Subject: Re: running (DE)INSTALL scripts vs. noexec mounted /var
To: None <tech-pkg@netbsd.org>
From: Martin Weber <Ephaeton@gmx.net>
List: tech-pkg
Date: 11/09/2001 22:04:52
On Fri, Nov 09, 2001 at 05:11:27PM +0100, Hubert Feyrer wrote:
> [...]
> if (script exists) {
> sh script someargs
> }
>
> The implications are that
>
> * /var can be mounted noexec
> * The scripts MUST be /bin/sh scripts, no executables, perl scripts etc.
> allowed.

Well, I don't know perl too well, but assume my deinstall script used
tcl, I would rewrite it from

    #! /path/to/tclsh
    ....

to

    #! /bin/sh
    # or even nothing \
    exec tclsh "$0" "$@"
    ....

This way you can call it with sh <scriptfile>, and it should work
even with /var mounted noexec, because the interpreter resides
somewhere else than in /var.

So the final implication, if I did not miss anything, is:
* /var can be mounted noexec
* The scripts using another interpreter than /bin/sh must be rewritten
to fit the scheme their interpreter uses for sh-wrappers (see above)
* Binary DEINSTALLs are no longer feasible.
Martin Weber
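
The sh-wrapper scheme discussed in this message, as an added shell example that is not part of the original post or of the pkg tools. It assumes that a file with no execute bit (mode 0644) is a fair stand-in for a script on a noexec /var, since in both cases a direct exec of the file is refused while the file stays readable; the package name, arguments and temporary path are constructed.

```shell
#!/bin/sh
# Added illustration; package name, arguments and paths are constructed.
# Assumption: mode 0644 stands in for noexec /var. Both make a direct
# exec of the script fail while leaving the file readable by sh.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
script="$demo_dir/DEINSTALL"

# DEINSTALL script with the sh-wrapper header from the message.
# sh ends the comment at the newline and runs the exec line;
# tclsh treats the backslash as continuing the comment and skips it.
cat > "$script" <<'EOF'
#! /bin/sh
# hidden from tclsh by the trailing backslash \
exec tclsh "$0" "$@"
puts "tcl args: $argv"
EOF
chmod 0644 "$script"

# Direct execution: the kernel has to exec the file itself and refuses.
# Prints the exit status (126 = found but not executable).
run_direct() {
    rc=0
    "$script" pkg-1.0 DEINSTALL 2>/dev/null || rc=$?
    echo "$rc"
}

# The proposed call: sh reads the file as data, then execs an
# interpreter that lives outside the restricted filesystem.
run_via_sh() {
    if ! command -v tclsh >/dev/null 2>&1; then
        echo "tclsh not installed"
        return 0
    fi
    sh "$script" pkg-1.0 DEINSTALL
}

echo "direct exec exit status: $(run_direct)"
echo "sh DEINSTALL pkg-1.0 DEINSTALL: $(run_via_sh)"
```

The same run also shows that noexec only blocks a direct exec of the file: any interpreter installed elsewhere will still read and run a script stored on that filesystem.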