Disable mount namespaces in Apache/PHP-FPM

Danny asked:

For a web GUI to manage NFS mount points, we’ve run into a problem after migrating to CentOS 8.

JS Billings noted that:

CentOS 8 runs httpd in a private namespace (with its own private /tmp).
Since it’s such a terrible idea to give httpd the ability to run sudo,
I’ve never tried this, but I suspect what you are seeing is the fact
that the mounts are happening in the private namespace.

The effect is that when mount(8) is run via system(), or even when a setuid program calls mount(2) to mount NFS partitions, the partitions are only visible to subsequent HTTP calls and not to any processes running on the server itself.

Is there a way to configure Apache and/or php-fpm to not use mount namespaces?

  • CentOS 8, kernel 4.18.0-147.el8.x86_64
  • SELinux is disabled
  • Apache/2.4.37 (centos)
  • PHP 7.2.11

EDIT I

Following Michael Hampton’s advice, changing /etc/systemd/system/php-fpm.service to disable PrivateTmp solved the problem:

[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID

# Disable private mount namespace
PrivateTmp=false
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

My answer:


You can turn off PrivateTmp= in your php-fpm.service to prevent it from getting its own mount namespace. This has security implications, of course, so you may wish to review your code’s use of temporary files.
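A way to verify the situation described in the question before and after the change, added here and not part of the question or answer: the script compares a service's mount namespace with PID 1's (a service whose /proc/PID/ns/mnt differs from PID 1's keeps its mounts to itself) and shows the same PrivateTmp= change as a systemd drop-in instead of an edited unit file. The unit name php-fpm.service comes from the question; the drop-in file name and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the Server Fault post. Assumes a systemd host with /proc.

# mnt_ns PID -> prints the mount-namespace id of PID, e.g. "mnt:[4026531840]"
mnt_ns() {
    readlink "/proc/$1/ns/mnt"
}

# same_mnt_ns PID_A PID_B -> 0 if both processes share one mount namespace,
# 1 if they differ, 2 if either PID cannot be inspected
same_mnt_ns() {
    a=$(mnt_ns "$1") || return 2
    b=$(mnt_ns "$2") || return 2
    [ "$a" = "$b" ]
}

# check_service UNIT -> 0 if UNIT's main process shares PID 1's mount
# namespace (its mounts are visible system-wide), 1 if it is private
check_service() {
    unit=$1
    pid=$(systemctl show -p MainPID --value "$unit") || return 2
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$unit: not running"; return 2
    fi
    if same_mnt_ns 1 "$pid"; then
        echo "$unit (pid $pid): shares the root mount namespace"
    else
        echo "$unit (pid $pid): private mount namespace $(mnt_ns "$pid");" \
             "mounts made by it stay inside it"
        echo "PrivateTmp=$(systemctl show -p PrivateTmp --value "$unit")"
        return 1
    fi
}

# write_override UNIT -> drop-in that turns PrivateTmp= off (the change the
# question made by editing the unit file), then reload and restart UNIT.
# File name "no-private-tmp.conf" is an assumption; any *.conf name works.
write_override() {
    unit=$1
    dir="/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=false\n' > "$dir/no-private-tmp.conf"
    systemctl daemon-reload && systemctl restart "$unit"
}

# Usage: sh check-mount-ns.sh php-fpm.service   (run as root to read PID 1)
if [ -n "${1:-}" ]; then
    check_service "$1"
fi
```

Run check_service again after write_override; it should report that php-fpm now shares the root mount namespace, which is what makes its NFS mounts visible to other processes.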


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.