Hi Alan - spot on; thank you. To save having to learn about namespaces I've just started Apache without 'PrivateTmp' in the service file, and the script now works as expected (and 'lsns' no longer shows Apache as having its own mount namespace).
journalctl also now shows that systemd unmounts my device after the script issues the umount command, which it didn't before.
Disabling PrivateTmp isn't a great solution, but this is a
one-off config, so I can restore it afterwards. If you want to
answer the SO question I'll accept it.
On 1/23/2024 3:58 PM, EML wrote:
> What's interesting here is that CGI appears to be doing something more complex than simply forking a process. The script which is the problem has an EUID of 0, so why can't it unmount a filesystem? Have I just messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If

Or is Apache in an isolated namespace, making its mount and unmount operations invisible to most other processes? You can investigate by comparing what /proc/$$/ns/mnt looks like inside and outside the problematic script. If this is the case, you might need to use nsenter(1) to access the namespace(s) in which you want your unmount to take effect.
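The namespace comparison suggested above, and the nsenter fallback, as an added shell example (this is not code from either poster or from Apache/systemd). It assumes a Linux host with procfs and util-linux's nsenter; `mnt_ns_of`, `same_mnt_ns` and `umount_in_init_ns` are names chosen here. Reading another process's /proc/PID/ns/mnt link and entering PID 1's mount namespace both need root (CAP_SYS_PTRACE and CAP_SYS_ADMIN), which is what a CGI script with EUID 0 under a PrivateTmp=yes unit has, but only inside its own private mount namespace:

```shell
#!/bin/sh
# Added example: detect whether the current process runs in a private mount
# namespace (as systemd's PrivateTmp=yes causes) and, if so, perform the
# unmount in the init (PID 1) mount namespace via nsenter(1).

# mnt_ns_of PID -> prints the mount-namespace link target, e.g. "mnt:[4026531840]"
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# ns_inode "mnt:[4026531840]" -> "4026531840"
# Extracts the inode number that uniquely identifies a namespace.
ns_inode() {
    printf '%s\n' "$1" | sed 's/^[a-z_]*:\[\([0-9]*\)\]$/\1/'
}

# same_mnt_ns PID_A PID_B -> exit 0 if both PIDs share a mount namespace,
# 1 if they differ, 2 if either link could not be read (e.g. EACCES as non-root).
same_mnt_ns() {
    a=$(mnt_ns_of "$1") || return 2
    b=$(mnt_ns_of "$2") || return 2
    [ "$(ns_inode "$a")" = "$(ns_inode "$b")" ]
}

# umount_in_init_ns TARGET -> unmount TARGET so that the rest of the system
# (and systemd's own mount tracking) sees it, even from a private namespace.
umount_in_init_ns() {
    if same_mnt_ns "$$" 1; then
        umount "$1"
    else
        # Enter PID 1's mount namespace only; other namespaces stay as they are.
        nsenter --target 1 --mount -- umount "$1"
    fi
}

# Diagnostic usage: compare this shell against PID 1 (the check the reply suggests).
if [ "${1:-}" = "--check" ]; then
    echo "self: $(mnt_ns_of "$$")"
    echo "init: $(mnt_ns_of 1 2>/dev/null || echo '<unreadable, run as root>')"
    same_mnt_ns "$$" 1 && echo "same mount namespace" || echo "different (or unreadable)"
fi
```

Run `sh thisfile.sh --check` from the CGI script and from an interactive root shell; different inode numbers confirm the private namespace that the reply describes, and an unmount done through `umount_in_init_ns` then takes effect where the rest of the system can see it.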