From: Ondřej Surý <ondrej@sury.org>
Date: Thu, 9 Feb 2012 00:35:19 +0100
To: PHP internals <internals@lists.php.net>
Subject: Security risk how to use find recommended in php.ini-*

This is very wrong to recommend:

    ; NOTE: If you are using the subdirectory option for storing session files
    [...]
    ;          find /path/to/sessions -cmin +24 | xargs rm

because it is prone to the '\n' attack. You can see the security considerations of GNU find.

Much better would be:

    find /path/to/sessions -cmin +24 -delete

or at least

    find /path/to/sessions -cmin +24 -execdir rm "{}" \;

(GNU find)

The most error-prone way is something we cooked up in Debian:

    find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +24 ! -execdir fuser -s {} 2>/dev/null \; -delete

which depends on fuser at least version 22.15 (which has removed the fork() call which was able to swamp the whole system with zombies).

The fuser call checks if the session file is still in use, because the script was deleting still active sessions opened 24+ mins ago.

O.

-- 
Ondřej Surý
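The following script is an added example, not part of Ondřej's mail, of php.ini, or of the Debian packaging. It builds a throwaway session directory (constructed data) containing a stale file whose name embeds a newline, then compares the line-based `find | xargs rm` from php.ini with the two safe forms the mail recommends: letting `find -delete` unlink the matches, or NUL-delimiting the pipe with `-print0` / `xargs -0`. It assumes GNU or BSD findutils (for `-mmin`, `-delete`, `-print0`) and `mktemp -d`, and uses `-mmin` instead of php.ini's `-cmin` only because a test cannot set a file's ctime with `touch`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail or PHP): why newline-separated
# `find | xargs rm` is unsafe for session pruning, and the safe alternatives.
# Assumes GNU/BSD find (-mmin, -delete, -print0) and mktemp -d.
# -mmin is used instead of php.ini's -cmin because touch cannot set ctime.

# Build a throwaway session directory (constructed data) and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    # stale session that must be pruned
    touch -t 200001010000 "$d/sess_stale"
    # live session that must survive
    touch "$d/sess_fresh"
    # stale session whose name contains a newline followed by the live file's name
    touch -t 200001010000 "$d/$(printf 'sess_evil\nsess_fresh')"
    printf '%s\n' "$d"
}

# Variant from php.ini: xargs splits find's output on whitespace, so the
# name "sess_evil\nsess_fresh" becomes two arguments and the second one
# names the live session. Run in a subshell so the cd does not leak.
unsafe_prune() {
    ( cd "$1" && find . -type f -mmin +60 | xargs rm 2>/dev/null ) || true
}

# Safe form 1: let find unlink its own matches; no path ever crosses a pipe.
safe_prune_delete() {
    find "$1" -type f -mmin +60 -delete
}

# Safe form 2 (when rm must stay a separate step): NUL-delimit both ends,
# since NUL is the only byte that cannot appear in a file name.
safe_prune_nul() {
    find "$1" -type f -mmin +60 -print0 | xargs -0 rm -f --
}

# Check: is the live session still present?
fresh_survives() {
    [ -f "$1/sess_fresh" ]
}

# Check: number of regular files left, counted via globbing (newline-safe).
count_files() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}
```

Run `d=$(make_fixture); safe_prune_delete "$d"; count_files "$d"` to see only `sess_fresh` remain; with `unsafe_prune` the live session is the file that disappears while the newline-named stale file is the one that survives. The fuser check from the Debian command can be added to either safe form as `! -execdir fuser -s {} \;` before `-delete`, as the mail shows.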