This repository has been archived by the owner on Aug 31, 2023. It is now read-only.

provide way to clear up /var/lib/hhvm/sessions #139

Open
steelbrain opened this issue Jan 1, 2016 · 5 comments

Comments

@steelbrain

I haven't tested re-install, but on a fresh install /var/lib/hhvm and /var/lib/hhvm/sessions are not chowned to the hhvm user. This results in a permission denied error for every app that uses sessions.

@bauerj
Contributor

bauerj commented Jan 14, 2016

/var/lib/hhvm/sessions is owned by root for a good reason.

The permissions of the folder are set to 01733, which is the same as php5 does (on my system):

root@bauerj ~ # ls -lh /var/lib/{php5,hhvm}
/var/lib/hhvm:
total 480K
drwx-wx-wt 2 root root 476K Jan 14 13:28 sessions/

/var/lib/php5:
total 8.0K
drwxr-xr-x 5 root root 4.0K Jun 17  2015 modules/
drwx-wx-wt 2 root root 4.0K Jan 14 13:48 sessions/

That means that anyone is actually allowed to create files inside sessions but only root can list the content of that folder (for security reasons, you don't want any user to find out your session IDs).

So I can't really reproduce the error you get on my system. Can you give a little more detail? (OS, HHVM version, the actual error message...)

@steelbrain
Author

That means that anyone is actually allowed to create files inside sessions but only root can list the content of that folder (for security reasons, you don't want any user to find out your session IDs).

@bauerj This is the problem: when HHVM tries to GC sessions it gives a permission denied error because it can't list the contents of that dir. I was able to repro this on Ubuntu with a vanilla phpmyadmin install on the login page.

@bauerj
Contributor

bauerj commented Jan 14, 2016

Okay, that makes sense 😄

The way php handles this is that there is a cronjob that deletes old sessions.

It seems like old sessions don't even get deleted on my server (which, of course, is not good).

Did you change anything in the config to trigger the garbage collection?

I think there would be two options to solve this problem:

  1. Just chown that folder to hhvm/hhvm
  2. "Steal" the cronjob approach from php

I don't know what would be better here. Any opinions about this?

@steelbrain
Author

IMO HHVM is trying hard to be cross-platform, and if we hard-code cron for sessions GC, we'll have to do a special case for Windows. Therefore it would be nice to just chown that directory to hhvm.

@fredemmott changed the title from "/var/lib/hhvm is not chowned to hhvm user" to "provide way to clear up /var/lib/hhvm/sessions" on Dec 15, 2017
@fredemmott
Contributor

My initial thought is to document the need to do #1 or #2 as a requirement.

I'm not comfortable with doing the chown approach, due to the potentially increased risk of session stealing if there's buggy code running as the same user.
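
An added example (not HHVM's or the packaging's own code) that ties the two threads above together: a check of the directory mode behind the `ls -lh` output, and a root-run cleaner implementing option 2 so the directory stays root-owned with mode 1733 rather than being chowned to hhvm. `session_dir_mode` and `hhvm_session_gc` are names assumed here, and the `sess_*` file naming and 1440-second default lifetime are PHP conventions assumed to apply to HHVM's file session handler.

```shell
#!/bin/sh
# Added example (not HHVM's own code): check the session directory's mode and
# run the "cron job" style garbage collection from option 2, which keeps
# /var/lib/hhvm/sessions root-owned instead of chowning it to hhvm.
# Assumptions: session files are named sess_<id> (PHP's convention) and the
# default lifetime is 1440 seconds (PHP's session.gc_maxlifetime default).

# session_dir_mode DIR: print the octal mode including the sticky bit, so it
# can be compared with the 1733 the package installs (GNU stat first, BSD
# stat as a fallback).
session_dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# hhvm_session_gc DIR [MAXLIFETIME_SECONDS]: delete expired session files in
# DIR and print how many were removed. Meant to run as root from cron, since
# with mode 1733 only root can list the directory (see the ls output above).
hhvm_session_gc() {
    dir=$1
    maxlifetime=${2:-1440}
    # find -mmin counts minutes; round the lifetime up so nothing is
    # deleted early.
    mins=$(( (maxlifetime + 59) / 60 ))
    # -maxdepth 1 and -type f: never recurse into, or follow, anything an
    # unprivileged user could plant in the world-writable directory.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' -mmin "+$mins" \
        -print -delete | wc -l | tr -d ' '
}
```

Run from a root cron entry against /var/lib/hhvm/sessions, this is the same division of labour the php5 package uses: applications only ever create files, and root alone lists and expires them.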
