Hi,
This is a bit off-topic, but since it has to do with /tmp permissions, here it goes. Anyway, I'm sorry in advance for posting this.
I have this PHP script (simplified here), called delete_tmp.php, that basically calls external commands:
<?php
$session_file = '/tmp/sess_89765';
system('rm -f' . ' ' . $session_file);
?>
delete_tmp.php file is owned by gamito.users
/tmp/sess_89765 file has permissions -rw------ and is owned by gamito.users
My /tmp permissions are rwxrwxrwt and is owned by root.root
I know that the sticky bit only allows files to be deleted by their owners, the owner of the directory or by root.
Nevertheless, I can switch to /tmp directory and delete sess_89765 file as user gamito.
If I run: $ php delete_tmp.php
as root, it deletes sess_89765 file.
But if I do the same as user gamito, it doesn't delete the file !!!
Ideas ?
Any help would be appreciated.
Warm Regards, Mário Gamito
Mário Gamito wrote:
Hi,
This is a bit off-topic, but since it has to do with /tmp permissions, here it goes. Anyway, I'm sorry in advance for posting this.
I have this PHP script (simplified here), called delete_tmp.php, that basically calls external commands:
<?php
$session_file = '/tmp/sess_89765';
system('rm -f' . ' ' . $session_file);
?>
delete_tmp.php file is owned by gamito.users
/tmp/sess_89765 file has permissions -rw------ and is owned by gamito.users
My /tmp permissions are rwxrwxrwt and is owned by root.root
I know that the sticky bit only allows files to be deleted by their owners, the owner of the directory or by root.
Nevertheless, I can switch to /tmp directory and delete sess_89765 file as user gamito.
If I run: $ php delete_tmp.php
as root, it deletes sess_89765 file.
But if I do the same as user gamito, it doesn't delete the file !!!
Ideas ?
PHP, being run from the web interface, is run as whatever ID Apache is run as. Apache is not user gamito. On a file with -rw------ permission users in the group will not be allowed to delete the file.
Neil Cherry wrote on Fri, 28 Mar 2008 11:52:06 -0400:
PHP, being run from the web interface,
He's not running it via the web. And he should be getting some error, and I expect him to tell us about errors if there are any. But he surely *intends* to run it later from the web. Where I don't see much use in it. PHP cleans up the sessions after itself and it should be configured to not place all the sessions in /tmp anyway.
Kai
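
The deletion rule discussed in this thread, written out as an added example (not code from any poster): whether unlink() is allowed depends on the caller's rights on the directory plus the sticky-bit ownership test, not on the mode of the file itself. The uid/gid numbers (1000 for gamito, 48 for a web server account, 100 for users) are constructed, and the model is a simplification that ignores ACLs, capabilities, immutable flags and SELinux.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for the os.stat() fields the rule needs.
Ent = namedtuple("Ent", "uid gid mode")

def dir_class_bits(uid, gids, d):
    """Return the rwx bits of directory d that apply to this caller."""
    if uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in gids:
        return (d.mode >> 3) & 7
    return d.mode & 7

def may_unlink(uid, gids, d, f):
    """Simplified Unix rule for unlink(); returns (allowed, reason)."""
    if uid == 0:
        return True, "root bypasses the checks"
    if (dir_class_bits(uid, gids, d) & 3) != 3:   # need w (2) and x (1)
        return False, "no write+search permission on the directory"
    if (d.mode & stat.S_ISVTX) and uid not in (f.uid, d.uid):
        return False, "sticky directory: caller owns neither file nor directory"
    return True, "directory permissions allow it"

def check_path(path, uid=None, gids=None):
    """Apply may_unlink() to a real file, by default for the current process."""
    uid = os.geteuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getegid()}) if gids is None else gids
    fs = os.lstat(path)
    ds = os.stat(os.path.dirname(os.path.abspath(path)))
    return may_unlink(uid, gids,
                      Ent(ds.st_uid, ds.st_gid, ds.st_mode),
                      Ent(fs.st_uid, fs.st_gid, fs.st_mode))

if __name__ == "__main__":
    # Constructed values mirroring the thread: /tmp and the session file.
    tmp = Ent(0, 0, 0o41777)          # drwxrwxrwt root root
    sess = Ent(1000, 100, 0o100600)   # owner-only rw file, gamito users
    for who, uid, gids in (("gamito", 1000, {100}),
                           ("web server", 48, {48}),
                           ("root", 0, {0})):
        print(who, may_unlink(uid, gids, tmp, sess))
```

Running `check_path('/tmp/sess_89765')` under the same account that runs the PHP script shows which clause of the rule applies to that account.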