Systemd Private Tmp Folders

From TheBeard Science Project Wiki

In systemd, services can be configured to have a private tmp folder. This can be confusing if you don't know about it.

For example, Apache may have a private tmp folder of /tmp/systemd-private-<GIBBERISH>-apache2.service-<GIBBERISH>, and if you use PHP to create a file /tmp/test.txt, it will actually end up in /tmp/systemd-private-<GIBBERISH>-apache2.service-<GIBBERISH>/tmp/test.txt.

This is configured in the service file. In Debian-based systems, it's /lib/systemd/system/SERVICENAME.service and in other systems it's /usr/lib/systemd/system/SERVICENAME.service.

This is what my Apache service file looks like:

[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=true
Restart=on-abort

[Install]
WantedBy=multi-user.target
You can see the value PrivateTmp=true configures Apache to use a private tmp. If you change that to false and restart the Apache service, then when you refer to /tmp/test.txt in PHP, it will actually be in that location in the file system.

I would avoid changing this, however, because using a private tmp is more secure. You could easily find the temp file from a bash script like this instead of referring to it directly:

tempfile="$(find /tmp/ -name test.txt)"
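As an added example that is not from the wiki, the POSIX shell script below locates the systemd-private-*-SERVICE-* directories described above for a given service and resolves a file the service wrote under /tmp to its real path, handling the cases where more than one private directory exists (stale ones from earlier runs) and where the service has no private tmp at all (PrivateTmp=false). The function names and the ROOT parameter are my own; passing /var/tmp works too, since PrivateTmp isolates that tree as well.

```shell
#!/bin/sh
# Added example (not from the wiki): find the PrivateTmp directory systemd
# created for a service and resolve a file the service wrote to /tmp to its
# real location. ROOT defaults to /tmp; pass /var/tmp for that tree (PrivateTmp
# isolates both), or a constructed directory when testing.

# Print every "systemd-private-<id>-SERVICE-<id>" directory under ROOT.
# Stale directories from earlier runs of the service can remain, so there may
# be more than one match; these directory names contain no whitespace.
private_tmp_dirs() {
    find "${2:-/tmp}" -maxdepth 1 -type d \
        -name "systemd-private-*-${1}-*" 2>/dev/null | sort
}

# Print the real path of NAME (e.g. test.txt), which SERVICE sees as
# ROOT/NAME. Prints the private copy from every private tmp dir that holds
# it; if the service has no private tmp dir at all (PrivateTmp=false), prints
# ROOT/NAME when it exists. Returns 1 when the file is found nowhere.
resolve_private_path() {
    service="$1"; name="$2"; root="${3:-/tmp}"
    dirs="$(private_tmp_dirs "$service" "$root")"
    found=1
    for dir in $dirs; do
        if [ -e "$dir/tmp/$name" ]; then
            printf '%s\n' "$dir/tmp/$name"
            found=0
        fi
    done
    if [ -z "$dirs" ] && [ -e "$root/$name" ]; then
        printf '%s\n' "$root/$name"
        found=0
    fi
    return "$found"
}

# Usage: sh privtmp.sh apache2.service test.txt [/tmp|/var/tmp]
if [ "$#" -ge 2 ]; then
    resolve_private_path "$1" "$2" "${3:-/tmp}"
fi
```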