#1 2013-10-29 14:16:13

psycketom
Member
Registered: 2012-07-29
Posts: 15

[SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

Title field appears to be limited in acceptable symbols, so, the proper title would be `sudo mount` from Apache's (mod_php) context is successful, but not applied to whole system.

Apache is run as http:http, http is added to sudoers as http ALL=(ALL) NOPASSWD: ALL.

Now, drop the "insecurity" bucket, I know how insecure it is. This is for a different kind of environment - a NAS (as in Network Attached Storage), that has a web-based OS on top of it, written in PHP for the sake of simplicity and team scalability. The Web OS and NAS together make up for Mobotix IP camera storage and configuration.

I've already asked 2 questions on Stack Exchange network - http://stackoverflow.com/questions/1959 … h-nopasswd and here http://unix.stackexchange.com/questions … le-by-root, where I've explained the situation in great detail (at least I think I have).

Now, assuming that more experienced users do not camp Stack Exchange, I'm giving it a shot here. Arch is the distro under the NAS, so...

Basically, the problem's description can be narrowed down to:

Performing a `sudo mount /dev/sdb1 /mnt/firstdrive` in a web-request by PHP's exec mounts the filesystem successfully.
Though, it appears that the mount is made private for the running user.

Private as in... Logging in @ TTY0 with root and running lsblk or cat /proc/mounts does not show the mountpoint.

That breaks down some of the subsequent functionality required for some of the NAS's processes.

What could be the reason for `mount`/`umount` not executed system-wide?
How come commands like `parted`, `dd`, `mdadm`, `mkdir` execute as expected?
How do I overcome the issue?

P.S. Excuse the quirky environment, but, it actually works flawlessly (we've shipped about 30 units now, with no complaints, am refactoring/majorly upgrading now, hence the problem) and is very pleasant for quick extensions/modifications.

Thanks in advance!

Last edited by psycketom (2013-10-30 12:27:51)


#2 2013-10-30 08:47:14

psycketom
Member
Registered: 2012-07-29
Posts: 15

Re: [SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

Okay, now I'm really amazed.

I thought that there are problems with EUIDs and what not, so, I compiled Apache with `-DBIG_SECURITY_HOLE` to make it run as root.

Same problem remains, it mounts, but somewhere "behind the scenes".

Why doesn't mount work system-wide in Apache's context?

Update:
I've found out what's happening in "technical" terms. Apache appears to be running in its own mount namespace.

Querying cat /proc/<apaches-main-or-child-pid>/mounts displays the mount.

Now, how do I make the namespaced mount reflect the whole system?

Last edited by psycketom (2013-10-30 11:01:23)


#3 2013-10-30 12:06:25

hiciu
Member
Registered: 2010-08-11
Posts: 85

Re: [SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

Are you running apparmor or selinux or something like that? If not, check /etc/systemd/system/multi-user.target.wants/apache.service (make copy, remove symlink, change as you see fit).

edit: the file will be under /etc/systemd/system/multi-user.target.wants/httpd.service and you will want to delete the line with "PrivateTmp=true".

Last edited by hiciu (2013-10-30 12:16:21)


#4 2013-10-30 12:19:58

psycketom
Member
Registered: 2012-07-29
Posts: 15

Re: [SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

No AppArmor or SELinux.

What should I check for in the service?

Edit: Opened the thread without your edit, gonna see what happens with PrivateTmp removed.

Last edited by psycketom (2013-10-30 12:21:47)


#5 2013-10-30 12:20:47

hiciu
Member
Registered: 2010-08-11
Posts: 85

Re: [SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

PrivateTmp option. See "man systemd.exec".

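A check for the situation diagnosed in this thread, as an added example that is not code from the thread: it parses /proc/<pid>/mountinfo for a service process and for PID 1 and lists the mounts that exist only in the service's mount namespace, which is exactly what PrivateTmp=true produces. The two mountinfo excerpts are constructed samples (the apache PID's view after `sudo mount /dev/sdb1 /mnt/firstdrive` under PrivateTmp), and `hidden_mounts_for_pid` is an assumed helper name for running the same check against a live system.

```python
"""Detect mounts that a service made inside a private mount namespace."""

# Constructed /proc/<pid>/mountinfo excerpts (real files contain more lines).
# Fields: id parent major:minor root mountpoint options [optional...] - fstype source superopts
INIT_MOUNTINFO = """\
18 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 18 0:5 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=1G
30 18 0:20 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
# The httpd worker's view: /tmp is a bind mount of a private subdirectory of the host
# tmpfs (PrivateTmp), and the mount done via PHP's exec() lives only here.
APACHE_MOUNTINFO = """\
18 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 18 0:5 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=1G
40 18 0:20 /systemd-private-httpd/tmp /tmp rw,nosuid,nodev - tmpfs tmpfs rw
41 18 8:17 / /mnt/firstdrive rw,relatime - ext4 /dev/sdb1 rw
"""


def mountpoints(mountinfo):
    """Map mountpoint -> (source, root) from mountinfo text.

    The number of optional fields varies, so split on the ' - ' separator
    instead of assuming fixed column positions.
    """
    result = {}
    for line in mountinfo.splitlines():
        head, sep, tail = line.partition(" - ")
        fields, tail_fields = head.split(), tail.split()
        if not sep or len(fields) < 5 or len(tail_fields) < 2:
            continue  # blank or malformed line
        mountpoint = fields[4].replace("\\040", " ")  # mountinfo octal-escapes spaces
        result[mountpoint] = (tail_fields[1], fields[3])
    return result


def hidden_mounts(service_info, init_info):
    """Mounts visible to the service but absent from (or different in) PID 1's namespace.

    A non-empty result means the service runs in its own mount namespace, so its
    `mount` calls never become visible to the rest of the system.
    """
    svc, init = mountpoints(service_info), mountpoints(init_info)
    return {mp: val for mp, val in svc.items() if init.get(mp) != val}


def hidden_mounts_for_pid(pid):
    """Live variant (hypothetical helper); reading /proc/1/mountinfo needs root."""
    with open(f"/proc/{pid}/mountinfo") as svc, open("/proc/1/mountinfo") as init:
        return hidden_mounts(svc.read(), init.read())


if __name__ == "__main__":
    for mp, (src, root) in hidden_mounts(APACHE_MOUNTINFO, INIT_MOUNTINFO).items():
        print(f"{mp} ({src}, root {root}) is only visible inside the service's namespace")
```

On current systemd a drop-in created with `systemctl edit httpd.service` containing `[Service]` and `PrivateTmp=no` overrides the setting without copying the whole unit file.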

#6 2013-10-30 12:27:12

psycketom
Member
Registered: 2012-07-29
Posts: 15

Re: [SLVD] `sudo mount` from Apache's (mod_php) context isn't system-wide.

Seeing the man page alone depicts the issue is gonna be resolved.

And, yes, doing so did fix the issue.

Thanks!
