Landscape remote script execution error "No such file or directory: /tmp/..."

After applying USG hardening (CIS level 1) on our Ubuntu 22.04 LTS workstations, all Landscape remote script executions are failing with the following error:

FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpqzwjlzmy'

I was able to simulate this in a fresh system installation. A similar issue has been reported here.

So far, I have not been able to determine which CIS control is triggering this conflict with the Landscape client behavior. It would be of great help if anyone has an idea of which control is causing this, as having a fix for Landscape in the short term is unlikely.

Here is the full error stack output:

Upon execvpe /tmp/tmpqzwjlzmy ('/tmp/tmpqzwjlzmy',) in environment id 140110680300224
:Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/twisted/internet/process.py", line 397, in _fork
    self._execChild(path, uid, gid, executable, args, environment)
  File "/usr/lib/python3/dist-packages/twisted/internet/process.py", line 468, in _execChild
    os.execvpe(executable, args, environment)
  File "/usr/lib/python3.10/os.py", line 584, in execvpe
    _execvpe(file, args, env)
  File "/usr/lib/python3.10/os.py", line 598, in _execvpe
    exec_func(file, *argrest)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpqzwjlzmy'


The script complexity doesn't matter; in this example even a simple echo "hello" results in the same permission error.


landscape-client/landscape/client/manager/scriptexecution.py at main · canonical/landscape-client

Hi @epomattiio,
Could you issue the command below:

sudo usg audit cis_level1_server

and search for

Title   Add noexec Option to /tmp
Rule    xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result  true

I presume this policy was enforced as part of CIS level 1, so the noexec flag was set to prevent the execution of binaries there (/tmp).


@crisdel thanks for the help.

I checked this one earlier today and it only applies if /tmp is a partition.

That is not my case, as I get "Remediation is not applicable, nothing was done" in the bash output.

+ echo 'Remediating rule 177/282: '\''xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'\'''
+ '[' '!' -f /.dockerenv ']'
+ '[' '!' -f /run/.containerenv ']'
+ findmnt --kernel /tmp
+ findmnt --fstab /tmp
+ echo 'Remediation is not applicable, nothing was done'
+ echo 'Remediating rule 178/282: '\''xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec'\'''
+ '[' '!' -f /.dockerenv ']'
+ '[' '!' -f /run/.containerenv ']'
+ findmnt --kernel /tmp
+ findmnt --fstab /tmp
+ echo 'Remediation is not applicable, nothing was done'
+ echo 'Remediating rule 179/282: '\''xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid'\'''
+ '[' '!' -f /.dockerenv ']'
+ '[' '!' -f /run/.containerenv ']'
+ findmnt --kernel /tmp
+ findmnt --fstab /tmp
+ echo 'Remediation is not applicable, nothing was done'


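The remediation trace above only asks whether /tmp is itself a mount point (`findmnt --kernel /tmp`). As an added example that is not part of the thread, the functions below find the mount that actually covers a directory and report whether it carries noexec; the names `covering_mount`, `has_noexec` and `SAMPLE_MOUNTS` are hypothetical, and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the mount that backs a directory
# and check it for noexec, even when the directory is not a mount point itself.

# Constructed sample in /proc/self/mounts format (not taken from the thread).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nodev,relatime 0 0'

# covering_mount DIR [MOUNTS_FILE]
# Prints "<mountpoint> <options>" for the longest mount point that is a path
# prefix of DIR. Reads /proc/self/mounts unless another file is given.
# Limitation: octal escapes in mount points (e.g. \040 for a space) are not decoded.
covering_mount() {
    awk -v dir="$1" '
        {
            mp = $2
            # A mount covers dir if it is "/", equals dir, or is a parent path.
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                # ">=" lets a later mount stacked on the same point win.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts; else exit 1 }
    ' "${2:-/proc/self/mounts}"
}

# has_noexec DIR [MOUNTS_FILE]
# Returns 0 if the covering mount is noexec, 1 if not, 2 if no mount matched.
has_noexec() {
    m=$(covering_mount "$1" "$2") || return 2
    opts=${m##* }                      # last field: the option list
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}
```

On a client, `covering_mount /tmp` shows which filesystem and options apply to the directory the traceback names, and `has_noexec /tmp` turns that into an exit status.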