test_find_program_for_path requires /tmp to be mounted exec
This request will probably be a test issue, but could be considered an architecture issue.
This is in regards to the following tests:
88/335 glib:glib+core / utils ERROR
120/335 glib:glib+core+cc / utils-c-11 ERROR
121/335 glib:glib+core+cc / utils-c-17 ERROR
122/335 glib:glib+core+cc / utils-c-90 ERROR
123/335 glib:glib+core+cc / utils-c-99 ERROR
(output from v.2.76.4)
Part of the test is to write to /tmp, and execute what has been written. As even glib updates qualify as "internet downloads", this seems to demand a vulnerability. OK, so it is source code, and is meant to create an executable binary. Do you have to do it in tmp, where the world can read and write? Is there no other executable created that can satisfy the test?
To validate the vulnerable state, I refer to the following resources:
- https://www.tenable.com/audits/items/CIS_Debian_Family_Linux_v1.0.0_L1_Workstation.audit:5770ef66cb92c88dc10736e47765f1de
- https://discuss.elastic.co/t/logstash-will-not-start-with-tmp-mounted-noexec/324125
- https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-09-07/finding/V-230511
The logstash folks fixed their code. The other two test for this condition in the largest networks.
Edited by Philip Withnall
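The report above turns on one question: can a freshly written file be executed from the directory a test (or a program) picks as scratch space? On hosts hardened per the CIS and STIG items linked above, /tmp is mounted noexec and the execve() fails. The script below is an added example, not code from GLib or its test suite: it probes a directory by writing a tiny script there and running it, shows the mount options in effect (when util-linux findmnt is available), and walks a candidate list (TMPDIR, XDG_RUNTIME_DIR, /tmp, /var/tmp, ~/.cache) to find the first directory that actually allows execution. The function names dir_allows_exec, mount_opts_for and pick_exec_tmpdir and the candidate order are this example's own choices, not anything GLib does.

```shell
#!/bin/sh
# Added example (not GLib code): detect noexec scratch directories and pick a usable one.

# Return 0 if a file written into "$1" can be executed from there, 1 otherwise.
# A noexec mount makes execve() fail with EACCES, so the shell reports 126 and the
# probe's own exit status (7) never appears. Hypothetical helper name.
dir_allows_exec() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 7\n' > "$probe"
    chmod 0700 "$probe"
    "$probe" 2>/dev/null
    rc=$?
    rm -f "$probe"
    [ "$rc" -eq 7 ]
}

# Print the mount options of the filesystem holding "$1" (look for "noexec").
# Needs findmnt from util-linux; returns 1 if it is not installed. Hypothetical helper name.
mount_opts_for() {
    command -v findmnt >/dev/null 2>&1 || return 1
    findmnt -n -o OPTIONS --target "$1"
}

# Print the first argument that passes dir_allows_exec; empty arguments are skipped
# so unset environment variables can be passed straight through. Returns 1 if none pass.
# Hypothetical helper name.
pick_exec_tmpdir() {
    for d in "$@"; do
        [ -n "$d" ] || continue
        if dir_allows_exec "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Stand-alone usage: report which candidate this host would let a test execute from.
if dir=$(pick_exec_tmpdir "${TMPDIR:-}" "${XDG_RUNTIME_DIR:-}" /tmp /var/tmp "${HOME:-/}/.cache"); then
    echo "exec-capable scratch dir: $dir (mount options: $(mount_opts_for "$dir" || echo unknown))"
else
    echo "no candidate directory allows executing a freshly written file" >&2
fi
```

Run it on a host where /tmp carries noexec and the first candidate that succeeds is typically /var/tmp or the user's home, which is the fallback a test harness would need if it is to pass on hardened machines without asking the administrator to weaken the /tmp mount.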