On Mon, Jun 23, 2014 at 02:06:25PM -0700, Steve Beattie wrote:
> On Fri, Jun 20, 2014 at 09:16:15AM -0700, Kees Cook wrote:
> > On Wed, Jun 18, 2014 at 11:44:26PM -0700, Seth Arnold wrote:
> > > On Wed, Jun 18, 2014 at 05:44:04PM -0700, Steve Beattie wrote:
> > > > Allow php5 abstraction to access Zend opcache files.
> > > >
> > > > [Personally, I don't really like things like this ending up in /tmp,
> > > > as there's no need for it; but it's not obvious to me looking at
> > > > http://www.php.net/manual/en/opcache.configuration.php if there's a
> > > > way to configure things such that the opcache files end up in a php
> > > > specific directory, that we could advocate packagers should make as
> > > > the default.]
> > >
> > > Blech. Annoying php.
> >
> > Yes. This took a long time to find digging through PHP code to find the
> > file pattern. :)
> >
> > > Maybe add 'owner'? I'm not entirely sure how PHP expects these things to
> > > be used but it feels like a sane thing to require that the reader and
> > > writer be the same uid.
> >
> > Yeah, "owner" seems like a good idea.
>
> Actually, owner for some reason won't work here, at least with tests
> that I've done on Ubuntu 14.04:
>
> type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED"
> operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI"
> name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" requested_mask="k"
> denied_mask="k" fsuid=33 ouid=0
>
> Note that fsuid and ouid differ (the opcache is being generated/opened
> by apache's control process?) and thus restricting owner won't
> allow this.
>
> I'm still unable to find a toggle in php configuration that changes the
> directory these are created in.

PHP, the gift that keeps on giving. Thanks for investigating this, the original line is fine with me. Thanks
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
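
The fsuid/ouid comparison made in the thread above can be run over a batch of audit records before deciding whether a rule may carry the `owner` qualifier. This is an added example, not code from the thread or from the AppArmor project; the first record is the denial quoted above, the other two records and the function names are constructed for illustration.

```python
import re

# key=value or key="value" pairs as they appear in AppArmor audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First record is the denial quoted in the thread; the other two are
# constructed for contrast (same-uid denial, and a non-denial to be skipped).
LINES = [
    'type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED" '
    'operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI" '
    'name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" '
    'requested_mask="k" denied_mask="k" fsuid=33 ouid=0',
    'type=AVC msg=audit(0.000:1): apparmor="DENIED" operation="open" '
    'profile="example-profile" name="/tmp/.ZendSem.EXAMPLE" pid=1 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=33 ouid=33',
    'type=AVC msg=audit(0.000:2): apparmor="ALLOWED" operation="open" '
    'profile="example-profile" name="/tmp/example" pid=1 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
]

def parse_avc(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: bare or quoted for key, quoted, bare in FIELD.findall(line)}

def triage(lines):
    """For each DENIED record, report whether an 'owner' rule could match."""
    results = []
    for line in lines:
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED" or "fsuid" not in f or "ouid" not in f:
            continue
        results.append({
            "name": f.get("name"),
            "mask": f.get("denied_mask"),
            "fsuid": int(f["fsuid"]),
            "ouid": int(f["ouid"]),
            # 'owner' only matches when the task's fsuid owns the file.
            "owner_rule_can_match": int(f["fsuid"]) == int(f["ouid"]),
        })
    return results

if __name__ == "__main__":
    for r in triage(LINES):
        verdict = "ok with 'owner'" if r["owner_rule_can_match"] else "needs rule without 'owner'"
        print(f'{r["name"]} mask={r["mask"]} fsuid={r["fsuid"]} ouid={r["ouid"]}: {verdict}')
```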