
I have no open_basedir; PHP can access /etc, /usr, /proc, /home, etc., but not /tmp.

tmpfs is mounted on /tmp (/tmp type tmpfs (rw)). That's also the reason I want to use the /tmp folder.

My files are owned by http (the user for nginx and PHP) and readable by everyone.

sudo -u http cat /tmp/file works, but anything inside a PHP script does not (like file_exists() or file()).

Edit: the error shown in the log:

PHP Warning: file(/tmp/ydlw/pid): failed to open stream: No such file or directory in /srv/http/ydlw/status.php on line 267 

Edit 2: I tested the issue the other way. I made

touch("/tmp/boo"); file_exists("/tmp/boo");

and file_exists() returned true, so the file is created. Then I looked inside /tmp and no "boo" file could be found there. That's what I was afraid of: PHP does not «see» the mount point. Why is that, and how can I fix it?

  • What is the error returned by those PHP functions? What does the PHP error log show? Commented Jul 23, 2014 at 9:52
  • I added the error log. Commented Jul 23, 2014 at 9:55
  • Does this file /tmp/ydlw/pid exist in /tmp? If not, then that is the reason for the error message. Commented Jul 23, 2014 at 10:01
  • -rw-r--r-- 1 http http 343 23 Jul 10:12 /tmp/ydlw/pid Commented Jul 23, 2014 at 10:03
  • What is your Linux distribution and PHP version, and where did you get PHP from? Commented Jul 23, 2014 at 14:50

2 Answers


I found out why; well, someone gave me the general hint.

It's neither the fault of PHP nor of tmpfs. The culprit was systemd and its security feature PrivateTmp.

For those who run into the same issue I did: the php service (and probably some others) has the PrivateTmp option set to true in its systemd unit file (/usr/lib/systemd/system).

In that case, a new /tmp is created, isolated from the other one. All the data saved inside it is deleted once the service is stopped.

It's a security measure, since /tmp can contain a lot of sensitive information and PHP scripts are not always secure.

To deactivate this, simply copy the unit file into /etc/systemd/system (to avoid your changes being overwritten after an update) and set PrivateTmp to false.

You can also make two or more services share the same /tmp using JoinsNamespaceOf.

For more information > man systemd.exec

  • Thank you for that! I spent the whole day trying to figure that out. My brain is melting off my nose from trying so hard to figure that out. Commented Jul 28, 2015 at 13:09
  • I got confused on how exactly to do the steps, but this has helped me: maxoberberger.net/blog/2017/10/debian-9-private-tmp.html Commented Jun 2, 2020 at 17:11

I know I'm quite late to the show, but I'm currently working on this as well, which is why I want to add an idea. As @eephyne wrote, PrivateTmp is a security measure, so turning it off is possibly not the best choice. To overcome the problem that one service cannot access files in the /tmp of another service, systemd offers the JoinsNamespaceOf= option. By using this, we can define services that share /tmp, /var/tmp ... but are separated from the /tmp of other services.

To add JoinsNamespaceOf= to the systemd units, do not edit the unit files directly; always use systemctl edit ... to avoid confusion on OS updates.
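Both answers describe the same two knobs without showing the resulting unit files. The script below is an added example, not code from the question or from either answer: it writes the drop-in overrides that `systemctl edit` would produce for each approach (PrivateTmp=false for the first answer, JoinsNamespaceOf= for the second), so the change lives in /etc/systemd/system and survives package updates. The unit names php-fpm.service and nginx.service are assumptions (the question was asked on an Arch-style system, but the page never names the units); set UNIT and PEER for your distribution.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Writes the
# drop-in overrides discussed above the way `systemctl edit` would.
# Assumptions (not stated on the page): the PHP service is php-fpm.service
# and the web server that must see the same /tmp is nginx.service.
set -eu

UNIT="${UNIT:-php-fpm.service}"   # assumed: the service whose /tmp is private
PEER="${PEER:-nginx.service}"     # assumed: a service that needs the same /tmp
# Root of the admin-owned unit directory. Overridable so the functions can be
# exercised against a scratch directory instead of the live system.
SYSTEMD_ETC="${SYSTEMD_ETC:-/etc/systemd/system}"

# Option 1 (first answer): switch PrivateTmp off for one unit, so it sees the
# host's world-shared /tmp again. Prints the path of the drop-in it wrote.
disable_private_tmp() {
    unit="$1"
    dir="$SYSTEMD_ETC/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=false\n' > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Option 2 (second answer): keep PrivateTmp on, but have $joiner enter the
# mount namespace of $owner so both see one private /tmp and /var/tmp while
# staying isolated from every other service. JoinsNamespaceOf= only applies
# when PrivateTmp is enabled on both units, and the owner has to be running
# first, hence the explicit After= ordering.
share_private_tmp() {
    owner="$1"
    joiner="$2"
    dir="$SYSTEMD_ETC/$joiner.d"
    mkdir -p "$dir"
    printf '[Unit]\nJoinsNamespaceOf=%s\nAfter=%s\n\n[Service]\nPrivateTmp=true\n' \
        "$owner" "$owner" > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Tell systemd about the new drop-ins and restart the affected units.
reload_and_restart() {
    systemctl daemon-reload
    for u in "$@"; do
        systemctl restart "$u"
    done
}

# Usage: run as root with "disable" (option 1) or "share" (option 2).
case "${1:-}" in
    disable) disable_private_tmp "$UNIT"; reload_and_restart "$UNIT" ;;
    share)   share_private_tmp "$UNIT" "$PEER"; reload_and_restart "$UNIT" "$PEER" ;;
esac
```

Before changing anything, confirm the diagnosis with `systemctl show -p PrivateTmp php-fpm.service` (substituting your unit name); `PrivateTmp=yes` means the service's /tmp is a private bind mount, which on current systemd lives on the host under /tmp/systemd-private-*-php-fpm.service-*/tmp while the service runs, and that is where a file such as the question's "boo" actually ends up. PrivateTmp= is documented in systemd.exec(5) and JoinsNamespaceOf= in systemd.unit(5). Note the trade-off: option 1 puts the PHP workers back into the shared /tmp, where files with predictable names are exposed to other local users, whereas option 2 keeps that isolation and only widens it to the one peer that needs it.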
