How to disable debian 9 private tmp

Recently I upgraded one of my hosts from Debian jessie to the latest Debian stretch. After the upgrade I noticed that some of my Nagios checks were red and that my Django WSGI applications could no longer read from the system /tmp. The reason is that with Debian 9 some services ship systemd unit files that enforce private tmp directories. Of course, I understand the security idea behind it, and the man page of systemd gives some more explanation:

$ man systemd.exec
SYSTEMD.EXEC(5)                            systemd.exec                           SYSTEMD.EXEC(5)

NAME
       systemd.exec - Execution environment configuration

SYNOPSIS
       service.service, socket.socket, mount.mount, swap.swap

......

       PrivateTmp=
           Takes a boolean argument. If true, sets up a new file system namespace for the
           executed processes and mounts private /tmp and /var/tmp directories inside it that is
           not shared by processes outside of the namespace. This is useful to secure access to
           temporary files of the process, but makes sharing between processes via /tmp or
           /var/tmp impossible. If this is enabled, all temporary files created by a service in
           these directories will be removed after the service is stopped. Defaults to false. It
           is possible to run two or more units within the same private /tmp and /var/tmp
           namespace by using the JoinsNamespaceOf= directive, see systemd.unit(5) for details.
           This setting is implied if DynamicUser= is set. For this setting the same restrictions
           regarding mount propagation and privileges apply as for ReadOnlyPaths= and related
           calls, see above.

In my case, for example, some Nagios checks run as cron jobs and write status files to /tmp which are then read by the NRPE process itself. My Django WSGI applications, which write generated PDF files to /tmp, also stopped working, because the files end up in the private tmp of apache2 and can no longer be read via their /tmp paths.

Therefore I had to disable the private tmp for some processes.

How to disable the private tmp?

To disable it, I copy the systemd service file to /etc/systemd/system/, change the line PrivateTmp=true to PrivateTmp=false and restart the service.

I use apache2 as an example:

$ cp /lib/systemd/system/apache2.service /etc/systemd/system/

Now we change PrivateTmp=true to PrivateTmp=false:

$ grep PrivateTmp /etc/systemd/system/apache2.service
PrivateTmp=true

$ vi /etc/systemd/system/apache2.service
.....

$ grep PrivateTmp /etc/systemd/system/apache2.service
PrivateTmp=false

And at the end, restart the apache2 process:

$ systemctl restart apache2.service
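As an added example that is not part of the original post: the same change done as a systemd drop-in instead of a full copy of the unit file, plus a check of the effective PrivateTmp= value across the unit and its drop-ins. The directory paths, the file name private-tmp.conf and the function names are this example's own choices; it runs against a scratch directory and touches no real unit.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective PrivateTmp=
# of a unit the way systemd layers drop-ins (unit file, then <unit>.d/*.conf in
# lexical order; the last assignment wins) and write a drop-in override instead
# of copying the whole unit file. Paths are parameters so it runs against a
# scratch directory; function and file names are this example's own choices.
# effective_private_tmp <unit-file> [<dropin-dir>]
# Prints the last PrivateTmp= value found, or "unset" (systemd's default is false).
effective_private_tmp() {
    unit=$1; dropin_dir=$2
    value=unset
    set -- "$unit"
    if [ -n "$dropin_dir" ] && [ -d "$dropin_dir" ]; then
        set -- "$@" "$dropin_dir"/*.conf
    fi
    for f in "$@"; do
        [ -f "$f" ] || continue   # skip a missing file or an unmatched glob
        # Only uncommented PrivateTmp= lines count; trailing blanks are stripped.
        v=$(sed -n 's/^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*//p' "$f" \
            | tail -n 1 | sed 's/[[:space:]]*$//')
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# write_private_tmp_dropin <dropin-dir> <true|false>
# Writes <dropin-dir>/private-tmp.conf holding only the key to override, so the
# packaged unit under /lib/systemd/system keeps receiving package updates.
write_private_tmp_dropin() {
    dir=$1; setting=$2
    case $setting in
        true|false) ;;
        *) echo "PrivateTmp must be true or false, got '$setting'" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=%s\n' "$setting" > "$dir/private-tmp.conf"
}

# Demonstration on a constructed scratch tree mirroring the post's apache2 case.
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nPrivateTmp=true\n' > "$tmp/apache2.service"
    before=$(effective_private_tmp "$tmp/apache2.service" "$tmp/apache2.service.d")
    write_private_tmp_dropin "$tmp/apache2.service.d" false
    after=$(effective_private_tmp "$tmp/apache2.service" "$tmp/apache2.service.d")
    echo "PrivateTmp before=$before after=$after"   # before=true after=false
    rm -rf "$tmp"
}
demo
```

On a real host the drop-in goes to /etc/systemd/system/apache2.service.d/ (which is also where `systemctl edit apache2.service` puts it), followed by `systemctl daemon-reload` and the restart shown above.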
