answer I got was "the dev team works on a
new version". They promised to notify me when a new version is available, but I
can't tell when this will be the case.
> > Or, is an executable /tmp a reasonable assumption? 🤔
>
> I don't see anything in file-hierarchy(7) that mandates an executable
> /tmp. That said, it contains a hint that some programs might break:
>
> /tmp/, /var/tmp/ and /dev/shm/ should be mounted nosuid and
> nodev, which means that set-user-id mode and character or block
> special devices are not interpreted on those file systems. In
> general it is not possible to mount them noexec, because various
> programs use those directories for dynamically generated or
> optimized code, and with that flag those use cases would break.
> Using this flag is OK on special-purpose installations or systems
> where all software that may be installed is known and doesn't
> require such functionality. See the discussion of
> nosuid/nodev/noexec in mount(8) and PROT_EXEC in mmap(2).
Based on this, my setup seems a bit outdated. AFAIR the info to use noexec on
/tmp is from the time I switched to Gentoo at around 2004 to remove a possible
attack vector. There was even advice to mount /home and /var/tmp noexec to
prevent users from executing arbitrary code, as then all user-writeable directories
would be noexec. I never changed that setup, at least for /tmp and /var/tmp, for
newer machines, but I do get some errors for some python-related packages from
the AUR that require an executable /tmp for building.
So maybe I'll just change my setup and push the new version without adding a
warning.
Thanks for the clarification. :)
--
Best regards, Jan
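As an added example (not part of the original thread or of any AUR package), the following POSIX sh script checks whether /tmp, /var/tmp and /dev/shm carry the nosuid, nodev and noexec options that the quoted file-hierarchy(7) passage discusses. It parses lines in /proc/self/mounts format (device, mount point, fstype, options); a directory that is not its own mount point, such as /var/tmp on many systems, inherits the options of the nearest parent mount. The SAMPLE_MOUNTS table is constructed for the demonstration; passing no second argument reads the live table instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Reports the nosuid/nodev/noexec
# state of the temporary directories named in file-hierarchy(7).

# Constructed sample in /proc/self/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# mount_opts <path> [mounts-text]
# Prints the option field of the mount that covers <path>: an exact mount point
# if one exists, otherwise the nearest parent mount (last matching line wins, so
# an overmount takes precedence). Returns 1 if nothing covers the path.
mount_opts() {
    path=$1
    mounts=${2:-$(cat /proc/self/mounts)}
    p=$path
    while :; do
        opts=$(printf '%s\n' "$mounts" | awk -v mp="$p" '$2 == mp { o = $4 } END { print o }')
        [ -n "$opts" ] && { printf '%s\n' "$opts"; return 0; }
        [ "$p" = "/" ] && return 1
        p=${p%/*}
        [ -z "$p" ] && p=/
    done
}

# has_opt <comma-separated-options> <option>: 0 if the option is present
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# check_dir <dir> [mounts-text]
# Prints "<dir>: nosuid=yes|no nodev=yes|no noexec=yes|no".
# Returns 1 when noexec is set (the flag that breaks programs needing an
# executable /tmp), 2 when the directory is not covered by the mount table.
check_dir() {
    opts=$(mount_opts "$1" "$2") || {
        printf '%s: not covered by the mount table\n' "$1"
        return 2
    }
    line="$1:"
    for o in nosuid nodev noexec; do
        if has_opt "$opts" "$o"; then
            line="$line $o=yes"
        else
            line="$line $o=no"
        fi
    done
    printf '%s\n' "$line"
    has_opt "$opts" noexec && return 1
    return 0
}

# Demonstration on the constructed table, then on the live system if available.
for d in /tmp /var/tmp /dev/shm; do
    check_dir "$d" "$SAMPLE_MOUNTS" || :
done
if [ -r /proc/self/mounts ]; then
    for d in /tmp /var/tmp /dev/shm; do
        check_dir "$d" || :
    done
fi
```

On the constructed table this reports /tmp as noexec (exit status 1), /var/tmp as inheriting the plain rw,relatime options of /, and /dev/shm as nosuid,nodev only, which is the layout the quoted manpage text recommends.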