Comments on: Stupid Linux Tricks: Basic Server Hardening (Debian Lenny) http://almosteffortless.com/2009/05/15/stupid-linux-tricks-basic-server-hardening-debian-lenny/ Wed, 10 Mar 2010 01:15:13 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: jalfrock http://almosteffortless.com/2009/05/15/stupid-linux-tricks-basic-server-hardening-debian-lenny/comment-page-1/#comment-69376 jalfrock Tue, 12 Jan 2010 01:20:33 +0000 http://almosteffortless.com/?p=1353#comment-69376 @vivek: Add the following to your /etc/apt/apt.conf: DPkg::Pre-Invoke{"mount -o remount,exec /tmp";}; DPkg::Post-Invoke {"mount -o remount /tmp";}; (This remounts /tmp exec before running dpkg, then re-remounts it noexec when it's done.) @vivek:

Add the following to your /etc/apt/apt.conf:
DPkg::Pre-Invoke{“mount -o remount,exec /tmp”;};
DPkg::Post-Invoke {“mount -o remount /tmp”;};

(This remounts /tmp exec before running dpkg, then re-remounts it noexec when it’s done.)

]]> By: vivek http://almosteffortless.com/2009/05/15/stupid-linux-tricks-basic-server-hardening-debian-lenny/comment-page-1/#comment-68916 vivek Sat, 22 Aug 2009 04:29:51 +0000 http://almosteffortless.com/?p=1353#comment-68916 If you mount /tmp with no-exec apt tends to fail since it unzips files in /tmp and runs postinstall from there. Are you sure about this? If you mount /tmp with no-exec apt tends to fail since it unzips files in /tmp and runs postinstall from there. Are you sure about this?

]]> By: Bookmarks for 29.07.2009 through 03.08.2009 - mafflog http://almosteffortless.com/2009/05/15/stupid-linux-tricks-basic-server-hardening-debian-lenny/comment-page-1/#comment-68874 Bookmarks for 29.07.2009 through 03.08.2009 - mafflog Mon, 03 Aug 2009 15:01:28 +0000 http://almosteffortless.com/?p=1353#comment-68874 [...] almost effortless » Stupid Linux Tricks: Basic Server Hardening (Debian Lenny) – [...] [...] almost effortless » Stupid Linux Tricks: Basic Server Hardening (Debian Lenny) – [...]

]]> By: Timothy O'Connell http://almosteffortless.com/2009/05/15/stupid-linux-tricks-basic-server-hardening-debian-lenny/comment-page-1/#comment-68684 Timothy O'Connell Wed, 20 May 2009 13:23:53 +0000 http://almosteffortless.com/?p=1353#comment-68684 I realized, shortly after I added the bit about <pre>/usr/bin/mesg n</pre> to root's <em>.bashrc</em> that I was getting mysterious errors from non-interactive processes. Namely, when I ran rsync via cron, I was getting emails from cron that looked like this:<pre>stdin: is not a tty stdin: is not a tty stdin: is not a tty</pre> It didn't take long for me to put two and two together and realize that this was output from that <em>mesg</em> command: it couldn't do its thing because it didn't have a tty on account of the session being a non-interactive one. In order to silence that particular lamb, I adjusted the <em>mesg</em> command in root's <em>.bashrc</em>:<pre>if [ ! -f $USER ] then /usr/bin/mesg n fi</pre> It's sort of ugly, but it gets the job done: if you're starting an interactive session and you've got a <strong>$USER</strong> variable, then you get your <em>mesg</em> sent to <em>n</em>. If you're not, then you don't. Easy-peasy. I realized, shortly after I added the bit about 
/usr/bin/mesg n

to root’s .bashrc that I was getting mysterious errors from non-interactive processes.

Namely, when I ran rsync via cron, I was getting emails from cron that looked like this: 

stdin: is not a tty
stdin: is not a tty
stdin: is not a tty

It didn’t take long for me to put two and two together and realize that this was output from that mesg command: it couldn’t do its thing because it didn’t have a tty on account of the session being a non-interactive one.

In order to silence that particular lamb, I adjusted the mesg command in root’s .bashrc: 

if [ ! -f $USER ]
    then /usr/bin/mesg n
fi

It’s sort of ugly, but it gets the job done: if you’re starting an interactive session and you’ve got a $USER variable, then you get your mesg sent to n. If you’re not, then you don’t. Easy-peasy.

]]>