dil_bert Posted March 21, 2020 (edited)

Hi there, good day dear fellows,

the topic of today: session.save_path (/tmp) is not writable for web server :: security risk!?

I am trying to install a script on my openSUSE web server, and I managed to resolve most of the errors except for one:

The value for session.save_path (/tmp) is not writable for the web server. Make sure that PHP can actually save session variables.

That seems to be the problem.

session.save_path: writable

You need to set permissions for your var directory.

Well, I guess that the default ownership may be incorrect on the session folder. Example: PHP on some Linux servers defaults to the apache user. If using nginx or another server, you need to switch the folder ownership. Also, as a note, you have to change the user/group setting in www.conf.

    chown -R root:nginx /var/lib/php/7.0/
    sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
    service php-fpm-7.0 restart

But wait: what about the security? Is it safe to make the session.save_path writable!? My server admin says that this is a big, big hole and makes the server insecure.

Love to hear from you.

Yours, dil_bert

By the way: years ago I had this issue on the server. But the question is: is this a security risk!? I need to know this.

Look forward to hearing from you.

Edited March 21, 2020 by dil_bert

Link to comment: https://forums.phpfreaks.com/topic/310337-value-for-sessionsave_path-tmp-is-not-writable-for-web-server-security-risk/
gw1500se Posted March 21, 2020 (edited)

Check the permissions for /tmp. It should be (777):

    drwxrwxrwt. 22 root root 12288 Mar 21 14:01 /tmp

Any user can write to /tmp. The 't' sticky bit handles the security issue. Whatever user writes to /tmp is the only user that can access that directory/file (700) unless that user specifically chmod's something else. Also check session_save_path and its permissions.

Edited March 21, 2020 by gw1500se
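Added example, not part of any post in this thread: a POSIX shell audit of a session.save_path directory. It reads the `ls -ld` mode string (such as the `drwxrwxrwt` shown above) and lists `sess_*` files, the name PHP's default files handler gives session files, that group or others can access; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: audit the directory PHP uses as session.save_path.

# mode_of PATH: first 10 characters of the ls mode string, e.g. drwxrwxrwt
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# classify_dir_mode MODE: what other local users may do in the directory
classify_dir_mode() {
    case "$(printf '%s' "$1" | cut -c1-10)" in
        d???????w[tT]) echo shared-sticky ;;            # like /tmp
        d???????w?)    echo world-writable-no-sticky ;; # others can delete or replace entries
        d?????????)    echo restricted ;;               # others cannot create entries
        *)             echo not-a-directory ;;
    esac
}

# exposed_sessions DIR: names of sess_* files that group or others can access
exposed_sessions() {
    for f in "$1"/sess_*; do
        [ -f "$f" ] || continue
        case "$(mode_of "$f")" in
            ????------) ;;                       # owner-only, e.g. -rw-------
            *) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# audit_save_path DIR: one-line summary; run it as the web server account
audit_save_path() {
    if [ -w "$1" ]; then w=yes; else w=no; fi
    n=$(exposed_sessions "$1" | wc -l | tr -d ' ')
    echo "$1: $(classify_dir_mode "$(mode_of "$1")"), writable=$w, exposed=$n"
}

# Usage: sh audit.sh /path/to/save_path
if [ $# -gt 0 ]; then audit_save_path "$1"; fi
```

The sticky bit only stops users from deleting or renaming entries they do not own; whether another account can read a session file depends on that file's own mode, which is what `exposed_sessions` checks.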
dil_bert Posted March 21, 2020

Hi there, good day dear gw.

First of all, many, many thanks for the quick reply. We're talking about the installation of a survey script called LimeSurvey, cf. www.limesurvey.org

I get the following complaints during the installation process, and if we have a closer look at the script (see below), then the server admin says that this script wants to have insecure things....

What do you say!?

Look forward to hearing from you.
gw1500se Posted March 21, 2020

Are you installing the script as root (sudo)?
dil_bert Posted March 21, 2020

No, it lies in the www.-directory ...
gw1500se Posted March 21, 2020

I'm confused. Are you installing a 3rd party application or trying to access a script from PHP that you wrote? Is this a CGI script?
dil_bert Posted March 21, 2020

Hi there, good day dear GW 1500 se,

many thanks for the quick reply. I am trying to install a 3rd-party application: https://www.limesurvey.org

It is a survey script which is used all over the globe.

See, by the way, this thread: https://www.limesurvey.org/forum/installation-a-update-issues/120432-how-to-do-a-reset-of-the-user-pass-combination#195701

Look forward to hearing from you. Have a great day, and many, many thanks for your continued support here.
dil_bert Posted March 21, 2020

Hi there, good day dear GW 1500 se,

update: if we have a closer look at the image, the photo in the thread, and if we think of this:

    session_save_path ([ string $path ] ) : string

    session_save_path() returns the path of the current directory used to save session data.

    No session => no login
    No session => no installation
    session.save_path not writable => No session.

Conclusion: I always thought that this code tests whether we can write into the PHP variable $_SESSION or not, and I always thought that this is read-only.

What do you say!?

Look forward to hearing from you.
gw1500se Posted March 21, 2020

None of those links have installation instructions. They are just forum questions. You need to use the support link on that web site to learn how to install. This is not a PHP programming issue so this forum is not really appropriate. I know Linux but this is not even a Linux question.