Is there a way to use checkinstall without mounting /var/tmp as exec?

1

I'm compiling nginx from source and wanted to use checkinstall so it can be uninstalled more easily later. The problem is that checkinstall executes scripts in /var/tmp which I mounted with noexec to prevent privilege escalation.

I found this site which recommends temporarily binding /var/tmp to a different place to allow script execution in /var/tmp. But doesn't that cause problems with running processes that use /var/tmp at that moment and render me vulnerable?

Which brings me to the question is there a way to use checkinstall without mounting /var/tmp as exec? Maybe using chroot or unshare?

SilentStorm

Posted 2017-03-25T10:52:58.127

Reputation: 11

Answers

0

Explanation

One can use the unshare command to create a namespace dedicated to a script:

unshare --mount /path/to/script # Execute command in dedicated mount namespace

The script then uses its own mount namespace. It could look like this:

mount --make-rslave /            # Prevent this mount namespace
                                 # from changing the real namespace
mount --bind /foo/tmptmp /foo/tmp # Do the bind (both paths absolute)
touch /foo/tmp/tmpFile           # Create tmp files
echo $( ls /foo/tmptmp )
echo $( ls /foo/tmp )
#output:
#tmpFile
#tmpFile

After the script is executed using unshare, let's look at what happened to the main system.

ls /foo/tmptmp
#output: tmpFile
ls /foo/tmp
#output: 
#(Note that the file is only present in /foo/tmptmp)
umount /foo/tmptmp
#output: umount: /foo/tmptmp: not mounted
#(Note that the bind did only affect the mount namespace of the script)

Solution

Applying this to the problem of the question yields the following script which needs to be called via unshare --mount:

mount --make-rslave /                # Keep mount changes inside this namespace
mount --bind /your/exec/tmpdir /var/tmp  # Source must be a directory on a filesystem mounted without noexec
checkinstall                         # Its scripts now run from the bound, exec-capable directory

SilentStorm

Posted 2017-03-25T10:52:58.127

Reputation: 11