|session.save path permissions (ubuntu 10.04, PHP 5.3.2)|
Best practice for session folder permissions?
| 10:40 pm on Jul 20, 2010 (gmt 0)|
I'm running a LAMP server using PHP Version 5.3.2-1ubuntu4.2 on ubuntu 10.04. Does anyone know what the default permissions are for the session folder (defined in php.ini)? I modified these recently to 777 because of a warning I periodically received; however, this warning didn't hinder the site's functionality at all. I was reading a few articles, and a 777 permission allows for session hijacking; so I would like to revert to the original configuration. I think it was 766 from what I could remember, but setting the session folder to 766 throws the following warnings:
[Tue Jul 20 16:15:24 2010] [error] [client x.x.x.x] PHP Warning: session_start(): open(/path/to/folder/sess_neruoouifriqvrspo41hllg7m4, O_RDWR) failed: Permission denied (13) in /var/www/index.php on line 3, referer: https://www.example.com/
[Tue Jul 20 16:15:24 2010] [error] [client x.x.x.x] PHP Warning: Unknown: open(/path/to/folder/sess_neruoouifriqvrspo41hllg7m4, O_RDWR) failed: Permission denied (13) in Unknown on line 0, referer: https://www.example.com/
[Tue Jul 20 16:15:24 2010] [error] [client x.x.x.x] PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/path/to/folder) in Unknown on line 0, referer: https://www.example.com/
exec('whoami'); I get www-data. So I attempted the following:
chown root:www-data /path/to/folder -R
But still no cigar. What is the best practice for setting up PHP session permissions, and how do I go about accomplishing that? Thank you very much for any help in this matter.
| 11:29 pm on Jul 20, 2010 (gmt 0)|
Okay, so here's an update. I made www-data the owner of the folder:
chown www-data:www-data /path/to/folder -R
And set the permissions to 766.
The sessions are working again; however, I am not sure if this is best practice. Any ideas?
| 3:04 am on Jul 21, 2010 (gmt 0)|
The user under which the Apache/PHP is running should be the owner of the directory. Furthermore, because the session files in the directory may contain sensitive information, the best practice is to limit access by other users as much as possible.
In your situation, where Apache is apparently running as user www-data, you can achieve that by changing the owner of the directory to www-data (which you already did) and changing the permissions to 700.
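A small POSIX shell audit, added here as an illustration and not taken from the thread, that checks whether a session.save_path directory follows the advice above (owned by the web user, directory mode 700, session files 600) and applies it. It assumes GNU coreutils stat as shipped on Ubuntu; the function names and the /path/to/folder and www-data arguments are examples.

```shell
#!/bin/sh
# Audit a PHP session.save_path directory (illustrative helper, not from the thread).
# Usage: audit_session_dir /path/to/folder www-data
# Prints each finding; returns the number of findings (0 = locked down).
# Assumes GNU stat (%a = octal mode, %U = owner name).
audit_session_dir() {
    dir="$1"
    owner="$2"
    findings=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    dir_owner=$(stat -c '%U' "$dir")
    if [ "$dir_owner" != "$owner" ]; then
        echo "owner is $dir_owner, expected $owner"
        findings=$((findings + 1))
    fi
    # Drop a leading setuid/setgid/sticky digit, then look only at group/other bits.
    perm=$(printf '%s' "$mode" | sed 's/^[0-7]\([0-7][0-7][0-7]\)$/\1/')
    if [ "$(printf '%s' "$perm" | cut -c2-3)" != "00" ]; then
        echo "directory mode is $mode; group/other can reach session files (want 700)"
        findings=$((findings + 1))
    fi
    # Session files hold the serialized session data, so they must be private too.
    for f in "$dir"/sess_*; do
        [ -e "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        fperm=$(printf '%s' "$fmode" | sed 's/^[0-7]\([0-7][0-7][0-7]\)$/\1/')
        if [ "$(printf '%s' "$fperm" | cut -c2-3)" != "00" ]; then
            echo "$f mode is $fmode; should be 600"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Apply the recommendation: web user owns the tree, directory 700, files 600.
# chown to another user needs root; the group is left unchanged since mode 700
# gives it no access anyway.
harden_session_dir() {
    dir="$1"
    owner="$2"
    chown -R "$owner" "$dir"
    chmod 700 "$dir"
    find "$dir" -name 'sess_*' -type f -exec chmod 600 {} +
}
```

Run `audit_session_dir /path/to/folder www-data` after a PHP upgrade or package change as well, since those can reset ownership on the session directory.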