Reputation: 11148
I want to use session_id($id) to replace session with existing. I moved session directory to /tmp/php_sess, and set 777 permissions for that folder.
But PHP creates session files in that folder with permission:
-rw-------
And another script (from CLI) can't read it. How to tell PHP to create files with permission for everybody (777)?
Upvotes: 3
Views: 6196
Reputation: 13581
I think this is an instance of XY problem. I’ll try to address both the core issue and your attempted solution.
Changing the permissions of your session files.
Think twice before changing the mode of session files, beware the related security pitfalls. But since you asked, let’s assume you know what you are doing.
You have three options:
Chmod the session files after creation
session_start();
$path = session_save_path() . '/sess_' . session_id();
chmod($path, 0640);
This is what you’ve done in your answer. A serious problem is that you have to add a chmod call after any call to session_start(), even when it’s done inside a PEAR module or any other third party code. This is a maintenance nightmare.
Set mode in session.save_path
Preferably in php.ini or .htaccess (via php_value session.save_path …), but if you don’t have access to any of those, you can use ini_set() directly from PHP, somewhere near the beginning of your script:
ini_set('session.save_path', '0;640;' . session_save_path());
From these three, I would choose this one because it balances complexity and cleanness very well.
Implement your own session storage
You can implement sessions however you like. In your code, you can be sure that you create the files with correct permissions.
Imagine lots of code here. Namely a class implementing SessionHandlerInterface and a call to session_set_save_handler somewhere near the beginning of your script.
The choice of mode 640 assumes that the script creating the session and the CLI script are run by users in the same group and the CLI script needs just read access. If this is not the case, use 644 (all can read), 660 (group can read and write, others can do nothing), or 666 (all can read and write). Follow the principle of least privilege. Note that the process’s umask might thwart your effort – you can change it first, e.g. via umask(0022).
Making the CLI script work.
If you run the CLI script under the same user who owns the session files, there will be no need to change their mode. Mode 600 keeps the session files’ contents safe.
If you need to be able to execute the script from another user’s account, you might want setuid or sudo, but be sure not to create the same security hole as when using higher than 600 mode.
When the CLI script really needs to run under a different user from the one creating the session, the attempted solution (changing the mode of session files) might be actually the right thing to do. I know about a website whose scripts are edited by multiple users, all in the same group. Each PHP script is executed under its owner via suphp. If one script creates a session file, scripts created (and therefore owned) by other users cannot use it. The desired permissions to make the sessions work are 660 and it is still a reasonably secure setup. Preserving the 600 mode and running the server and all the scripts under a dedicated, artificial user would be even better, still.
An earlier version of this answer compared the solutions and mentioned their up- and down-sides in detail. It also discussed the choice of appropriate mode. Its verbosity made me feel the urge to clean it up and leave only the most important pieces. You might still find it useful, though.
Upvotes: 4
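The third option in the answer above (a custom session store), as an added example that is not part of the original answer: a file-backed SessionHandlerInterface that gives each session file an explicit mode before any data is written to it. It assumes PHP 8+, a plain directory in session.save_path (no "N;MODE;" prefix) and a shared group for the web and CLI users; the class name ModeSessionHandler is hypothetical.

```php
<?php
// Added example (assumes PHP 8+); ModeSessionHandler is a hypothetical name.
final class ModeSessionHandler implements SessionHandlerInterface
{
    private string $dir = '';
    public function __construct(private int $mode = 0640) {}
    private function file(string $id): string
    {
        // Accept only plain session IDs so an ID can never escape $dir.
        if (!preg_match('/^[A-Za-z0-9,-]{1,256}$/', $id)) {
            throw new InvalidArgumentException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }
    public function open(string $path, string $name): bool
    {
        $this->dir = rtrim($path, '/'); // plain session.save_path assumed
        return is_dir($this->dir) && is_writable($this->dir);
    }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $file = $this->file($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }
    public function write(string $id, string $data): bool
    {
        $file = $this->file($id);
        // Create empty and set the mode before data is written; chmod() ignores umask.
        if (!is_file($file) && !(touch($file) && chmod($file, $this->mode))) {
            return false;
        }
        return file_put_contents($file, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $file = $this->file($id);
        return !is_file($file) || unlink($file);
    }
    public function gc(int $max_lifetime): int|false
    {
        $cut = time() - $max_lifetime;
        $old = array_filter(glob("{$this->dir}/sess_*") ?: [], fn ($f) => filemtime($f) < $cut);
        return count(array_filter($old, 'unlink'));
    }
}

session_set_save_handler(new ModeSessionHandler(0640), true);
session_start();
```

Unlike PHP's built-in files handler, this version does not keep the session file locked for the duration of the request, so concurrent requests on one session can overwrite each other's data.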
Reputation: 368
You could set up incron to watch the directory and on creation of file chmod it to 777. Not pretty, but effective. The config would look something like:
/tmp/php_sess IN_CREATE chmod 777 $@/$#
This would have to be in the root incron config so that commands are executed with root privileges. More info about configuration options here.
Upvotes: 1
Reputation: 11148
I found some solution. When PHP creates session, it can set permission to file.
session_start();
$path = session_save_path().'/sess_'.session_id();
chmod($path, 0777);
Upvotes: 1