For a web GUI to manage NFS mount points, we've run into a problem after migrating to CentOS 8.

JS Billings noted that:

> CentOS8 runs httpd in a private namespace (with its own private /tmp). Since it's such a terrible idea to give httpd the ability to run sudo, I've never tried this, but I suspect what you are seeing is the fact that the mounts are happening in the private namespace.

The effect is that when `system()`, or even a setuid program, calls `mount(2)` to mount NFS partitions, the partitions are only visible to subsequent HTTP calls and not to any processes running on the server itself.

Is there a way to configure `php-fpm` to not use mount namespaces?
- CentOS 8, kernel 4.18.0-147.el8.x86_64
- SELinux is disabled
- Apache/2.4.37 (centos)
- PHP 7.2.11
Following Michael Hampton's advice, changing `/etc/systemd/system/php-fpm.service` to disable `PrivateTmp` solved the problem:

```ini
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
# Disable private mount namespace
PrivateTmp=false
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
```
You can turn off `PrivateTmp=` in your `php-fpm.service` to prevent it from getting its own mount namespace. This has security implications, of course, so you may wish to review your code's use of temporary files.
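As an added example (not part of the question or answer above), the script below does two things a practitioner would want when applying this fix: it compares the mount namespace of two PIDs via `/proc/<pid>/ns/mnt`, so you can confirm before and after the change whether php-fpm actually shares PID 1's mount namespace, and it emits a systemd drop-in that sets `PrivateTmp=false` for php-fpm. A drop-in under `php-fpm.service.d/` is assumed here instead of editing the packaged unit file, so the override survives package upgrades; the drop-in file name is a choice of this example.

```shell
#!/bin/sh
# Added example: verify mount-namespace sharing and generate a php-fpm drop-in.

# Print "same" if the two PIDs share a mount namespace, "different" if they do
# not, and "unknown" if /proc/<pid>/ns/mnt cannot be read (for example when
# run without the privilege to inspect the target process).
same_mount_ns() {
    a=$(readlink "/proc/$1/ns/mnt" 2>/dev/null) || { echo unknown; return 0; }
    b=$(readlink "/proc/$2/ns/mnt" 2>/dev/null) || { echo unknown; return 0; }
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# Emit the drop-in text. Only the [Service] key being overridden is listed;
# everything else stays as shipped in the packaged php-fpm.service.
php_fpm_dropin() {
    printf '%s\n' \
        '[Service]' \
        '# Keep php-fpm in the host mount namespace so NFS mounts it triggers' \
        '# are visible system-wide. Review temp-file handling before enabling.' \
        'PrivateTmp=false'
}

# Usage (as root; file name below is this example's choice):
#   mkdir -p /etc/systemd/system/php-fpm.service.d
#   php_fpm_dropin > /etc/systemd/system/php-fpm.service.d/10-no-private-tmp.conf
#   systemctl daemon-reload && systemctl restart php-fpm
#   same_mount_ns 1 "$(systemctl show -p MainPID --value php-fpm)"   # expect: same
```

Before the drop-in is applied, the last command should print `different`, which is exactly the symptom described in the question: mounts made by php-fpm land in a namespace nothing else on the host can see.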
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.