[php-maint] Bug#626640: Fwd: Bug#626640: Premature session file deletion

Bob Proulx bob at proulx.com
Sat May 14 20:43:42 UTC 2011

Hi Ondřej,

Ondřej Surý wrote:
> Hi Stephane,
> since you are the original reporter of the security bug in the cron.d
> script, I would like to ask you for opinion on this bug.
> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
> +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
> 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
> I think that it is safe to change find command line in this way, but
> more eyes see more.

Note that adding 'fuser' to the cron script would add a new Depends:
to php5-common on 'psmisc'.

I think it is still safer to use the -delete option within find rather
than an external rm.  I also would like to reduce the number of
external calls to as few as possible.

I don't think the stderr of fuser should be discarded.  If it is
producing errors then this is something that should be found and
addressed.  Was there a particular case you were thinking of there?

How about this?

  find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
    -cmin +$(/usr/lib/php5/maxlifetime) \
    -execdir sh -c 'test -z "$(fuser "$0")"' {} \; \

Here only the exit code value of the execdir is being used to decide
whether -delete should be invoked or not.


More information about the pkg-php-maint mailing list