value for session.save_path (/tmp) is not writable for web server :: security-risk!?

[dil_bert]

hi there - good day dear fellows, 

the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one:

The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.

 

 That seems to be the problem.
 

 

session.save_path: writeable 
You need set permission for your var directory.

 

well - i guess that the default ownership may be incorrect on the session folder: 

Example; php on some Linux-Server defaults to apache user. 

If using nginx or other need to switch the folder ownership.  Also as a note you have to change the user/group setting in www.conf.

 

chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart

 

But wait:  what about the security - is it save to make the session.save_path writeable!?

my server-admin says that this is a big big hole and makes the server unsecure. 

love to hear from you 

yours dil_bert

by the way: years ago i have had this issue on the server. 

but the question is - is this a securitiy risk!?  I need to know this. Look forward to hear from you 

Edited March 21, 2020 by dil_bert

[gw1500se]

Check the permissions for /tmp. It should be (777):

drwxrwxrwt. 22 root root 12288 Mar 21 14:01 /tmp

Any user can write to /tmp. The 't' sticky bit handles the security issue. What ever user writes to /tmp is the only user that can access that directory/file (700) unless that user specifically chmod's something else. Also check session_save_path and its permissions.

Edited March 21, 2020 by gw1500se

[dil_bert]

hi there - good day dear gw. 

 

first of all - many many thanks for the quick reply -  we re talking about the installation of a survey-script - called limesurvey - cf. www.limesurvey.org  

i get the following complaints during the installation process -

 

and if we have a closer look at the script - (see below) then the server admin says - that this script wants to have unsecure things....

 

what do you say!? 

look forward to hear from you 

 

 

 

 

[gw1500se]

Are you installing the script as root (sudo)?

[dil_bert]

no -  it lies in the www.-directory ...

 

[gw1500se]

I'm confused. Are you installing a 3rd party application or trying to access a script from PHP that you wrote? Is this a CGI script?

[dil_bert]

hi there - good day dear GW 1500 se - 

 

many thanks for the quick reply   - i am trying to install a 3 Party application.. 

https://www.limesurvey.org

it is a survey-script which is used all over the globe  see by the way this thread...

https://www.limesurvey.org/forum/installation-a-update-issues/120432-how-to-do-a-reset-of-the-user-pass-combination#195701

look forward to hear from  you 

have a great day... and many many thanks for your continued support here. 

 

 

[dil_bert]

hi there - good day dear GW 1500 se - 

update: if we have a closer look at the image - the foto in the thread...

 

and if we think of this.. 

session_save_path ([ string $path ] ) : string

	session_save_path() gibt den Pfad des aktuellen Verzeichnisses zurück, das zum Speichern der Session-Daten verwendet wird.

	[/CODE]

[CODE]No session => no login
No session => no installation
An session.save_path not writable => No session.
[/CODE]

conclusio: 

i all ways thought that this code tests if we  can write into the php variable $_SESSION or - if we cannot do that

- and i allways thought that this is  read only
 

what do you say - !? 

 

look forward to hear from you

[gw1500se]

None of those links have installation instructions. They are just forum questions. You need to use the support link on that web site to learn how to install. This is not a PHP programming issue so this forum is not really appropriate. I know Linux but this is not even a Linux question.