[php-maint] Bug#831752: php7.0-common: improve documentation on session.gc_probability

Christoph Anton Mitterer calestyo at scientia.net
Tue Jul 19 02:29:29 UTC 2016


Package: php7.0-common
Version: 7.0.8-5
Severity: minor


Hi.

Debian's php.inis default to session.gc_probability = 0, which is,
as you surely know, because of the session dir being cleaned up
by the cron job, and the PHP code typically not having list rights
on it, causing the "well known":
>session_start(): ps_files_cleanup_dir: opendir(/var/lib/php/sessions) failed: Permission denied (13)
error message, if it the option was enabled.

Reading just the options documentation makes one easily think
that enabling this is a good idea.
Moreover, the in-file-documentation even says:
>; Default Value: 1
>; Development Value: 1
>; Production Value: 1

For the user, it may not be obvious that this is not necessary on
Debian systems, but will actually lead to errors.


Could you please consider the following:
- Another line like:
  Debian Defaul Value: 0
- Add some little clarification like:
  This is disabled per-default in Debian, as session clean up is performed by
  the cron job /etc/cron.d/php.
  If enabled nevertheless, it will require the respective session-directory
  to also have list (x) permissions for the user(s), under which PHP code runs
  that would trigger the garbage collection.
  Beware: Giving such permissions has security implications.
- Further I'd suggest that e.g. README.Debian lists all options where Debian's
  default deviate from upstreams, ideally with similar descriptions why.

Adding such clarification, especially to the INI, would help a bit against users
accidentally enabling this in good faith.


Cheers,
Chris.



More information about the pkg-php-maint mailing list