[php-maint] Bug#626640: Fwd: Bug#626640: Premature session file deletion

Ondřej Surý ondrej at debian.org
Sat May 14 21:07:14 UTC 2011

Umm, too late, I have just uploaded new version of php5.

Anyway, I have updated the script in the git and it will be update to
your variant in some next upload.


2011/5/14 Bob Proulx <bob at proulx.com>:
> Hi Ondřej,
> Ondřej Surý wrote:
>> Hi Stephane,
>> since you are the original reporter of the security bug in the cron.d
>> script, I would like to ask you for opinion on this bug.
>> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
>> +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
>> 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
>> I think that it is safe to change find command line in this way, but
>> more eyes see more.
> Note that adding 'fuser' to the cron script would add a new Depends:
> to php5-common on 'psmisc'.
> I think it is still safer to use the -delete option within find rather
> than an external rm.  I also would like to reduce the number of
> external calls to as few as possible.
> I don't think the stderr of fuser should be discarded.  If it is
> producing errors then this is something that should be found and
> addressed.  Was there a particular case you were thinking of there?
> How about this?
>  find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
>    -cmin +$(/usr/lib/php5/maxlifetime) \
>    -execdir sh -c 'test -z "$(fuser "$0")"' {} \; \
>    -delete
> Here only the exit code value of the execdir is being used to decide
> whether -delete should be invoked or not.
> Bob

Ondřej Surý <ondrej at sury.org>

More information about the pkg-php-maint mailing list