Strange behaviour with the mount namespace of Apache2 on Raspbian

I'm currently trying to understand why Apache2 (2.4.25-3+deb9u2) running on Raspbian Stretch (Linux raspberrypi 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l GNU/Linux) has a different view of the root mount point than, for example, bash.

cat /proc/PID of Apache2/mountinfo gives the following output:

    129 127 179:2 / / ro,noatime shared:80 master:1 - ext4 /dev/root ro,data=ordered

cat /proc/self/mountinfo executed from bash gives the following output:

    15 0 179:2 / / ro,noatime shared:1 - ext4 /dev/root ro,data=ordered

As far as I have understood the explanations from man 7 mount_namespaces, https://lwn.net/Articles/689856/, https://lwn.net/Articles/690679/ and man 5 proc, the output tells me that Apache is a slave to the peer group 1. It itself created a shared peer group with ID 80.

What I don't understand is why that happens. I thought that systemd is in control of that, so I created the file /etc/systemd/system/apache2.service with the following content:

    .include /lib/systemd/system/apache2.service

    [Service]
    MountFlags=shared

But obviously this didn't help. There's also no difference when I remove the MountFlags line.

So next to understanding why the situation is like it is, I would like to know if there's any way to prevent Apache from becoming a slave to the root mount peer group.

Furthermore, if I remount the root directory to be writeable by mount -o remount,rw / in bash, this is not propagated into the Apache2 mount namespace. Example, starting with the mountinfo from above:

    # mount -o remount,rw /
    # cat /proc/self/mountinfo
    15 0 179:2 / / rw,noatime shared:1 - ext4 /dev/root rw,data=ordered
    # cat /proc/PID of Apache2/mountinfo
    129 127 179:2 / / ro,noatime shared:80 master:1 - ext4 /dev/root rw,data=ordered

Is this part of any security feature of Apache?

Update 1: If I (re)start the Apache2 service while root is mounted rw, the remounts will be propagated to the Apache2 mount namespace. Only if the Apache2 service is started while root is ro, it does not work?!

  • did you remember to do sudo systemctl daemon-reload after editing the service unit?
    – meuh
    Oct 17 '17 at 18:09

  • Yes, of course...
    – Max Senft
    Oct 19 '17 at 11:50

edited Oct 16 '17 at 15:21
asked Oct 16 '17 at 13:13
Max Senft
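As an added example (not code from the question or the answer), the following Python script parses the two mountinfo lines quoted above the way man 5 proc defines them, reading the propagation tags, the per-mount flags and the superblock options separately, and reports why the Apache process's root mount looks different from the host shell's. The sample input is constructed from the lines in the question; the function names are my own.

```python
"""Compare a service's view of the root mount with the host's (man 5 proc, mountinfo)."""

# Constructed sample input: the two mountinfo lines quoted in the question,
# captured after `mount -o remount,rw /` had been run in the host shell.
HOST_MOUNTINFO = "15 0 179:2 / / rw,noatime shared:1 - ext4 /dev/root rw,data=ordered\n"
APACHE_MOUNTINFO = ("129 127 179:2 / / ro,noatime shared:80 master:1"
                    " - ext4 /dev/root rw,data=ordered\n")

def parse_mountinfo(text):
    """Parse mountinfo into {mount_point: fields}; ' - ' separates mount from superblock."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        left, right = line.split(" - ", 1)
        f = left.split()
        fs, source, sb_opts = right.split(None, 2)
        tags = dict(t.split(":", 1) for t in f[6:] if ":" in t)  # shared:N, master:N
        mounts[f[4]] = {"id": int(f[0]), "mount_opts": set(f[5].split(",")),
                        "shared": tags.get("shared"), "master": tags.get("master"),
                        "fs": fs, "source": source, "sb_opts": set(sb_opts.split(","))}
    return mounts

def describe_propagation(m):
    """Human-readable propagation state of one mount."""
    if m["master"] and m["shared"]:
        return "slave of peer group %s, also shared in own group %s" % (m["master"], m["shared"])
    if m["master"]:
        return "slave of peer group %s" % m["master"]
    if m["shared"]:
        return "shared in peer group %s" % m["shared"]
    return "private"

def compare_root(host, svc):
    """Findings explaining a differing root mount. A service in its own mount
    namespace (e.g. systemd PrivateTmp=yes) gets copies of the host's mounts as
    slaves of the host's peer groups; per-mount flags such as ro are copied at
    namespace creation and a later remount on the host does not propagate them,
    while the superblock options change for both views (one shared superblock)."""
    h, s = host["/"], svc["/"]
    findings = []
    if s["id"] != h["id"]:
        findings.append("different mount IDs: service has its own mount namespace")
    if s["master"] == h["shared"]:
        findings.append("service root is a slave of host peer group %s" % h["shared"])
    if ("ro" in s["mount_opts"]) != ("ro" in h["mount_opts"]):
        findings.append("per-mount ro/rw differs: remount flags did not propagate")
    if s["source"] == h["source"] and s["sb_opts"] == h["sb_opts"]:
        findings.append("superblock options match: both views share one superblock")
    return findings
```

To run it against a live system, feed parse_mountinfo the contents of /proc/self/mountinfo and /proc/<PID>/mountinfo of the service and print compare_root of the two results.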

1 Answer
Remove the PrivateTmp=true setting in apache2.service.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html :

    If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace.

  • I already found out that solution but forgot to update this question. Sorry. But to keep the original config files original, I created the file /etc/systemd/system/apache2.service.d/config_override.conf with the line PrivateTmp=false under the [Service] group.
    – Max Senft
    Mar 17 at 14:05

answered Feb 19 at 5:32
WhiteWind