On Wednesday 13 August 2008 at 12:52 +0200, Olivier Berger wrote:
> On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:
> > Nico,
> >
> > /var/run - I'll keep that in mind for post lenny - I was really hoping
> > that debian had a place for this sort of session data, but didn't manage
> > to get there - thanks :)
> >
>
> Maybe there is a web apps policy to be determined here (unless it exists
> already?)
>
> For instance, when considering recent issues with session files in
> phpgroupware, I noticed that with php5, by default sessions may be saved
> in /var/lib/php5/. But as we needed some kind of admin management of
> sessions of users (like killing them) it led us to have them (back)
> into /var/lib/phpgroupware/sessions/. I guess I've asked for some policy
> or guidelines but got no answer.
>

On Wednesday 13 August 2008 at 22:12 +1000, Sven Dowideit wrote:
> the best irony of this bug, is :
>
> I've implemented Joey's suggestion of 1777 & O_EXCL - mostly the files
> in tmp are written by CGI::Session, that takes care of things.
>
> I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point
> wrt to filling /var
>
I'm not sure it's safe to recall old discussions about #444982 ;-), but anyway, it looks to me like the filling of /var should be avoided by TWiki if possible, at least if we speak about temporary files that would never be deleted (such as session files, since you don't know if the user will continue the Web app's session, and need to keep them for some while, in principle. Timeout may depend on apps there, however).

As I understand it, wrt session files created with CGI::Session, they should be named in a consistent way, AFAIK ("cgisess_" prefix, if I can trust man CGI::Session::Driver::file, and no further customizations).

Maybe a storage in some /var/[run/|tmp/|lib/twiki/tmp] (please correct me with proper path wrt policy+FHS) and a cron script would be best?

Like for php5:

/etc/cron.d/php5 :

    09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

But maybe it would be best to have some policy concerning CGI::Session's default dir and purge cronjob, and no overloading of the default storage path, like in:

    new CGI::Session("driver:file", $sid, {Directory=>'whatever /tmp dir'});

in perl apps using it?

Of course there may be some garbage collecting on these session files active here (for instance in php, it's deactivated by default, I think).

With respect to other temp files stored in {TempfileDir}, then I expect them to be auto-deleted by the script which uses them, so there should be less risk of filling /var.

I guess much of this discussion is not twiki specific and relates to use of CGI::Session... and may apply to other web packages too... hence area for other security checks? (and policy?)

My 2 cents again.

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
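
The purge job proposed in the message above, narrowed to the "cgisess_" prefix it mentions, as an added example that is not part of the original mail or of any Debian package. The function name, the directory and age arguments, and the use of -mmin (the php5 job uses -cmin) are assumptions, and -maxdepth/-delete assume GNU or BSD find.

```shell
#!/bin/sh
# Added example: purge stale CGI::Session files from a dedicated directory.
# Assumptions (not from the thread): the directory is passed by the caller,
# and a file's mtime is taken as the time the session was last written.

# purge_cgisess DIR MAX_AGE_MINUTES
# Deletes regular files named cgisess_* directly inside DIR whose mtime is
# older than MAX_AGE_MINUTES, and prints how many files were removed.
purge_cgisess() {
    dir=$1
    max_age=$2

    # Refuse a symlinked or missing directory: under a world-writable parent
    # the name could otherwise be pointed at a different tree.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "purge_cgisess: $dir is not a real directory" >&2
        return 1
    fi

    # The age must be a plain non-negative integer before it reaches find.
    case $max_age in
        ''|*[!0-9]*)
            echo "purge_cgisess: bad age: $max_age" >&2
            return 1
            ;;
    esac

    # -maxdepth 1 : never descend into subdirectories
    # -type f     : skip symlinks, directories, fifos and sockets
    # -name       : touch only files the CGI::Session file driver names
    find "$dir/" -maxdepth 1 -type f -name 'cgisess_*' \
        -mmin "+$max_age" -print -delete | wc -l | tr -d ' '
}
```
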