I'm hosting a simple wsgi application on httpd over CentOS 7 using mod_wsgi and trying to remove the isolation illustrated below.

The wsgi app,

The following script is my wsgi application.

  • it creates a file called /tmp/test-wsgi.txt
  • enumerates the content of /tmp as a simple json list


import json
import os


def application(environ, start_response):
    status = '200 OK'
    headers = [('Content-Type', 'application/json')]
    start_response(status, headers)

    # create a marker file so its visibility can be checked from a root shell
    with open('/tmp/test-wsgi.txt', 'w+') as w:
        w.write('hello world')

    # return the directory listing as a JSON body (WSGI expects an iterable of bytes)
    files = os.listdir('/tmp')
    return [json.dumps(files).encode('utf-8')]

When I'm accessing my web application I'm getting the following response


Great so far!


Connected to the same hosting server as root,

I've opened a shell and executed cat /tmp/test-wsgi.txt


From playing around with it, it seems that any filesystem operation (enumeration/creation/socket access) inside my wsgi script is "environmentally isolated" (like a chroot jail). The strange thing is I haven't configured any of that type of isolation.

httpd config


<VirtualHost *:80>

    DocumentRoot /opt/my-app/

    WSGIScriptAlias / /opt/my-app/apache/wsgi.py

    <Directory /opt/my-app/apache>
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

</VirtualHost>

User apache
Group apache




Security Feature, PrivateTmp

It's a security feature called PrivateTmp, configured by default with httpd systemd service.

How to disable it?

Edit /usr/lib/systemd/system/httpd.service and remove the following line:

PrivateTmp=true

Then run the following commands,

sudo systemctl daemon-reload
sudo service httpd restart
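The following is an added example, not code from the question or the answer. It covers both halves of the thread: how to tell from inside the WSGI worker that the process is looking at a private /tmp (the mount root of /tmp in /proc/self/mountinfo is a systemd-private-* directory), and how to read the effective PrivateTmp setting from unit-file text when drop-ins are layered over the vendor unit. The unit text, the drop-in and the mountinfo excerpt are constructed samples; the instance id in the private path is made up.

```python
import json
import os

# Constructed sample of a vendor unit as shipped in /usr/lib/systemd/system/httpd.service.
# Only the PrivateTmp directive matters here; the rest is illustrative.
VENDOR_UNIT = """[Unit]
Description=The Apache HTTP Server

[Service]
Type=notify
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
PrivateTmp=true

[Install]
WantedBy=multi-user.target
"""

# Constructed drop-in, i.e. what /etc/systemd/system/httpd.service.d/override.conf
# would hold to turn the setting off without editing the vendor file (assumption:
# the reader prefers a drop-in; the answer above edits the vendor unit directly).
DROPIN_OVERRIDE = """[Service]
PrivateTmp=false
"""

# Constructed /proc/self/mountinfo excerpt as seen from a worker running under
# PrivateTmp: /tmp is a bind mount whose root is a per-service private directory.
SAMPLE_MOUNTINFO = """22 63 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
63 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
91 63 253:0 /tmp/systemd-private-0123456789abcdef-httpd.service-AbCdEf/tmp /tmp rw,relatime shared:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
"""


def effective_private_tmp(unit_texts):
    """Effective PrivateTmp value for unit-file texts given in load order
    (vendor unit first, then drop-ins). The last assignment wins; when the
    directive is absent systemd's default is off."""
    value = False
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(('#', ';')):
                continue
            if line.startswith('[') and line.endswith(']'):
                section = line[1:-1]
                continue
            if section != 'Service' or '=' not in line:
                continue
            key, _, val = line.partition('=')
            if key.strip() == 'PrivateTmp':
                value = val.strip().lower() in ('1', 'yes', 'true', 'on')
    return value


def tmp_mount_root(mountinfo_text):
    """Root of the filesystem mounted at /tmp: field 4 of the mountinfo line
    whose mount point (field 5) is /tmp. None if /tmp is not its own mount."""
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == '/tmp':
            return fields[3]
    return None


def private_tmp_in_effect(mountinfo_text):
    """True when /tmp is bind-mounted from a systemd-private-* directory."""
    root = tmp_mount_root(mountinfo_text)
    return root is not None and '/systemd-private-' in root


def application(environ, start_response):
    """Diagnostic WSGI app: reports what /tmp looks like from inside the worker.
    Drop this in place of the app from the question to see the isolation directly."""
    start_response('200 OK', [('Content-Type', 'application/json')])
    try:
        with open('/proc/self/mountinfo') as f:
            mountinfo = f.read()
    except IOError:
        mountinfo = ''
    body = {
        'pid': os.getpid(),
        'tmp_mount_root': tmp_mount_root(mountinfo),
        'private_tmp': private_tmp_in_effect(mountinfo),
        'tmp_listing': sorted(os.listdir('/tmp')),
    }
    return [json.dumps(body).encode('utf-8')]
```

On a live host the same check is available without code: `systemctl show -p PrivateTmp httpd` prints the effective value, and the private directory the worker sees is visible from a root shell under /tmp/systemd-private-*/tmp, which is where the questioner's test-wsgi.txt actually landed.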