search for: privatetmp

...nutes as user AppUser. Now the problem is, that ServiceB via ps aux can't see the process of the cron job albeit running by the same AppUser. Which security feature of systemd can be altered to allow seeing all or at least AppUser's processes? ServiceA as only this "features": PrivateTmp=true ServiceB as only this features: PrivateTmp=true RuntimeDirectory=calculation RuntimeDirectoryMode=0755 Any hints would be great! Thanks, Leon

Folks I'm having file-access problems in Apache 2.4 under Centos 7. In particular: - I have a file that's readable to every user and every application, (writeable by only one user), but my CGI scripts cannot read it. - Some of my CGI scripts need temporary storage for some files. They are, for example, some internal log files, tnat get cleaned up over time, but I want to be able to

...expected. >> The perl code running under httpd reading what it thought was /tmp was >> actually looking under /tmp/systemd-private-something. I'm beginning >> to see why so much of EPEL isn't included in epel7 yet. > > The issue here really isn't systemd or the PrivateTmp feature but the > fact that some applications don't properly distinguish between temporary > files and data files. Maybe, but if an application wants a private directory for temporary files, shouldn't it create and manage that directory itself instead of being second-guessed by the d...

On 23.11.2017 13:02, Alexander Farber wrote: > in the /usr/lib/systemd/system/httpd.service file change PrivateTmp=true to > PrivateTmp=false > and then "systemctl daemon-reload" and "systemctl restart httpd" Please don't modifications in /usr/lib/systemd/system/. System updates will overwrite your changes. official way is to copy the unit file to /etc/systemd/system and edit th...

Hi. I use custom script: > require [ "vnd.dovecot.pipe", "variables" ]; > > if address :is :all "from" "snip at snap" > { > ? pipe "sieve_to_owncloud"; > } sieve_to_owncloud: > DATE=`date +%Y-%m-%d_%H-%M-%S` > PYTHONIOENCODING=utf8 python /opt/sieve-pipe/python-imap-to-owncloud.py \ > ? --owncloud-host

On Wed, Apr 15, 2015 at 9:00 PM, John R Pierce <pierce at hogranch.com> wrote: > On 4/15/2015 6:52 PM, Les Mikesell wrote: >> >> Mostly I'm interested in avoiding surprises and having code that isn't >> married to the weirdness of any particular version of any particular >> distribution. And I found this to be pretty surprising, given that I >> could

...> Description=Certbot > Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html > Documentation=https://letsencrypt.readthedocs.io/en/latest/ > [Service] > Type=oneshot > ExecStart=/usr/bin/certbot -q renew --post-hook > /etc/letsencrypt/post.hooks.d/reload > PrivateTmp=true > > one would think this would work and reload nginx after the cert has > been renewed... > > Aki > -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20190110/63c108b9/attachment.html> ----...

Folks I'm having file-access problems in Apache 2.4 under Centos 7. In particular: - I have a file that's readable to every user and every application, (writeable by only one user), but my CGI scripts cannot read it. - Some of my CGI scripts need temporary storage for some files. They are, for example, some internal log files, tnat get cleaned up over time, but I want to be able to

CentOS 7 server and Fedora 29 dev workstation, both with PHP 7.2, Apache 2.4, php-fpm, all updated. I have a web-based app I've been developing for some time, and recently the need to upload files of large size EG 1 GB or larger, has come up. So I wrote a /cgi-bin script that works, takes the input, and even runs the same application framework as the main application which normally

...e the file to /tmp as expected. > The perl code running under httpd reading what it thought was /tmp was > actually looking under /tmp/systemd-private-something. I'm beginning > to see why so much of EPEL isn't included in epel7 yet. The issue here really isn't systemd or the PrivateTmp feature but the fact that some applications don't properly distinguish between temporary files and data files. Temporary files are files the application generates temporarily for internal processing and that are not to be touched by anybody else. If as in the twiki backup case the files generat...

...up over time, but I > want to be able to look at them (as root). Where would you suggest they be > placed? I've tried /tmp/my_private_files/, and /var/tmp/my_private_files/, > but Apache fails to find even the directory. > in the /usr/lib/systemd/system/httpd.service file change PrivateTmp=true to PrivateTmp=false and then "systemctl daemon-reload" and "systemctl restart httpd" Regards Alex

...p. Create a separate directory to share data, make sure the permissions and SELinux attributes allow writing there. Put it in /run/yourservice/ if you want it to be ephemeral and small. The reason why the php-fpm service has its own private /tmp directory is because the php-fpm.service has "PrivateTmp=true" in its [Service] section. This creates a private /tmp namespace for the php-fpm process, which is a good security practice. If you absolutely must share files via /tmp, you'll have to create an /etc/systemd/system/php-fpm.service.d/override.conf that has a [Service] section that sa...

...network-up.service > > [Service] > Type=notify > NotifyAccess=all > LimitNOFILE=32768 > ExecStart=/usr/sbin/smbd --foreground --no-process-group > ExecReload=/usr/bin/kill -HUP $MAINPID > PermissionsStartOnly=true > Restart=always > RestartSec=1 > Nice=19 > > PrivateTmp=yes > PrivateDevices=yes > ProtectKernelTunables=yes > ProtectKernelModules=yes > ProtectControlGroups=yes > MemoryDenyWriteExecute=yes > CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE > CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT > > SystemCa...

...crit: > [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab > > The empty file must be created before samba and sssd services > launched. Hmm, i think its good that you read: https://www.freedesktop.org/software/systemd/man/systemd.exec.html Check ProtectSystem= PrivateTmp= ReadWritePaths= And basicly the sandboxing part. > > Btw, I have to mention that the samba packages in your repo doesn't > work with sssd packages on Stretch. Sssd quits with segfault. Due to > this, I switched back to the official Debian builds (4.5.12) in order > use sss...

Hello I am using samba Version 4.11.2 compiled. To start the daemon I using /samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf To stop correctly, what is recommended ? Actually I using kill -9 ... Regards.

...grep ramdisk > > drwxrwxrwt 2 root root 140 Nov 21 08:35 ramdisk > > > > dir -l /tmp/ramdisk | grep keys.txt > > -rw-r--r-- 1 user1 user1 11829 Nov 21 08:29 keys.txt > > > > > > Any suggestions? > > > >The httpd.servicce unit in c7 has: >PrivateTmp=true > >Which means that Apache has its own private /tmp >namespace. So it???s probably working, just not where you expect. > > >Don???t use /tmp in CGIs. > >(And don???t disable selinux, particularly for web apps) >-- >Jonathan Billings Jonathan Thanks for the advi...

Hello, Not sure if this is the right place to post this, but the ssl certificate of the repo.dovecot.org server expired on the 9th of January. It's giving an error via the browser and via the apt command in Debian: W: Failed to fetch https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binary-amd64/Packages? server certificate verification failed. CAfile:

On Wed, Apr 15, 2015 at 4:07 PM, Matthew Miller <mattdm at mattdm.org> wrote: > On Wed, Apr 15, 2015 at 03:55:34PM -0500, Les Mikesell wrote: >> Is there a generic way that processes written to share files with >> (say) apache in /tmp can figure out that they are running on an OS >> with systemd and in that case, where the daemon in question thinks >> /tmp is?

...h latest -hg and a full make clean and new ./configure as of 30 mins ago. This is with a raspberri pi with Raspbian 8 (all up to date). [Service] Type=forking ExecStart=/usr/sbin/dovecot PIDFile=/var/run/dovecot/dovecot/master.pid ExecReload=/usr/bin/doveadm reload ExecStop=/usr/bin/doveadm stop PrivateTmp=true NonBlocking=yes # Enable this if your systemd is new enough to support it: #ProtectSystem=full I'm running ./configure with: ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib --localstatedir=/var --mandir=/usr/share/man --infodir=/usr/share/info --with-moduledir=/usr/li...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've been trying to get the timidity system running as a daemon. I wrote the following init script: #!/bin/sh # # timidity # ### BEGIN INIT INFO # Provides: timidity # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Add and remove timidity # Description: ### END INIT INFO .