6

I am using php-fpm with PrivateTmp enabled. I have to read a file from PHP, which is copied by a remote deployment agent to the /tmp directory. Since PrivateTmp is enabled, I am unable to directly access the /tmp directory.

Is it possible to read a file from the system /tmp folder when PrivateTmp is enabled? I tried creating a symbolic link to /tmp at /var/temp and accessing the file through /var/temp, but it did not work. /var/tmp is currently bind mounted from /tmp, and I also tried accessing the file through /var/tmp without any success.

Joyce Babu

2 Answers

5

Read the manual please:

PrivateTmp=
Takes a boolean argument. If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp or /var/tmp impossible.

So no, you can't read from the systemwide /tmp/ directory.

But there is a work-around in that same section of the manual:

... It is possible to run two or more units within the same private /tmp and /var/tmp namespace by using the JoinsNamespaceOf= directive, see systemd.unit(5) for details.

So if your remote deployment agent is also running from a systemd unit you can join them together in a single PrivateTmp shared between them that is still separate from the rest of the system.

If you can't do that: don't store the file in the system /tmp/ and simply have it placed/moved to another location...

HBruijn
There should be a workaround with nsenter or something, but we would need to know how systemd implements their wizardry. – Otheus Jan 08 '20 at 09:46
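A concrete pair of unit files for the JoinsNamespaceOf= approach the answer describes, added here as an example (not taken from the answer or from the systemd documentation). The unit names deploy-agent.service and php-fpm.service, the agent's binary path and the drop-in file name are assumptions; adjust them to the units actually installed on the host.

```ini
# /etc/systemd/system/deploy-agent.service   (assumed unit name)
[Unit]
Description=Remote deployment agent (example)

[Service]
# Assumed path to the agent binary.
ExecStart=/usr/local/bin/deploy-agent
# The agent gets its own private /tmp and /var/tmp; this is the
# namespace that php-fpm will join below.
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/php-fpm.service.d/join-tmp.conf   (drop-in; assumed unit name)
[Unit]
# Share the agent's private /tmp and /var/tmp instead of creating a new one.
# JoinsNamespaceOf= only affects /tmp when PrivateTmp=yes is set on BOTH
# units (php-fpm's own unit already has it enabled on this host).
JoinsNamespaceOf=deploy-agent.service
# Start the agent first so the shared namespace exists when php-fpm starts.
After=deploy-agent.service
```

After writing the files, run systemctl daemon-reload and restart both units; a file the agent writes to /tmp then appears under /tmp for php-fpm, while the rest of the system still sees neither. The drop-in keeps the distribution's php-fpm unit untouched, and PrivateTmp must not be turned off on either side, otherwise the join does nothing and the service falls back to the system /tmp, which is exactly the exposure PrivateTmp exists to avoid.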
2

You can use nsenter to run a command inside the network namespace.

So for example, if you wanted to see the files inside /tmp for the apache2 service you could do something like this:

# Resolve the main PID of the service, then run a command inside its mount namespace (-m).
pid=$(systemctl show --property=MainPID --value apache2.service)
nsenter -t "$pid" -m ls /tmp

This will run ls /tmp inside the mount namespace that the apache2 process is running in.

Also, the private tmp directory currently is located at a path like /tmp/systemd-private-*-apache2.service-* where the * are some kind of id. Although you probably shouldn't rely on a specific format or location for that.

Thayne
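The nsenter command above lists /tmp as the service sees it; the script below, added here as an example that is not from either answer, takes the other direction and reports which host directory is mounted on /tmp inside a process's mount namespace by parsing /proc/<pid>/mountinfo. That mount table is authoritative, so it locates the private directory without depending on the /tmp/systemd-private-* naming the answer warns against relying on. The regular expression that extracts the unit name from such a path is an assumption based on that naming pattern and is kept separate so a name change only breaks that one helper; the embedded mountinfo sample is constructed for the demonstration, not captured from a real host.

```python
"""Find the host directory that backs a process's private /tmp.

Reads the mount table of a process (/proc/<pid>/mountinfo) and reports
which host path is mounted on /tmp and /var/tmp inside that process's
mount namespace.  Run as:  python3 find_private_tmp.py <pid>
Without a PID it runs against the constructed sample below.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample of what /proc/<pid>/mountinfo might contain for a
# process started with PrivateTmp=yes.  Not captured from a real host;
# the boot id and random suffix are placeholders.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
24 22 8:1 /tmp/systemd-private-0123456789abcdef-apache2.service-ABCXYZ/tmp /tmp rw,relatime - ext4 /dev/sda1 rw
25 22 8:1 /var/tmp/systemd-private-0123456789abcdef-apache2.service-ABCXYZ/tmp /var/tmp rw,relatime - ext4 /dev/sda1 rw
"""


def unescape_mountinfo(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines into dicts with root, mount_point and fstype.

    Field layout per proc(5): id parent major:minor root mount_point
    options [optional fields...] - fstype source super_options.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        before, sep, after = line.partition(" - ")
        fields = before.split()
        if not sep or len(fields) < 6:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        after_fields = after.split()
        entries.append({
            "root": unescape_mountinfo(fields[3]),
            "mount_point": unescape_mountinfo(fields[4]),
            "fstype": after_fields[0] if after_fields else "",
        })
    return entries


def backing_root(text: str, mount_point: str = "/tmp") -> Optional[str]:
    """Host-side path mounted on mount_point in this namespace, or None
    if mount_point is not its own mount (no PrivateTmp-style bind mount).
    The last matching entry wins, since later mounts shadow earlier ones."""
    found = None
    for entry in parse_mountinfo(text):
        if entry["mount_point"] == mount_point:
            found = entry["root"]
    return found


# Assumed naming scheme: systemd-private-<bootid>-<unit>-<random>, with the
# "tmp" subdirectory bind-mounted.  Unit names may themselves contain '-'.
PRIVATE_TMP_RE = re.compile(r"/systemd-private-[0-9a-f]+-(?P<unit>.+)-[^-/]+/tmp$")


def unit_from_private_tmp(root: Optional[str]) -> Optional[str]:
    """Unit name encoded in a PrivateTmp root path, or None if the path
    does not follow that scheme (e.g. "/" when PrivateTmp is off)."""
    if root is None:
        return None
    match = PRIVATE_TMP_RE.search(root)
    return match.group("unit") if match else None


def inspect_pid(pid: int) -> Dict[str, Optional[str]]:
    """Read the live mount table of a process.  Reading another user's
    /proc/<pid>/mountinfo normally requires root."""
    text = Path(f"/proc/{pid}/mountinfo").read_text()
    result: Dict[str, Optional[str]] = {}
    for mount_point in ("/tmp", "/var/tmp"):
        root = backing_root(text, mount_point)
        result[mount_point] = root
        result[mount_point + ":unit"] = unit_from_private_tmp(root)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = inspect_pid(int(sys.argv[1]))
    else:
        report = {mp: backing_root(SAMPLE_MOUNTINFO, mp) for mp in ("/tmp", "/var/tmp")}
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the MainPID from systemctl show as in the answer. A result of None for /tmp means the process has no separate /tmp mount at all, i.e. PrivateTmp is not in effect for it, which is a useful thing to verify after changing unit files; a root path that matches the naming pattern tells you which unit's namespace the process is actually sharing.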