These days I upgraded one of my hosts from Debian Jessie to the latest Debian Stretch. After that upgrade I noticed that some of my Nagios checks were red and that my Django WSGI applications could no longer read from the system /tmp. The main reason is that with Debian 9 some services run under systemd now enforce private tmp directories. Of course, I understand the security idea behind that. The man page of systemd gives some more explanation:
$ man systemd.exec
SYSTEMD.EXEC(5)                      systemd.exec                     SYSTEMD.EXEC(5)

NAME
       systemd.exec - Execution environment configuration

SYNOPSIS
       service.service, socket.socket, mount.mount, swap.swap
......
       PrivateTmp=
           Takes a boolean argument. If true, sets up a new file system namespace
           for the executed processes and mounts private /tmp and /var/tmp
           directories inside it that is not shared by processes outside of the
           namespace. This is useful to secure access to temporary files of the
           process, but makes sharing between processes via /tmp or /var/tmp
           impossible. If this is enabled, all temporary files created by a
           service in these directories will be removed after the service is
           stopped. Defaults to false. It is possible to run two or more units
           within the same private /tmp and /var/tmp namespace by using the
           JoinsNamespaceOf= directive, see systemd.unit(5) for details. This
           setting is implied if DynamicUser= is set. For this setting the same
           restrictions regarding mount propagation and privileges apply as for
           ReadOnlyPaths= and related calls, see above.
In my case I have, for example, some Nagios checks running as cron jobs which write status files to /tmp that are then read by the Nagios NRPE process itself. Also my Django WSGI applications, which write generated PDF files to /tmp, do not work any more, because the files end up in the private tmp of apache2 and can't be reached via the /tmp links any more.
Therefore I had to disable the private tmp for some processes.
How to disable the private tmp?
To disable it, I copy the systemd service file to /etc/systemd/system/, change the line PrivateTmp=true to PrivateTmp=false and restart the process.
I use apache2 as an example:
$ cp /lib/systemd/system/apache2.service /etc/systemd/system/
Now we edit the copied service file and set PrivateTmp to false:
$ grep PrivateTmp /etc/systemd/system/apache2.service
PrivateTmp=true
$ vi /etc/systemd/system/apache2.service
.....
$ grep PrivateTmp /etc/systemd/system/apache2.service
PrivateTmp=false
And at the end, restart the apache2 process:
$ systemctl restart apache2.service
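A drop-in variant of the procedure above, added here as an example that is not part of the original post: a full copy in /etc/systemd/system/ shadows the packaged unit entirely, so later changes shipped by the apache2 package are ignored, while a drop-in in apache2.service.d/ overrides only PrivateTmp. The lib/etc directory paths are parameters so the functions run against constructed files, and the drop-in file name 50-private-tmp.conf is an assumption of my own.

```shell
#!/bin/sh
# Added example, not from the original post: disable PrivateTmp with a systemd
# drop-in in ETC_DIR/UNIT.d/ instead of copying the whole unit file. Directory
# paths are parameters so the functions can be exercised on constructed files.
set -eu

# write_private_tmp_override UNIT VALUE ETC_DIR
# Writes ETC_DIR/UNIT.d/50-private-tmp.conf (the file name is our own choice).
# A drop-in only carries the keys it changes; everything else stays vendor-supplied.
write_private_tmp_override() {
    unit=$1; val=$2; etc_dir=$3
    mkdir -p "$etc_dir/$unit.d"
    printf '[Service]\nPrivateTmp=%s\n' "$val" > "$etc_dir/$unit.d/50-private-tmp.conf"
}

# effective_private_tmp UNIT LIB_DIR ETC_DIR
# Mirrors systemd's precedence for this one key: the vendor unit in LIB_DIR is
# read first, then drop-ins in ETC_DIR/UNIT.d in lexical order, last assignment
# wins. Prints the winning value, or "false" (the documented default) if unset.
effective_private_tmp() {
    unit=$1; lib_dir=$2; etc_dir=$3
    value=false
    for f in "$lib_dir/$unit" "$etc_dir/$unit.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^PrivateTmp[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# demo: constructed stand-in for /lib/systemd/system/apache2.service, so the
# whole flow runs offline. Prints the value before and after the override.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/etc"
    printf '[Unit]\nDescription=constructed apache2 unit\n[Service]\nPrivateTmp=true\n' \
        > "$tmp/lib/apache2.service"
    before=$(effective_private_tmp apache2.service "$tmp/lib" "$tmp/etc")
    write_private_tmp_override apache2.service false "$tmp/etc"
    after=$(effective_private_tmp apache2.service "$tmp/lib" "$tmp/etc")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"
}

demo   # prints: true false
```

On a real host the directories are /lib/systemd/system and /etc/systemd/system, and the change takes effect after systemctl daemon-reload followed by systemctl restart apache2.service; systemctl show -p PrivateTmp apache2.service then confirms the value the running unit has.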