[php-maint] Bug#626640: Fwd: Bug#626640: Premature session file deletion

Ondřej Surý ondrej at debian.org
Sat May 14 07:25:15 UTC 2011

Hi Stephane,

since you are the original reporter of the security bug in the cron.d
script, I would like to ask you for opinion on this bug.

find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
+$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;

I think that it is safe to change find command line in this way, but
more eyes see more.


---------- Forwarded message ----------
From: Marcus Cobden <debian-bugs at marcuscobden.co.uk>
Date: Sat, May 14, 2011 at 00:14
Subject: [php-maint] Bug#626640: Premature session file deletion
To: submit at bugs.debian.org

Package: php5-common
Version: 5.3.6-10

The crontab /etc/cron.d/php5 will, in certain circumstances,
prematurely delete session files, resulting in error messages in
scripts which were using those sessions.

Circumstances in which this might occur are:
* A script has been running longer than the configured session
maxlifetime, and still has a session open.
* A script which as resumed an existing session, but the end of the
session maxlifetime falls within the window of that script's

This is a pretty common problem, and any number of kludgy solutions
can be found in google, I didn't spot any which actually address the
cause of the problem, only workarounds.

Suggested fix:
In the crontab, replace



-exec sh -c 'C=`fuser "$0" 2> /dev/null | wc -w`; [ "$C" -eq 0 ] && rm
"$0"' {} \;

pkg-php-maint mailing list
pkg-php-maint at lists.alioth.debian.org

Ondřej Surý <ondrej at sury.org>

More information about the pkg-php-maint mailing list