Comments on: Stupid Linux Tricks: Basic Server Hardening (Debian Lenny)

By: jalfrock

jalfrock — Mon, 11 Jan 2010 20:20:33 +0000

@vivek:

Add the following to your /etc/apt/apt.conf:

DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};

DPkg::Post-Invoke {"mount -o remount /tmp";};

(This remounts /tmp exec before running dpkg, then re-remounts it noexec when it's done.)

By: vivek

vivek — Fri, 21 Aug 2009 22:29:51 +0000

If you mount /tmp with no-exec apt tends to fail since it unzips files in /tmp and runs postinstall from there. Are you sure about this?

By: Bookmarks for 29.07.2009 through 03.08.2009 - mafflog

Bookmarks for 29.07.2009 through 03.08.2009 - mafflog — Mon, 03 Aug 2009 15:01:28 +0000

[...] almost effortless » Stupid Linux Tricks: Basic Server Hardening (Debian Lenny) – [...]

By: Timothy O'Conne

Timothy O'Conne — Wed, 20 May 2009 07:23:53 +0000

I realized, shortly after I added the bit about

/usr/bin/mesg n

to root's .bashrc that I was getting mysterious errors from non-interactive processes. Namely, when I ran rsync via cron, I was getting emails from cron that looked like this:

stdin: is not a tty
 
stdin: is not a tty
 
stdin: is not a tty

It didn't take long for me to put two and two together and realize that this was output from that mesg command: it couldn't do its thing because it didn't have a tty on account of the session being a non-interactive one. In order to silence that particular lamb, I adjusted the mesg command in root's .bashrc:

if [ ! -f $USER ]
 
    then /usr/bin/mesg n
 
fi

It's sort of ugly, but it gets the job done: if you're starting an interactive session and you've got a $USER variable, then you get your mesg sent to n. If you're not, then you don't. Easy-peasy.