[BUG] Write permissions to tmp folder

Discussion in 'Installation/Configuration' started by gring, Nov 26, 2014.

  1. gring

    gring Member

    Hi, I'm using 3.0.5.4p2, so sorry if this has been solved in p5 (will update tonight).

    When creating a website, php sessions won't work because the tmp directory doesn't have the write permissions for everybody.

    Code:
     PHP Warning:  session_start(): open(/data/sites/clients/client12/web71/tmp/sess_5o892q2ubbn34td26rdsbh66d4, O_RDWR) failed: Permission denied (13) in ...
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The temp directory may not have write permissions for everybody and writing to website tmp works fine here in p4.

    Just a guess, you changed php mode of the site or switched on / off suexec without closing a browser window that has this site open. What happens then is that php tries to reuse a session file that it has written under a different user before. Change permission of the tmp folder back, then close your browser and open it again so php creates a new session.
     
  3. gring

    gring Member

    I was using Adminer on a fresh site with mod_php (suexec switched off).

    the tmp directory belongs to web71:client12

    the session files are created by the http server (www-data:www-data).
    How could it create them if it doesn't have write authorisation for the tmp folder?
     
    Last edited: Nov 26, 2014
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    mod_php should not be used anymore. It allows a hacker (or client that wants to harm you) to go from one site to all other sites easily as it runs all sites under the same user. Please switch the site to either php-fpm or php-fcgi and switch suexec on (see ispconfig manual for details on recommended php versions). If you really want to use mod_php, then you have to replace the normal apache with a version that uses the mpm-itk module.
     
  5. gring

    gring Member

    Thanks, I wasn't aware of that.

    Sites created with previous ispconfig versions and mod_php had indeed 777 authorisations on the tmp folder.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You might also want to check that the security mode under System > server config > web is set to high.
     
  7. gring

    gring Member

    Switching to PHP-FPM gives the following error:

    Code:
    (13)Permission denied: FastCGI: failed to connect to server "/data/sites/clients/client12/web71/cgi-bin/php5-fcgi-*-80-<host>": connect() failed
    FastCGI: incomplete headers (0 bytes) received from server "/data/sites/clients/client12/web71/cgi-bin/php5-fcgi-*-80-<host>"

    And since mod-php is still available, is there really a good reason to restrict write to the tmp directory?
     
    Last edited: Nov 26, 2014
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely you don't have a php-fpm daemon installed yet. Try to use fcgi instead as the fcgi mode is available for a longer time, so fcgi should be installed even on older installations.

    Yes, other sites would be able to manipulate php session data to get access to the system installed on that site.
     
  9. gring

    gring Member

    The php-fpm daemon was installed.

    Following instructions from elsewhere, in

    /etc/php5/fpm/pool.d/web71.conf

    I changed:
    listen.mode = 0660

    to:
    listen.mode = 0666

    and restarted the php-fpm service.

    It works, but I don't have a clue about what this does.
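
Added example, not part of the thread and not ISPConfig's own code: on Linux, connecting to a Unix socket requires write permission on the socket file, so `listen.mode = 0666` lets every local user reach the pool, while `0660` limits it to the socket's owner and group (php-fpm's `listen.owner` and `listen.group`). The script below audits pool files for this; the socket path and the user and group names in the sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report who may connect to a php-fpm pool socket.
# On Linux, connect() on a Unix socket needs write permission on the socket file, so
# the "other" write bit of listen.mode decides whether every local user can reach it.

# Print the last value of directive $2 in pool file $1, skipping comment lines.
pool_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# Print a verdict for pool file $1; return 1 when the socket is open to all users.
audit_pool() {
    listen=$(pool_get "$1" listen)
    mode=$(pool_get "$1" listen.mode)
    case "$listen" in
        /*) ;;                                   # absolute path: a Unix socket
        *)  echo "skip: listen is not a Unix socket path"; return 0 ;;
    esac
    case "$mode" in
        ''|*[!0-7]*) echo "unknown: listen.mode unset or not octal"; return 0 ;;
    esac
    if [ $(( 0$mode & 2 )) -ne 0 ]; then         # octal value, test other-write bit
        echo "world: any local user can connect (listen.mode=$mode)"
        return 1
    fi
    echo "restricted: owner=$(pool_get "$1" listen.owner) group=$(pool_get "$1" listen.group) mode=$mode"
}

# Constructed sample pools; socket path, user and group names are assumptions.
demo() {
    d=$(mktemp -d)
    printf '[web71]\nlisten = /run/example/web71.sock\nlisten.mode = 0666\n' > "$d/open.conf"
    printf '[web71]\nlisten = /run/example/web71.sock\nlisten.owner = web71\nlisten.group = www-data\nlisten.mode = 0660\n' > "$d/tight.conf"
    for f in "$d/open.conf" "$d/tight.conf"; do audit_pool "$f" || true; done
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_pool "$f" || true; done
else
    demo
fi
```

Run it with pool files as arguments, for example `sh audit.sh /etc/php5/fpm/pool.d/*.conf`; with no arguments it audits the two constructed samples.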
     