Re: Script behaving differently when run by Apache and when run from a shell by user www-data?

Hi Alan - spot on; thank you. To save having to learn about namespaces I've just started Apache without 'PrivateTmp' in the service file, and the script now works as expected (and 'lsns' no longer shows Apache as having its own mount namespace).

journalctl also now shows that systemd unmounts my device after the script issues the umount command, which it didn't before.

Disabling PrivateTmp isn't a great solution, but this is a one-off config, so I can restore it afterwards. If you want to answer the SO question I'll accept it.

On 24/01/2024 13:47, Curry, Alan wrote:
> On 1/23/2024 3:58 PM, EML wrote:
>
>> What's interesting here is that CGI appears to be doing something more
>> complex than simply forking a process. The script which is the problem
>> has an EUID of 0, so why can't it unmount a filesystem? Have I just
>> messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If
>
> Or is Apache in an isolated namespace, making its mount and unmount
> operations invisible to most other processes?
>
> You can investigate by comparing what /proc/$$/ns/mnt looks like inside
> and outside the problematic script. If this is the case, you might need
> to use nsenter(1) to access the namespace(s) in which you want your
> unmount to take effect.
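
The /proc/$$/ns/mnt comparison suggested above, as an added example that is not part of the original thread: it compares the calling shell's mount namespace with PID 1's and reports whether an unmount would stay private to the service. The function names are hypothetical, and it assumes the script runs as root so that /proc/1/ns/mnt is readable.

```sh
#!/bin/sh
# Added example: is this process in a private mount namespace
# (as with systemd's PrivateTmp)? Function names are hypothetical.

# Extract the inode from a link such as "mnt:[4026531841]".
# Returns 1 if the text is not a mount-namespace link.
ns_inode() {
    case "$1" in
        mnt:\[*\]) ;;
        *) return 1 ;;
    esac
    inode=${1#mnt:\[}
    inode=${inode%\]}
    case "$inode" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$inode"
}

# Classify two namespace links as "shared", "isolated" or "unknown".
classify_mnt_ns() {
    ours=$(ns_inode "$1") || { echo unknown; return 0; }
    host=$(ns_inode "$2") || { echo unknown; return 0; }
    if [ "$ours" = "$host" ]; then echo shared; else echo isolated; fi
}

# Read a PID's mount-namespace link; prints nothing if it is unreadable
# (reading /proc/1/ns/mnt normally requires root).
mnt_ns_link() {
    readlink "/proc/$1/ns/mnt" 2>/dev/null || true
}

# Compare this shell with PID 1 and say where an unmount would take effect.
report_mnt_ns() {
    self_link=$(mnt_ns_link "$$")
    init_link=$(mnt_ns_link 1)
    verdict=$(classify_mnt_ns "$self_link" "$init_link")
    echo "self=${self_link:-?} pid1=${init_link:-?} verdict=$verdict"
    if [ "$verdict" = isolated ]; then
        echo "umount here is private to this namespace; to act in PID 1's:"
        echo "  nsenter -t 1 -m umount <mountpoint>"
    fi
    return 0
}

report_mnt_ns
```

Called from both the CGI script and an interactive shell, a "shared" verdict in one and "isolated" in the other confirms that the service runs in its own mount namespace.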

