• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

  • 0
Sign in to follow this  

session.save_path (/tmp) is not writable for web server :: security-risk!?

Question

tarifa    1
Posted (edited)

 
hi there - good day dear fellows, 

 


the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one:

 

The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.

 

session.save_path: writeable 
You need set permission for your var directory. 

 

That seems to be the problem. well - i guess that the default ownership may be incorrect on the session folder: 

 

Example; php on some Linux-Server defaults to apache user. 

If using nginx or other need to switch the folder ownership.  Also as a note you have to change the user/group setting in www.conf.

 

 


chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart

 

But wait:  what about the security - is it save to make the session.save_path writeable!?

my server-admin says that this is a big big hole and makes the server unsecure. 

 

love to hear from you 

 

 

update:

 

some clearings and clearification:  -  we re talking about the installation of a survey-script - called limesurvey - cf. www.limesurvey.org  

i get the following complaints during the installation process -

 

and if we have a closer look at the script - (see below) then the server admin says - that this script wants to have unsecure things....

 

what do you say!? 

image.thumb.png.b166131c9dac2bc5641c957ea70c05bf.png

 

look forward to hear from you 

limesurvey_session1_.jpg

Edited by tarifa

Share this post


Link to post
Share on other sites

1 answer to this question

Recommended Posts

  • 0
tarifa    1

hi there - dear fellows 

 

update: if we have a closer look at the image - the foto in the thread...

 

and if we think of this.. 


session_save_path ([ string $path ] ) : string
session_save_path() gibt den Pfad des aktuellen Verzeichnisses zurück, das zum Speichern der Session-Daten verwendet wird.
[/CODE]


[CODE]No session => no login
No session => no installation
An session.save_path not writable => No session.
[/CODE]

conclusio: 

i all ways thought that this code tests if we  can write into the php variable $_SESSION or - if we cannot do that

- and i allways thought that this is  read only
 

what do you say - !? 

 

look forward to hear from you

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.