[php-maint] Bug#626640: Fwd: Bug#626640: Premature session file deletion
Ondřej Surý
ondrej at debian.org
Sat May 14 07:25:15 UTC 2011
Hi Stephane,
since you are the original reporter of the security bug in the cron.d
script, I would like to ask you for your opinion on this bug.
find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0" 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
I think that it is safe to change find command line in this way, but
more eyes see more.
O.
---------- Forwarded message ----------
From: Marcus Cobden <debian-bugs at marcuscobden.co.uk>
Date: Sat, May 14, 2011 at 00:14
Subject: [php-maint] Bug#626640: Premature session file deletion
To: submit at bugs.debian.org
Package: php5-common
Version: 5.3.6-10
The crontab /etc/cron.d/php5 will, in certain circumstances,
prematurely delete session files, resulting in error messages in
scripts which were using those sessions.
Circumstances in which this might occur are:
* A script has been running longer than the configured session
maxlifetime, and still has a session open.
* A script which has resumed an existing session, but the end of the
session maxlifetime falls within the window of that script's
execution.
This is a pretty common problem, and any number of kludgy solutions
can be found in Google. I didn't spot any which actually address the
cause of the problem, only workarounds.
Suggested fix:
In the crontab, replace
-delete
with
-exec sh -c 'C=`fuser "$0" 2> /dev/null | wc -w`; [ "$C" -eq 0 ] && rm "$0"' {} \;
_______________________________________________
pkg-php-maint mailing list
pkg-php-maint at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
--
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
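
The behaviour the change discussed above is after, as an added example that is not part of the original message or of the Debian package: a cleanup pass that skips a session file some process still has open. The names REAP, gc_sessions and demo, the sess_* files, the lifetime of 0 and the /proc fallback are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not the Debian cron script. REAP, gc_sessions, demo and the
# sess_* file names are assumptions made for this sketch.

# Per-file script run by find: delete "$0" only when no process has it open.
# Uses fuser as in the mail; falls back to /proc/*/fd if psmisc is missing.
REAP='
if command -v fuser >/dev/null 2>&1; then
    users=$(fuser "$0" 2>/dev/null | wc -w)
else
    users=0
    target=$(readlink -f "$0")
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] && users=$((users + 1))
    done
fi
# The check and the rm are two steps, so a session opened in between is still lost.
[ "$users" -eq 0 ] && rm -f "$0"
exit 0'

# gc_sessions DIR MINUTES: the find invocation from the mail, parameterised.
gc_sessions() {
    find "$1" -depth -mindepth 1 -maxdepth 1 -type f -cmin "+$2" \
        -execdir sh -c "$REAP" {} \;
}

# Build a throwaway directory with one idle and one held-open session file,
# run the cleanup, and print the names that survive.
demo() {
    dir=$(mktemp -d) || return 1
    : >"$dir/sess_idle"
    : >"$dir/sess_busy"
    # Stand-in for a long-running script that still has its session file open.
    sleep 30 <"$dir/sess_busy" >/dev/null 2>&1 &
    holder=$!
    sleep 1    # let the holder open the file and put both ctimes in the past
    # Lifetime 0 because ctime cannot be backdated; production uses maxlifetime.
    gc_sessions "$dir" 0
    left=$(ls "$dir")
    kill "$holder" 2>/dev/null || :
    wait "$holder" 2>/dev/null || :
    rm -rf "$dir"
    printf '%s\n' "$left"
}

demo
```

As a non-root user fuser reports only processes it is allowed to inspect, so the check is meaningful when run with the privileges of the cron job.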