Displaying 20 results from an estimated 63 matches for "privatetmp".
2020 Nov 06
1
systemd / services / current process list
...nutes as user AppUser.
Now the problem is, that ServiceB via ps aux can't see the process of
the cron job albeit running by the same AppUser.
Which security feature of systemd can be altered to allow seeing all
or at least AppUser's processes?
ServiceA has only these "features":
PrivateTmp=true
ServiceB has only these features:
PrivateTmp=true
RuntimeDirectory=calculation
RuntimeDirectoryMode=0755
Any hints would be great!
Thanks,
Leon
2017 Nov 21
3
File access in Apache 2.4
Folks
I'm having file-access problems in Apache 2.4 under CentOS 7. In particular:
- I have a file that's readable to every user and every application,
(writeable by only one user), but my CGI scripts cannot read it.
- Some of my CGI scripts need temporary storage for some files. They
are, for example, some internal log files, that get cleaned up over
time, but I want to be able to
2015 Apr 16
2
systemd private tmp dirs
...expected.
>> The perl code running under httpd reading what it thought was /tmp was
>> actually looking under /tmp/systemd-private-something. I'm beginning
>> to see why so much of EPEL isn't included in epel7 yet.
>
> The issue here really isn't systemd or the PrivateTmp feature but the
> fact that some applications don't properly distinguish between temporary
> files and data files.
Maybe, but if an application wants a private directory for temporary
files, shouldn't it create and manage that directory itself instead of
being second-guessed by the d...
2017 Nov 23
2
File access in Apache 2.4
On 23.11.2017 13:02, Alexander Farber wrote:
> in the /usr/lib/systemd/system/httpd.service file change PrivateTmp=true to
> PrivateTmp=false
> and then "systemctl daemon-reload" and "systemctl restart httpd"
Please don't make modifications in /usr/lib/systemd/system/. System updates
will overwrite your changes.
The official way is to copy the unit file to /etc/systemd/system and edit
th...
2018 Mar 28
2
[sieve][pigeonhole] Can't catch stdout for pipe script after upgrade Dovecot 2.2 -> 2.3
Hi.
I use custom script:
> require [ "vnd.dovecot.pipe", "variables" ];
>
> if address :is :all "from" "snip at snap"
> {
>     pipe "sieve_to_owncloud";
> }
sieve_to_owncloud:
> DATE=`date +%Y-%m-%d_%H-%M-%S`
> PYTHONIOENCODING=utf8 python /opt/sieve-pipe/python-imap-to-owncloud.py \
>     --owncloud-host
2015 Apr 16
2
systemd private tmp dirs
On Wed, Apr 15, 2015 at 9:00 PM, John R Pierce <pierce at hogranch.com> wrote:
> On 4/15/2015 6:52 PM, Les Mikesell wrote:
>>
>> Mostly I'm interested in avoiding surprises and having code that isn't
>> married to the weirdness of any particular version of any particular
>> distribution. And I found this to be pretty surprising, given that I
>> could
2019 Jan 10
3
repo.dovecot.org expired certificate
...> Description=Certbot
> Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
> Documentation=https://letsencrypt.readthedocs.io/en/latest/
> [Service]
> Type=oneshot
> ExecStart=/usr/bin/certbot -q renew --post-hook
> /etc/letsencrypt/post.hooks.d/reload
> PrivateTmp=true
>
> one would think this would work and reload nginx after the cert has
> been renewed...
>
> Aki
>
2017 Nov 21
4
File access in Apache 2.4 (clarification)
Folks
I'm having file-access problems in Apache 2.4 under CentOS 7. In particular:
- I have a file that's readable to every user and every application,
(writeable by only one user), but my CGI scripts cannot read it.
- Some of my CGI scripts need temporary storage for some files. They
are, for example, some internal log files, that get cleaned up over
time, but I want to be able to
2019 Apr 24
4
Systemd, PHP-FPM, and /cgi-bin scripts
CentOS 7 server and Fedora 29 dev workstation, both with PHP 7.2, Apache 2.4,
php-fpm, all updated.
I have a web-based app I've been developing for some time, and recently the
need to upload files of large size, e.g. 1 GB or larger, has come up.
So I wrote a /cgi-bin script that works, takes the input, and even runs the
same application framework as the main application which normally
2015 Apr 16
0
systemd private tmp dirs
...e the file to /tmp as expected.
> The perl code running under httpd reading what it thought was /tmp was
> actually looking under /tmp/systemd-private-something. I'm beginning
> to see why so much of EPEL isn't included in epel7 yet.
The issue here really isn't systemd or the PrivateTmp feature but the
fact that some applications don't properly distinguish between temporary
files and data files.
Temporary files are files the application generates temporarily for
internal processing and that are not to be touched by anybody else.
If as in the twiki backup case the files generat...
2017 Nov 23
0
File access in Apache 2.4
...up over time, but I
> want to be able to look at them (as root). Where would you suggest they be
> placed? I've tried /tmp/my_private_files/, and /var/tmp/my_private_files/,
> but Apache fails to find even the directory.
>
in the /usr/lib/systemd/system/httpd.service file change PrivateTmp=true to
PrivateTmp=false
and then "systemctl daemon-reload" and "systemctl restart httpd"
Regards
Alex
2019 Apr 24
0
Systemd, PHP-FPM, and /cgi-bin scripts
...p.
Create a separate directory to share data, make sure the permissions
and SELinux attributes allow writing there. Put it in
/run/yourservice/ if you want it to be ephemeral and small.
The reason why the php-fpm service has its own private /tmp directory
is because the php-fpm.service has "PrivateTmp=true" in its [Service]
section. This creates a private /tmp namespace for the php-fpm
process, which is a good security practice.
If you absolutely must share files via /tmp, you'll have to create an
/etc/systemd/system/php-fpm.service.d/override.conf that has a
[Service] section that sa...
2020 Sep 22
1
starting stopping samba 4.11
...network-up.service
>
> [Service]
> Type=notify
> NotifyAccess=all
> LimitNOFILE=32768
> ExecStart=/usr/sbin/smbd --foreground --no-process-group
> ExecReload=/usr/bin/kill -HUP $MAINPID
> PermissionsStartOnly=true
> Restart=always
> RestartSec=1
> Nice=19
>
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectControlGroups=yes
> MemoryDenyWriteExecute=yes
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE
> CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
>
> SystemCa...
2018 Dec 27
4
Generating keytab on a read-only file system
...crit:
> [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
>
> The empty file must be created before samba and sssd services
> launched.
Hmm, I think it's good that you read:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Check ProtectSystem= PrivateTmp= ReadWritePaths=
And basically the sandboxing part.
>
> Btw, I have to mention that the samba packages in your repo don't
> work with sssd packages on Stretch. Sssd quits with segfault. Due to
> this, I switched back to the official Debian builds (4.5.12) in order
> use sss...
2020 Sep 21
4
starting stopping samba 4.11
Hello I am using samba Version 4.11.2 compiled.
To start the daemon I am using
/samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf
To stop correctly, what is recommended?
Actually I am using kill -9 ...
Regards.
2017 Nov 21
1
File access in Apache 2.4 (clarification)
...grep ramdisk
> > drwxrwxrwt 2 root root 140 Nov 21 08:35 ramdisk
> >
> > dir -l /tmp/ramdisk | grep keys.txt
> > -rw-r--r-- 1 user1 user1 11829 Nov 21 08:29 keys.txt
> >
> >
> > Any suggestions?
> >
>
>The httpd.service unit in c7 has:
>PrivateTmp=true
>
>Which means that Apache has its own private /tmp
>namespace. So it's probably working, just not where you expect.
>
>
>Don't use /tmp in CGIs.
>
>(And don't disable selinux, particularly for web apps)
>--
>Jonathan Billings
Jonathan
Thanks for the advi...
2019 Jan 10
2
repo.dovecot.org expired certificate
Hello,
Not sure if this is the right place to post this, but the ssl
certificate of the repo.dovecot.org server expired on the 9th of January.
It's giving an error via the browser and via the apt command in Debian:
W: Failed to fetch
https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binary-amd64/Packages?
server certificate verification failed. CAfile:
2015 Apr 15
2
systemd private tmp dirs
On Wed, Apr 15, 2015 at 4:07 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> On Wed, Apr 15, 2015 at 03:55:34PM -0500, Les Mikesell wrote:
>> Is there a generic way that processes written to share files with
>> (say) apache in /tmp can figure out that they are running on an OS
>> with systemd and in that case, where the daemon in question thinks
>> /tmp is?
2016 Feb 21
2
systemd changes in Git/Debian Auto-Builds
...h latest -hg and a full make
clean and new ./configure as of 30 mins ago.
This is with a Raspberry Pi with Raspbian 8 (all up to date).
[Service]
Type=forking
ExecStart=/usr/sbin/dovecot
PIDFile=/var/run/dovecot/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full
I'm running ./configure with:
./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
--localstatedir=/var --mandir=/usr/share/man --infodir=/usr/share/info
--with-moduledir=/usr/li...
2015 Apr 02
2
systemctl (again)
I've been trying to get the timidity system running as a daemon. I
wrote the following init script:
#!/bin/sh
#
# timidity
#
### BEGIN INIT INFO
# Provides: timidity
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Add and remove timidity
# Description:
### END INIT INFO
.