[php-maint] Bug#626640: Fwd: Bug#626640: Premature session file deletion
Ondřej Surý
ondrej at debian.org
Sat May 14 21:07:14 UTC 2011
Umm, too late, I have just uploaded a new version of php5.
Anyway, I have updated the script in the git and it will be updated to
your variant in some next upload.
O.
2011/5/14 Bob Proulx <bob at proulx.com>:
> Hi Ondřej,
>
> Ondřej Surý wrote:
>> Hi Stephane,
>>
>> since you are the original reporter of the security bug in the cron.d
>> script, I would like to ask you for your opinion on this bug.
>>
>> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
>> +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
>> 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
>>
>> I think that it is safe to change find command line in this way, but
>> more eyes see more.
>
> Note that adding 'fuser' to the cron script would add a new Depends:
> to php5-common on 'psmisc'.
>
> I think it is still safer to use the -delete option within find rather
> than an external rm. I also would like to reduce the number of
> external calls to as few as possible.
>
> I don't think the stderr of fuser should be discarded. If it is
> producing errors then this is something that should be found and
> addressed. Was there a particular case you were thinking of there?
>
> How about this?
>
> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
> -cmin +$(/usr/lib/php5/maxlifetime) \
> -execdir sh -c 'test -z "$(fuser "$0")"' {} \; \
> -delete
>
> Here only the exit code value of the execdir is being used to decide
> whether -delete should be invoked or not.
>
> Bob
>
--
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/