
This was new to me. Since CentOS 7.3 there have been some security changes; one of them is the use of the PrivateTmp flag in many services, and of course Apache is one of them. For those who are curious about what this flag means, here is the manual text:

PrivateTmp=
Takes a boolean argument. If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp or /var/tmp impossible. If this is enabled, all temporary files created by a service in these directories will be removed after the service is stopped. Defaults to false. It is possible to run two or more units within the same private /tmp and /var/tmp namespace by using the JoinsNamespaceOf= directive, see systemd.unit(5) for details. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.

I am going to explain an issue I had with the PBX of one of my customers.

Symptom

One customer had a problem with some PHP code. After debugging, I found that the guilty line was fopen('/tmp/prov/xxxx.txt','w'). Nothing seemed out of order: /tmp/prov/ existed, it was owned by apache and it had 777 permissions. But it was still failing.

When the PrivateTmp flag is on, systemd creates a temporary directory under /var/tmp/xxxxxx and mounts it internally as the service's private /tmp. Inside that namespace my /tmp/prov/ directory never existed, so the fopen call failed because of this.

Workaround

  1. Edit your /usr/lib/systemd/system/httpd.service file and change the PrivateTmp value to false.
  2. After that, run systemctl daemon-reload.
  3. Restart the service with systemctl restart httpd.

In my specific case, I created /tmp/prov/ once and it was fixed.

Final Fix

This depends on your project. You must add mkdir() calls to make sure the directory structure exists before writing into it. For FusionPBX, I have submitted the following pull requests:
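As an added example (not one of the pull requests mentioned above, and not FusionPBX code), this is the kind of guard the final fix calls for: recreate the parent directory before fopen() and fail loudly when that is impossible. The path, file contents and directory mode are placeholders chosen here.

```php
<?php
// Added example (not FusionPBX code). Path and contents are placeholders.

/**
 * Write $contents to $path, creating missing parent directories first.
 * Returns the number of bytes written, or throws a RuntimeException
 * that says why, so a PrivateTmp-related failure is not silent.
 */
function writeProvisioningFile(string $path, string $contents): int
{
    $dir = dirname($path);

    // Under PrivateTmp the service sees a fresh, empty /tmp after every
    // restart, so a directory created by hand is gone. Recreate it
    // recursively with a restrictive mode instead of relying on 777.
    // The second is_dir() check covers another request creating it first.
    if (!is_dir($dir) && !@mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create directory $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("Directory $dir is not writable by this process");
    }

    $fh = @fopen($path, 'w');
    if ($fh === false) {
        $err = error_get_last();
        throw new RuntimeException(
            "fopen($path) failed: " . ($err['message'] ?? 'unknown error')
        );
    }
    try {
        $written = fwrite($fh, $contents);
        if ($written === false) {
            throw new RuntimeException("fwrite($path) failed");
        }
        return $written;
    } finally {
        fclose($fh);
    }
}

// Demo: the same kind of call that failed in the post, now with the
// directory guaranteed to exist (placeholder file name and contents).
$bytes = writeProvisioningFile('/tmp/prov/example-device.txt', "provisioning data\n");
echo "wrote $bytes bytes\n";
```

Remember the manual's caveat: with PrivateTmp enabled the file lives only in httpd's private /tmp, so a separate service outside that namespace will not see it; use a directory outside /tmp or /var/tmp if another process must read it.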

Good luck!
