Re: problem with session cleanup [message #170154 is a reply to message #170140] |
Wed, 13 October 2010 06:54 |
gordonb.sp7wo
Messages: 1 Registered: October 2010
> About your directory setting:
> I thought that 't' was called sticky bit. (It will appear as 's' or 'S'
> in owner or group column.)
The so-called "sticky" bit was originally named because of its
effect on executable programs, making them hang around in memory
("please cache this"). More recently, it has another use for
directories, and the original use for executable files is obsolete,
or removed entirely.
According to the FreeBSD manual pages: "A file in a sticky directory
may only be removed or renamed if the user has write permission for
the directory and the user is the owner of the file, the owner of
the directory, or the super user." This behavior is also common
to most Unix versions and Linux.
> I am not sure why your system is set up like that.
This is a reasonable setup for a temporary directory where (a)
anyone can create files, (b) anyone can delete *his own* files, (c)
snooping on other people's files is discouraged by not being able
to list them, and even if you do, you can't rename or delete them.
(Hopefully the file permissions also prohibit reading and writing
them). It also means you can't list *your own* files. Convenience
vs. security. /tmp on FreeBSD is by default mode 1777, which allows
listing files, yours and everyone else's.
Suggested fixes (pick one or more), as the poster I'm following up
suggested:

- Make the owner of the directory the user that PHP (and Apache) runs as.
  e.g. chown apache session_dir
- Put back read permission for everyone
  e.g. chmod 1777 session_dir
  There's minimal but not zero security risk by leaking file names,
  owners (mostly PHP's user anyway), and sizes of files.
- If this directory is used *only* for session data and there is
  no reason for other users to access it (such as site owners using
  FTP under their own user id, or CGIs running under Apache's suexec),
  make it owned by the user that PHP runs as and accessible only
  by that user
  e.g. chown apache session_dir; chmod 700 session_dir
> What you want is this:
> Have a session directory that is:
> - readable (listable) and
> - writable (and thus deletable)
> for the relevant user.
> The relevant user is the one that your webserver (apache) uses.
> On most systems that user is called 'www-data' or 'apache'. (I also saw
> 'nobody' a few times.)
>
> How to fix it?
> Disclaimer: I have no clue WHY your system is set up like that. Possibly
> there is some good reason I am unaware of. But since this isn't
> working I doubt it is a good reason. ;-)
For /tmp, but *not* a session directory, many shell scripts create
files there and delete them by name (e.g. /tmp/$$.tmp, where $$ is
substituted by the shell as the process id, so two shell scripts will
use unique names); they don't need to list the names in /tmp. On
the other hand, a script writer can't tell if he's forgetting to delete
one of the temporary files.
> Maybe ask in an Ubuntu forum?
>
> This is how I set up my rights on session storage directories:
> [Assuming user www-data]
>
> d rwx --- --- www-data www-data mysessionstoragedir
>
> So that is full rights for the owner www-data on the sessiondir.
Looks good to me.
/tmp makes a lousy session directory. Having it as a default makes
sense only because it's one of a few directories you can count on
actually existing. Also, if PHP's probabilistic deletion isn't
getting rid of stale data fast enough, a stopgap shell script run
from cron to get rid of anything older than, say, 2 weeks can make
sure it's gone, without having to figure out whether it's a session
or something else.
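
The directory modes and the cron stopgap discussed in this post, as an added example that is not part of the original message. The function names `classify_dir` and `purge_stale` and the labels they print are hypothetical; the demo runs on a constructed scratch directory and assumes a POSIX shell with `ls`, `find`, `touch` and `mktemp`.

```shell
#!/bin/sh
# Added example: classify a session directory by its mode string and
# purge stale files the way a cron stopgap would.

# Print a label for DIR based on the "other" triplet shown by `ls -ld`:
#   drwxrwxrwt (1777)  sticky, anyone may list
#   drwx-wx-wt (1733)  sticky, others can create but not list
#   drwx------ (700)   only the owner (e.g. the PHP user) has access
classify_dir() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    case $mode in
        d??????rwt)    echo "sticky-listable" ;;
        d??????-wt)    echo "sticky-unlistable" ;;
        d???????w[x-]) echo "world-writable-no-sticky" ;;  # anyone can delete anyone's files
        d???------)    echo "private" ;;
        *)             echo "other" ;;
    esac
}

# Remove regular files under DIR not modified for more than DAYS days.
# -type f skips directories and symlinks; -xdev stays on one filesystem.
purge_stale() {
    dir=$1
    days=${2:-14}
    find "$dir" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
}

# Demo on a constructed scratch directory (not a real session path).
demo_dir=$(mktemp -d)
chmod 1733 "$demo_dir"
echo "1733 -> $(classify_dir "$demo_dir")"
chmod 700 "$demo_dir"
echo "700  -> $(classify_dir "$demo_dir")"
touch -t 200001010000 "$demo_dir/sess_old"   # constructed stale file
: > "$demo_dir/sess_new"                     # constructed fresh file
purge_stale "$demo_dir" 14
echo "left after purge: $(ls "$demo_dir")"
rm -rf "$demo_dir"
```

Run `purge_stale` from cron as root or as the directory owner: garbage collection has to list the directory, which is exactly what the unlistable sticky mode denies to every other user.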