packaging icon indicating copy to clipboard operation
packaging copied to clipboard

Published 20 hours ago verified publisher icon hhvm

provide way to clear up /var/lib/hhvm/sessions

Open steelbrain opened this issue 9 years ago • 5 comments

I haven't tested re-install, but on a fresh install /var/lib/hhvm and /var/lib/hhvm/sessions is not chowned to the hhvm user. This results in a permission denied error for every app that uses sessions

steelbrain avatar Jan 01 '16 08:01 steelbrain

/var/lib/hhvm/sessions is owned by root for a good reason.

The permissions of the folder are set to 01733, which is the same as php5 does (on my system):

root@bauerj ~ # ls -lh /var/lib/{php5,hhvm}
/var/lib/hhvm:
total 480K
drwx-wx-wt 2 root root 476K Jan 14 13:28 sessions/

/var/lib/php5:
total 8.0K
drwxr-xr-x 5 root root 4.0K Jun 17  2015 modules/
drwx-wx-wt 2 root root 4.0K Jan 14 13:48 sessions/

That means that anyone is actually allowed to create files inside sessions but only root can list the content of that folder (for security reasons, you don't want any user to find out your session IDs).

So I can't really reproduce the error you get on my system. Can you give a little more detail? (OS, HHVM version, the actual error message...)

bauerj avatar Jan 14 '16 12:01 bauerj

That means that anyone is actually allowed to create files inside sessions but only root can list the content of that folder (for security reasons, you don't want any user to find out your session IDs).

@bauerj This is the problem, when HHVM tries to GC sessions it gives permission denied error because it can't list the contents of that dir. I was able to repro this on a ubuntu with vanilla phpmyadmin install on the login page

steelbrain avatar Jan 14 '16 13:01 steelbrain

Okay, that makes sense :smile:

The way php handles this is that there is a cronjob that deletes old sessions.

It seems like old sessions don't even get deleted on my server (which, of course is not good).

Did you change anything in the config to trigger the garbage collection?

I think there would be two options to solve this problem:

  1. Just chown that folder to hhvm/hhvm
  2. "Steal" the cronjob approach from php

I don't know what would be better here. Any opinions about this?

bauerj avatar Jan 14 '16 13:01 bauerj

IMO HHVM is trying hard to be cross-platform and if we hard-code cron for sessions GC, we'll have to do a special case for windows. Therefore it would be nice to just chown that directory to hhvm

steelbrain avatar Jan 14 '16 13:01 steelbrain

My initial thought is document the need to do #1 or #2 as a requirement.

I'm not comfortable with doing the chown approach, due to the potentially increased risk of session stealing if there's buggy code running as the same user.

fredemmott avatar Dec 15 '17 17:12 fredemmott