ProtectHome=read-only Apache service setting affects PassengerAppLogFile directive behavior on RHEL10 #2631

@azheregelya

Hi guys!

RHEL10 introduced some hardening options all over the distro. The details are here.

This includes the httpd.service file, where we now have ProtectHome=read-only.
This makes systemd create a mount namespace and remount /home with the ro option.

Passenger is running in the same namespace as httpd, so the same restrictions are applied to it.
As a result, any application that stores document root in /home will not be able to write there: upload files, change configs, etc.
The document root in user home is a common thing on Shared Hosting servers.

My question is, what's your opinion on this?
Is this systemd directive valuable enough to keep it enabled?
Would you like to provide some guidelines on how to configure Passenger with the new httpd hardening?

UPD: I updated the text to focus on one thing only - the generic effect of this directive.
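
A way to confirm the effect described in this issue, as an added example that is not part of the original post or of Passenger: the function reads a mountinfo table and reports whether the mount covering a given path is read-only. The function names, the sample table and the paths in it are constructed for illustration; on a real host, pass the service's own table, `/proc/<MainPID>/mountinfo`, which reflects the mount namespace httpd and Passenger run in.

```shell
#!/bin/sh
# Report "ro" or "rw" for the mount that covers a path, as seen in a given
# mountinfo table (default: the caller's own namespace).
#
# Usage on a live system (assumes the unit is named httpd):
#   pid=$(systemctl show -p MainPID --value httpd)
#   home_mount_mode /home/someuser/app "/proc/$pid/mountinfo"
#
# mountinfo fields used: $5 = mount point, $6 = per-mount options.
# The options after the " - " separator belong to the filesystem itself and
# stay "rw" for a read-only bind mount, so they are deliberately ignored.
# Mount points containing spaces appear escaped (\040) and are not handled.
home_mount_mode() {
    awk -v p="$1" '
        {
            mp = $5
            # A mount covers p if it is p itself, the root, or a parent directory.
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                # Longest mount point wins; on a tie the later entry is on top.
                if (length(mp) >= best) { best = length(mp); mode = $6 }
            }
        }
        END {
            if (mode == "") exit 2
            n = split(mode, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit 0 }
            print "rw"
        }' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: what a service started with ProtectHome=read-only could
# see when /home lives on the root filesystem. /home is bind-mounted onto
# itself with "ro", while the underlying filesystem is still "rw".
sample_mountinfo() {
cat <<'EOF'
22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2
95 22 253:0 /home /home ro,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2
EOF
}
```

Comparing the result for the service's table with the result for `/proc/self/mountinfo` from a login shell shows whether the restriction comes from the unit's namespace rather than from the host's own mounts.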
