Hi, I have a question about your suggested workaround on http://www.securiteam.com/unixfocus/5AP0A1F61Q.html :
> And make sure to take away "r". r means "listing a directory". Apache only has to be
> able to "go into it" = x = 1, and "write" = w = 2. 1 + 2 = 3, so
>
> chmod 300 php_sessions
>
> Now, although apache is able to create and read sessions, it is not anymore possible
> to list the directory.

I agree that's the right way to avoid id reading from any php scripts. But since directory listing would be denied, the session gc won't be able to do its job anymore (look at ps_files_cleanup_dir() in mod_files.c). A quick workaround (another one!) would be a simple cron script running as root to do the gc. Any other (better) way?

Regards,
Christophe Sollet.

--
PHP Development Mailing List <http://www.php.net/>
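
The cron-driven cleanup proposed in the message above, sketched as an added example that is not part of the original e-mail or of PHP's own code. It assumes session files are named `sess_*` and that `find` supports `-maxdepth`, `-mmin` and `-delete`; the script path, schedule and directory in the crontab comment are placeholders, and 24 minutes corresponds to PHP's default `session.gc_maxlifetime` of 1440 seconds.

```shell
#!/bin/sh
# Added example, not from the original message or from PHP itself.
# Out-of-process session GC for a save path made unlistable with chmod 300.
# Run it from cron as a user that can still list the directory (root, as the
# message proposes).
# Assumptions: session files are named sess_*; find supports -maxdepth,
# -mmin and -delete (GNU and BSD find do; they are not POSIX).

# session_gc DIR MAX_AGE_MINUTES
# Removes regular files named sess_* directly under DIR whose mtime is more
# than MAX_AGE_MINUTES old and prints how many were removed.
session_gc() {
    dir=$1
    max_age=$2

    # The directory is writable by the web server, so treat its contents as
    # untrusted: refuse a symlinked DIR and a non-numeric age.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "session_gc: not a real directory: $dir" >&2
        return 2
    fi
    case $max_age in
        ''|*[!0-9]*) echo "session_gc: bad age: $max_age" >&2; return 2 ;;
    esac

    # -maxdepth 1 keeps find out of subdirectories; -type f skips symlinks and
    # other planted entries; -delete unlinks the name without following it.
    # find exits non-zero if it cannot read DIR (the mode-300 case for a
    # non-root caller), and that failure is passed on.
    removed=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$max_age" -print -delete) || return 1

    if [ -z "$removed" ]; then
        echo 0
    else
        printf '%s\n' "$removed" | wc -l | tr -d ' '
    fi
}

# Direct invocation: session-gc.sh DIR MAX_AGE_MINUTES
# Hypothetical crontab entry (path and schedule are placeholders):
#   */30 * * * * root /usr/local/sbin/session-gc.sh /path/to/php_sessions 24
if [ "$#" -eq 2 ]; then
    session_gc "$1" "$2"
fi
```

With PHP's built-in collection unable to list the directory, this script becomes the only thing expiring sessions, so its age argument should track `session.gc_maxlifetime`.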