(U)Mounting through "exec" with "sudo". The user is a "sudoer" with NOPASSWD

StackOverflow https://stackoverflow.com/questions/19598201

Question

I've already taken a look at both of these:

But, my problem appears to be different.

I have built an extensive library that's used to call Linux CLI tools. It's built around proc_open, it's family and POSIX.

I'm using it to successfully execute all (until I hit this mount/umount bug) CLI tools.

Now, I'm building a RAID setup routine, that involves partprobe, parted - rm, mklabel, mkpart, mdadm - stop, zero-superblock, create, dd, mkfs and ultimately mount/umount.

There are actually two graceful routines, one for assembling the RAID, the other one for disassembly.

As the title says, the problem relies in mount and umount. The other tools and their commands listed above execute successfully.

Environment

Arch Linux - Linux stone 3.11.6-1-ARCH #1 SMP PREEMPT Fri Oct 18 23:22:36 CEST 2013 x86_64 GNU/Linux.

The Arch is running with systemd - might be that is somehow affecting the mounting.

An Apache web server (latest), that runs mod_php (latest). Apache is run as http:http.

http is in wheel group, and wheels are sudoers - %wheel ALL=(ALL) NOPASSWD: ALL.
Please, don't start the webserver being given a full root capabilities discussion - the unit is a NAS, it's running a custom WebOS, and it's meant for intranet only. Even if there are hacking attempts - those will, most probably, break the whole system and that's not healthy for the customer. The NAS is a storage for Mobotix IP cameras, it runs a load of dependent services and the units are already deployed in over 30 objects with no issues. In short, the webserver is not serving a web, but an OS.

Before writing, I added, for a quick test, http explicitly to sudoers - http ALL=(ALL) NOPASSWD: ALL - didn't work.

Problem

The last command run in the RAID assembly process is mount /dev/md/stone\:supershare /mnt/supershare, which returns with an exit code of 0.

Performing a subsequent mount results in: 

mount: /dev/md127 is already mounted or /mnt/supershare busy
/dev/md127 is already mounted on /mnt/supershare

with an exit code of 32. So, the array is mounted somewhere.

Performing an umount /dev/md/stone\:supershare afterwards the above mount, returns with an exit code of 0. Performing an subsequent umount results in:

umount: /dev/md/stone:supershare: not mounted

The commands above are auto-run with sudo.

So, it's mounted successfully and unmounted sucessfully, but... I'm logged in as root on TTY0, running lsblk after having performed the mount operation, yet, I do not see the mountpoint:

NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda         8:0    0  55.9G  0 disk
├─sda1      8:1    0     1M  0 part
├─sda2      8:2    0     1G  0 part  [SWAP]
├─sda3      8:3    0    12G  0 part  /
└─sda4      8:4    0  16.6G  0 part  /home
sdb         8:16   0 931.5G  0 disk
└─sdb1      8:17   0   899M  0 part
  └─md127   9:127  0   1.8G  0 raid0
sdc         8:32   0 931.5G  0 disk
└─sdc1      8:33   0   899M  0 part
  └─md127   9:127  0   1.8G  0 raid0

Attempting the same mount command from TTY0 mounts it successfully (lsblk displays after).

If I mount it with my CLI tool, then run mount -l and lsblk also with the CLI tool, the mountpoint is visible.

Running immediately both commands from TTY0 as root, do not display the mountpoint.

Rebooting, to reset all mounts (not automounted), then, mounting from TTY0 and running lsblk from TTY0 displays the mountpoint.

Then, running lsblk with CLI tool, displays the mountpoint.

Then, running umount with CLI tool, exit code 0 - unmounted.

Running lsblk with CLI tool again, does not display the mountpoint.

Running lsblk from TTY0, still does display the mountpoint.

It appears that when the mount/umount is run with my CLI tool, it executes the commands privately for the sudo session runner.

umounting after TTY0 has mounted, does unmount it, but again - privately.

Logging in from TTY0 as http and running lsblk after having mounted the RAID from CLI tool, the mountpoint is not displayed. This kind of negates the "executes privately for the sudo session runner".

I've also found a material in IBM's:

The mount command uses the real user ID, not the effective user ID, to determine if the user has appropriate access. System group members can issue device mounts, provided they have write access to the mount point and those mounts specified in the /etc/file systems file. Users with root user authority can issue any mount command.

I hope I've explained good enough and not too confusing, I also hope that you guys will be able to help me catch the issue here.

Update (2013-10-28)

I attempted a test with the CLI tool outside web context, a simple PHP file, that'd I exec with root and a custom user.

In both scenarios, the mounting and unmounting was successful. So, it must be something with Apache executing the commands, though, I don't understand why do other commands work.

Question

What is causing the issue, and how do I overcome it?

Was it helpful?

Solution

In short, the hassle has been resolved.

It was the Apache's corresponding systemd service, that had PrivateTmp=true directive. Apparently, the directive executes the process with a new file system namespace.

This question, while attempting to debug and fix the issue spawned a numerous other posts around the internet.

  1. https://unix.stackexchange.com/questions/97897/sudo-mount-from-webserver-apache-by-mod-php-result-not-visible-by-root
  2. https://bbs.archlinux.org/viewtopic.php?id=172072
  3. https://unix.stackexchange.com/questions/98182/a-process-run-as-root-when-performing-mount-is-mounting-for-self-how-to-ma/98191#98191

Each derived from stuff I've learn in the process.

I started with getting deeper information about mount working on EUID. Soon, I found out that my simple sudo call is actually not executing with EUID 0. That led me to multiple queries on how to do so, that in return spawned command syntax like sudo -i 'su' -c 'mount /dev/sdb1 /mnt/firstone' and other derivatives.

Having no success with the solution, I looked further.

I started to think of trying to add the entry to /etc/fstab, that led me to loads of permission issues. Also, sudo and my CLI tool proved to be incomplete for the task. Lets bring the big weapons - lets compile Apache with -DBIG_SECURITY_HOLE, also known as, give Apache the possibility to be run as root.

Lets append entry to the tab, lets attempt to mount... and... fail!

After numerous tests, queries and what not, I stumbled upon per process mount that led me here and opened the dimension of namespaces to me.

Okay, that explains everything - checking /proc/<pid>/mounts validates it, now, lets gnaw deeper and see how to overcome it.

Again, after numerous attempts and no success, I started posting questions based around my fresh knowledge of namespaces. Narrowing the questions down and becoming more technical (at least I think I did), that eventually led to a user hiciu who pointed me into systemd direction, specifically, Apaches service - PrivateTmp.

Voila! ...apparently systemd can enforce new namespaces.

OTHER TIPS

I had the same strange behavior of apache and spent more than 3 days without any working solution. Then luckyly I found this post and as you described PrivateTmp caused the issue. In my case, I tried to mount a drive from php:

<?php
...
exec("sudo mount /dev/sda1 /mnt/drive", $output, $ret);
...
?>

When I ran above code from web browser, exec function return 0 (success) and I was even abble to list thru mapped drive within the code:

exec("ls /mnt/drive", $o, $r);
foreach ($o as $line){
  echo $line.'<BR>';
}

But when I tried search for mapped drive from cli, I cannot see it. I tried everything, include change permissions, change php.ini etc. Nothing help. Until now, changing 

PrivateTmp=false

in

/lib/systemd/system/apache2.service

does the trick. Thank you very much for sharing!

It was searching for this and is looks like this behavior is implemented and detectable from php via chroot:

 system('ischroot;echo $?');

gives 0 with the setting PrivateTmp=true (saying 'you are in a chroot') and 1 with PrivateTemp=false.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top