Jump to content
#StayAtHome ×
Sign in to follow this  
dil_bert

value for session.save_path (/tmp) is not writable for web server :: security-risk!?

Recommended Posts

Posted (edited)


hi there - good day dear fellows, 


the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one:

The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.

 

 That seems to be the problem.
 

 

session.save_path: writeable 
You need set permission for your var directory.

 

well - i guess that the default ownership may be incorrect on the session folder: 

Example; php on some Linux-Server defaults to apache user. 

If using nginx or other need to switch the folder ownership.  Also as a note you have to change the user/group setting in www.conf.


 

chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart

 

But wait:  what about the security - is it save to make the session.save_path writeable!?

my server-admin says that this is a big big hole and makes the server unsecure. 

love to hear from you 

yours dil_bert

by the way: years ago i have had this issue on the server. 

but the question is - is this a securitiy risk!?  I need to know this. Look forward to hear from you 

Edited by dil_bert

Share this post


Link to post
Share on other sites
Posted (edited)

Check the permissions for /tmp. It should be (777):

drwxrwxrwt. 22 root root 12288 Mar 21 14:01 /tmp

Any user can write to /tmp. The 't' sticky bit handles the security issue. What ever user writes to /tmp is the only user that can access that directory/file (700) unless that user specifically chmod's something else. Also check session_save_path and its permissions.

Edited by gw1500se
  • Thanks 1

Share this post


Link to post
Share on other sites

hi there - good day dear gw. 

 

first of all - many many thanks for the quick reply -  we re talking about the installation of a survey-script - called limesurvey - cf. www.limesurvey.org  

i get the following complaints during the installation process -

 

and if we have a closer look at the script - (see below) then the server admin says - that this script wants to have unsecure things....

 

what do you say!? 

look forward to hear from you 

 

 

 

 

image.png.fd5679e45ff3f8d4f45a968b1212cba8.png

limesurvey_session1_.jpg

Share this post


Link to post
Share on other sites

Are you installing the script as root (sudo)?

  • Like 1

Share this post


Link to post
Share on other sites

I'm confused. Are you installing a 3rd party application or trying to access a script from PHP that you wrote? Is this a CGI script?

  • Like 1

Share this post


Link to post
Share on other sites

hi there - good day dear GW 1500 se - 

 

many thanks for the quick reply   - i am trying to install a 3 Party application.. 

https://www.limesurvey.org

it is a survey-script which is used all over the globe  see by the way this thread...

https://www.limesurvey.org/forum/installation-a-update-issues/120432-how-to-do-a-reset-of-the-user-pass-combination#195701

look forward to hear from  you 

have a great day... and many many thanks for your continued support here. 

 

 

Share this post


Link to post
Share on other sites

hi there - good day dear GW 1500 se - 

update: if we have a closer look at the image - the foto in the thread...image.png.5bb662d15bf2d54fb79fa2aa1b681fb7.png

 

and if we think of this.. 


session_save_path ([ string $path ] ) : string
session_save_path() gibt den Pfad des aktuellen Verzeichnisses zurück, das zum Speichern der Session-Daten verwendet wird.
[/CODE]


[CODE]No session => no login
No session => no installation
An session.save_path not writable => No session.
[/CODE]

conclusio: 

i all ways thought that this code tests if we  can write into the php variable $_SESSION or - if we cannot do that

- and i allways thought that this is  read only
 

what do you say - !? 

 

look forward to hear from you

Share this post


Link to post
Share on other sites

None of those links have installation instructions. They are just forum questions. You need to use the support link on that web site to learn how to install. This is not a PHP programming issue so this forum is not really appropriate. I know Linux but this is not even a Linux question.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.