Debian Bug report logs - #626640
Premature session file deletion

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marcus Cobden <debian-bugs@marcuscobden.co.uk>

To: submit@bugs.debian.org

Subject: Premature session file deletion

Date: Fri, 13 May 2011 23:14:34 +0100

Package: php5-common
Version: 5.3.6-10

The crontab /etc/cron.d/php5 will, in certain circumstances, prematurely delete session files, resulting in error messages in scripts which were using those sessions.

Circumstances in which this might occur are:
* A script has been running longer than the configured session maxlifetime, and still has a session open.
* A script which as resumed an existing session, but the end of the session maxlifetime falls within the window of that script's execution.

This is a pretty common problem, and any number of kludgy solutions can be found in google, I didn't spot any which actually address the cause of the problem, only workarounds.

Suggested fix:
In the crontab, replace

-delete

with

-exec sh -c 'C=`fuser "$0" 2> /dev/null | wc -w`; [ "$C" -eq 0 ] && rm "$0"' {} \;

Message #10 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Stephane Chazelas <stephane.chazelas@seebyte.com>, 626640@bugs.debian.org

Subject: Fwd: [php-maint] Bug#626640: Premature session file deletion

Date: Sat, 14 May 2011 09:25:15 +0200

Hi Stephane,

since you are the original reporter of the security bug in the cron.d
script, I would like to ask you for opinion on this bug.

find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
+$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;

I think that it is safe to change find command line in this way, but
more eyes see more.

O.

---------- Forwarded message ----------
From: Marcus Cobden <debian-bugs@marcuscobden.co.uk>
Date: Sat, May 14, 2011 at 00:14
Subject: [php-maint] Bug#626640: Premature session file deletion
To: submit@bugs.debian.org


Package: php5-common
Version: 5.3.6-10

The crontab /etc/cron.d/php5 will, in certain circumstances,
prematurely delete session files, resulting in error messages in
scripts which were using those sessions.

Circumstances in which this might occur are:
* A script has been running longer than the configured session
maxlifetime, and still has a session open.
* A script which as resumed an existing session, but the end of the
session maxlifetime falls within the window of that script's
execution.

This is a pretty common problem, and any number of kludgy solutions
can be found in google, I didn't spot any which actually address the
cause of the problem, only workarounds.

Suggested fix:
In the crontab, replace

-delete

with

-exec sh -c 'C=`fuser "$0" 2> /dev/null | wc -w`; [ "$C" -eq 0 ] && rm
"$0"' {} \;




_______________________________________________
pkg-php-maint mailing list
pkg-php-maint@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #15 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: 626640@bugs.debian.org

Cc: ,control@bugs.debian.org

Subject: [debian/debian-sid] Don't delete used session files (Closes: #626640)

Date: Sat, 14 May 2011 09:35:44 +0000

tag 626640 pending
thanks

Date: Sat May 14 09:20:06 2011 +0200
Author: Ondřej Surý <ondrej@sury.org>
Commit ID: 5d81dd949c7d03f7252988307dcd19e0b4f10758
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=5d81dd949c7d03f7252988307dcd19e0b4f10758
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=5d81dd949c7d03f7252988307dcd19e0b4f10758

    Don't delete used session files (Closes: #626640)

      

Message #22 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Bob Proulx <bob@proulx.com>

To: Ondřej Surý <ondrej@debian.org>, 626640@bugs.debian.org

Cc: Stephane Chazelas <stephane.chazelas@seebyte.com>

Subject: Re: Bug#626640: Fwd: [php-maint] Bug#626640: Premature session file deletion

Date: Sat, 14 May 2011 14:43:42 -0600

Hi Ondřej,

Ondřej Surý wrote:
> Hi Stephane,
> 
> since you are the original reporter of the security bug in the cron.d
> script, I would like to ask you for opinion on this bug.
> 
> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
> +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
> 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
> 
> I think that it is safe to change find command line in this way, but
> more eyes see more.

Note that adding 'fuser' to the cron script would add a new Depends:
to php5-common on 'psmisc'.

I think it is still safer to use the -delete option within find rather
than an external rm.  I also would like to reduce the number of
external calls to as few as possible.

I don't think the stderr of fuser should be discarded.  If it is
producing errors then this is something that should be found and
addressed.  Was there a particular case you were thinking of there?

How about this?

  find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
    -cmin +$(/usr/lib/php5/maxlifetime) \
    -execdir sh -c 'test -z "$(fuser "$0")"' {} \; \
    -delete

Here only the exit code value of the execdir is being used to decide
whether -delete should be invoked or not.

Bob

Message #27 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Bob Proulx <bob@proulx.com>

Cc: 626640@bugs.debian.org, Stephane Chazelas <stephane.chazelas@seebyte.com>

Subject: Re: Bug#626640: Fwd: [php-maint] Bug#626640: Premature session file deletion

Date: Sat, 14 May 2011 23:07:14 +0200

Umm, too late, I have just uploaded new version of php5.

Anyway, I have updated the script in the git and it will be update to
your variant in some next upload.

O.

2011/5/14 Bob Proulx <bob@proulx.com>:
> Hi Ondřej,
>
> Ondřej Surý wrote:
>> Hi Stephane,
>>
>> since you are the original reporter of the security bug in the cron.d
>> script, I would like to ask you for opinion on this bug.
>>
>> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin
>> +$(/usr/lib/php5/maxlifetime) -execdir sh -c 'C=$(fuser "$0"
>> 2>/dev/null | wc -w); [ "$C" -eq 0 ] && rm -f "$0"' {} \;
>>
>> I think that it is safe to change find command line in this way, but
>> more eyes see more.
>
> Note that adding 'fuser' to the cron script would add a new Depends:
> to php5-common on 'psmisc'.
>
> I think it is still safer to use the -delete option within find rather
> than an external rm.  I also would like to reduce the number of
> external calls to as few as possible.
>
> I don't think the stderr of fuser should be discarded.  If it is
> producing errors then this is something that should be found and
> addressed.  Was there a particular case you were thinking of there?
>
> How about this?
>
>  find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
>    -cmin +$(/usr/lib/php5/maxlifetime) \
>    -execdir sh -c 'test -z "$(fuser "$0")"' {} \; \
>    -delete
>
> Here only the exit code value of the execdir is being used to decide
> whether -delete should be invoked or not.
>
> Bob
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #32 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Bob Proulx <bob@proulx.com>

To: Ondřej Surý <ondrej@debian.org>

Cc: 626640@bugs.debian.org, Stephane Chazelas <stephane.chazelas@seebyte.com>

Subject: Re: Bug#626640: Fwd: [php-maint] Bug#626640: Premature session file deletion

Date: Sat, 14 May 2011 15:09:56 -0600

Ondřej Surý wrote:
> Umm, too late, I have just uploaded new version of php5.

You were too quick! :-)

> Anyway, I have updated the script in the git and it will be update to
> your variant in some next upload.

I think that is perfectly fine and reasonable.

Bob

Message #37 received at 626640-close@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: 626640-close@bugs.debian.org

Subject: Bug#626640: fixed in php5 5.3.6-11

Date: Sun, 15 May 2011 12:48:28 +0000

Source: php5
Source-Version: 5.3.6-11

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.3.6-11_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.3.6-11_amd64.deb
libapache2-mod-php5filter_5.3.6-11_amd64.deb
  to main/p/php5/libapache2-mod-php5filter_5.3.6-11_amd64.deb
php-pear_5.3.6-11_all.deb
  to main/p/php5/php-pear_5.3.6-11_all.deb
php5-cgi_5.3.6-11_amd64.deb
  to main/p/php5/php5-cgi_5.3.6-11_amd64.deb
php5-cli_5.3.6-11_amd64.deb
  to main/p/php5/php5-cli_5.3.6-11_amd64.deb
php5-common_5.3.6-11_amd64.deb
  to main/p/php5/php5-common_5.3.6-11_amd64.deb
php5-curl_5.3.6-11_amd64.deb
  to main/p/php5/php5-curl_5.3.6-11_amd64.deb
php5-dbg_5.3.6-11_amd64.deb
  to main/p/php5/php5-dbg_5.3.6-11_amd64.deb
php5-dev_5.3.6-11_amd64.deb
  to main/p/php5/php5-dev_5.3.6-11_amd64.deb
php5-enchant_5.3.6-11_amd64.deb
  to main/p/php5/php5-enchant_5.3.6-11_amd64.deb
php5-fpm_5.3.6-11_amd64.deb
  to main/p/php5/php5-fpm_5.3.6-11_amd64.deb
php5-gd_5.3.6-11_amd64.deb
  to main/p/php5/php5-gd_5.3.6-11_amd64.deb
php5-gmp_5.3.6-11_amd64.deb
  to main/p/php5/php5-gmp_5.3.6-11_amd64.deb
php5-imap_5.3.6-11_amd64.deb
  to main/p/php5/php5-imap_5.3.6-11_amd64.deb
php5-interbase_5.3.6-11_amd64.deb
  to main/p/php5/php5-interbase_5.3.6-11_amd64.deb
php5-intl_5.3.6-11_amd64.deb
  to main/p/php5/php5-intl_5.3.6-11_amd64.deb
php5-ldap_5.3.6-11_amd64.deb
  to main/p/php5/php5-ldap_5.3.6-11_amd64.deb
php5-mcrypt_5.3.6-11_amd64.deb
  to main/p/php5/php5-mcrypt_5.3.6-11_amd64.deb
php5-mysql_5.3.6-11_amd64.deb
  to main/p/php5/php5-mysql_5.3.6-11_amd64.deb
php5-odbc_5.3.6-11_amd64.deb
  to main/p/php5/php5-odbc_5.3.6-11_amd64.deb
php5-pgsql_5.3.6-11_amd64.deb
  to main/p/php5/php5-pgsql_5.3.6-11_amd64.deb
php5-pspell_5.3.6-11_amd64.deb
  to main/p/php5/php5-pspell_5.3.6-11_amd64.deb
php5-recode_5.3.6-11_amd64.deb
  to main/p/php5/php5-recode_5.3.6-11_amd64.deb
php5-snmp_5.3.6-11_amd64.deb
  to main/p/php5/php5-snmp_5.3.6-11_amd64.deb
php5-sqlite_5.3.6-11_amd64.deb
  to main/p/php5/php5-sqlite_5.3.6-11_amd64.deb
php5-sybase_5.3.6-11_amd64.deb
  to main/p/php5/php5-sybase_5.3.6-11_amd64.deb
php5-tidy_5.3.6-11_amd64.deb
  to main/p/php5/php5-tidy_5.3.6-11_amd64.deb
php5-xmlrpc_5.3.6-11_amd64.deb
  to main/p/php5/php5-xmlrpc_5.3.6-11_amd64.deb
php5-xsl_5.3.6-11_amd64.deb
  to main/p/php5/php5-xsl_5.3.6-11_amd64.deb
php5_5.3.6-11.diff.gz
  to main/p/php5/php5_5.3.6-11.diff.gz
php5_5.3.6-11.dsc
  to main/p/php5/php5_5.3.6-11.dsc
php5_5.3.6-11_all.deb
  to main/p/php5/php5_5.3.6-11_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 626640@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 May 2011 22:15:32 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.6-11
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 626640
Changes: 
 php5 (5.3.6-11) unstable; urgency=low
 .
   * Use more reasonable default number of processes for PHP5-FPM
   * Enable firebird support everywhere also in debian/rules
   * Don't delete still used session files (Closes: #626640)
   * Enable building of php5-interbase by adding Architecture: any
     to debian/control
   * Use dh_prep instead of dh_clean -k
Checksums-Sha1: 
 ae28ce6c2134ad67e0ae2de630e460e20ee23b9f 2622 php5_5.3.6-11.dsc
 6bd0d2b1bca286eaf316da27c1824a2d6c42f5f0 193145 php5_5.3.6-11.diff.gz
 18812a7eedcbf3f8d211811c5b030a8101031421 555506 php5-common_5.3.6-11_amd64.deb
 7ce338c8ba2de1143da7dcd6fad4a8d0a8fa422f 3068186 libapache2-mod-php5_5.3.6-11_amd64.deb
 893c4c4025a233dbea0433c9e8ae06291ba6065d 3067634 libapache2-mod-php5filter_5.3.6-11_amd64.deb
 b1d4e70d95b6130cada23828d18d1f7670a62065 5952262 php5-cgi_5.3.6-11_amd64.deb
 4219c9066d141bac71462950d5a93debc0b39c4b 2975484 php5-cli_5.3.6-11_amd64.deb
 d005c93c14d8b0701d2a48311ff90177cf279a69 3011666 php5-fpm_5.3.6-11_amd64.deb
 d4ce6ea30a26922fc50d73e456e07234840a64fc 410334 php5-dev_5.3.6-11_amd64.deb
 bd9c0873330ce04fd4d9973538c40d4c4c7bf6e5 12904534 php5-dbg_5.3.6-11_amd64.deb
 43c12c018ab655c03623cf775c1278cb0e616b88 27258 php5-curl_5.3.6-11_amd64.deb
 50bffeaf01530aa828bf658801ef25a562896688 9126 php5-enchant_5.3.6-11_amd64.deb
 03d987493b75cedd3a38497118bde26976034069 39406 php5-gd_5.3.6-11_amd64.deb
 297032a27d012ce6f02e5d210a9485d056c0ddba 16616 php5-gmp_5.3.6-11_amd64.deb
 91dc945c9afd3ca035b03de613de27e0f5b4c2a1 35074 php5-imap_5.3.6-11_amd64.deb
 02ee58a9f0b4861e69ff8ad2c7168ceca9630daf 49238 php5-interbase_5.3.6-11_amd64.deb
 672ca06cb7a28e0dbe583a930b0eaa6c7236222b 61048 php5-intl_5.3.6-11_amd64.deb
 16426cc22e48f4cfcf7edfb5755b138da0d9c545 19776 php5-ldap_5.3.6-11_amd64.deb
 c5533fe98e0d09005587d56f3fc78017f1d2c146 15276 php5-mcrypt_5.3.6-11_amd64.deb
 45f39f31184784c9623866a644a752e5f67dbfca 77036 php5-mysql_5.3.6-11_amd64.deb
 2ea8d71ca4cce6a7e2c103da29d5b93450a81b8e 36200 php5-odbc_5.3.6-11_amd64.deb
 37dd2c77804a16c94d27446563a4141985f1cdc0 60002 php5-pgsql_5.3.6-11_amd64.deb
 c0df5e0305f0a38575f2857b6de27804bcbe5b6f 8388 php5-pspell_5.3.6-11_amd64.deb
 6fd210b3ace55dd76c846c67bbe090c23e57b756 4344 php5-recode_5.3.6-11_amd64.deb
 30ccc64a0604143fd684d3fb4f8df420576c3973 11152 php5-snmp_5.3.6-11_amd64.deb
 e03c7e0a590e608a3b7acd773c04e742bd912409 56954 php5-sqlite_5.3.6-11_amd64.deb
 989a07ceda1e618ff5512dff72ff71c2ca36c3f0 26782 php5-sybase_5.3.6-11_amd64.deb
 06a1368b186e2d098a960e215b2f75b1cfc6baf5 18474 php5-tidy_5.3.6-11_amd64.deb
 e349491de4597b7d46489e60fbed54dda28f4d55 35328 php5-xmlrpc_5.3.6-11_amd64.deb
 55a2c0db116f593ce964c1529947f1122afa682c 13684 php5-xsl_5.3.6-11_amd64.deb
 f58204f9158f216f47299b5f16d1782168be934d 1056 php5_5.3.6-11_all.deb
 a922e3175abdd4f9077121f8a5d421c3010e9f96 366150 php-pear_5.3.6-11_all.deb
Checksums-Sha256: 
 144bae40382b711267804862436c5329f680eaa36f7b8b86f234899bddf5f5aa 2622 php5_5.3.6-11.dsc
 994685844167eb91d529dbe70a010c56d15119c25beaca14211fdc821baed99b 193145 php5_5.3.6-11.diff.gz
 f22da246b1574b07685107b70b437743cac4ef98772d8cad01da48879a4f3614 555506 php5-common_5.3.6-11_amd64.deb
 76883eb1c97095ab52fb0d447e15ce1060f59e546c66fffe2b3bd4ce89a9efa4 3068186 libapache2-mod-php5_5.3.6-11_amd64.deb
 1726a7803aa5cf490881987320bb7da3207837e0047b6b10bdc17893190c5789 3067634 libapache2-mod-php5filter_5.3.6-11_amd64.deb
 a3e988399ebcbe8242752f56968517f235f561a1d576cd29c980ba61cae7e541 5952262 php5-cgi_5.3.6-11_amd64.deb
 e95ec087bbe953bc3fa869904f304d85bc113531d7ddad6294876f1013241f4d 2975484 php5-cli_5.3.6-11_amd64.deb
 076ffc78487ce8ab35dac0fbf5649b557e6ce4b42eb7837b27cd10af0a33e48a 3011666 php5-fpm_5.3.6-11_amd64.deb
 03b2dbec979595045d15cbd0485fe6f2fb2948ad8462af8fccb679dfab92b527 410334 php5-dev_5.3.6-11_amd64.deb
 df6abefce7e1b57438fef3ce84546c256c722aec064019599d757228c553241e 12904534 php5-dbg_5.3.6-11_amd64.deb
 e1e309c984d54523df9ca6f32cad84fe91b9b4f19169c9446923b3611d2653ea 27258 php5-curl_5.3.6-11_amd64.deb
 d8f5e4e333d02d74029289ee225ab055e497b77ec499bfa1152a89b4de836295 9126 php5-enchant_5.3.6-11_amd64.deb
 4af9366ba75f3ee6c08dd12659d1b1701cf1b49a2ec3415ca9d3a8c7c78315a3 39406 php5-gd_5.3.6-11_amd64.deb
 3df9dc0c0b939e18aa7ee1eb326288f2e5f72439232327aac7eeebb51e488d72 16616 php5-gmp_5.3.6-11_amd64.deb
 73897f3b3678596e4a62e5b6df8cb0f65fb39ae1d489edd36499c9f0f731f5dd 35074 php5-imap_5.3.6-11_amd64.deb
 0a22dcfe708c9eac0a44af72732293fd12829f66c4bd421169c13e4f42766ec5 49238 php5-interbase_5.3.6-11_amd64.deb
 4ec50683ce4767f4c4904d40b43d7212ab1b003e17ee7818fba5a8a2f1ef33e6 61048 php5-intl_5.3.6-11_amd64.deb
 70d7d23b2566c748ff7b6d73c5da6a0ead1e5ded8ed50d324f0ed0fcdeec5911 19776 php5-ldap_5.3.6-11_amd64.deb
 b56efcdafaf8d9ca3db0982352b6b3127116cfe0024d9a6ccb6b3bc14605b0aa 15276 php5-mcrypt_5.3.6-11_amd64.deb
 b1e49faa36932fa2688fefc595464ff7855e39a64f98bf340501d0fc3ef2520c 77036 php5-mysql_5.3.6-11_amd64.deb
 10a1c737a98b534fee33e8e26ea332542c295151062e4a9a70d766fe66dc3234 36200 php5-odbc_5.3.6-11_amd64.deb
 7edd15b9f17541ad891e4c040d447f7594134ad4537573e448ef4678d53fc52d 60002 php5-pgsql_5.3.6-11_amd64.deb
 c7a2f611697fdc6d91ab2992a5299371e05a1a4588fd759d5728008a3685ff6f 8388 php5-pspell_5.3.6-11_amd64.deb
 17f45cdb272b0d174145bc87b287c9b61167298986e8b7621a3b5b634ee2929b 4344 php5-recode_5.3.6-11_amd64.deb
 663acac31f395bf044220724bc8087044c2cfb09957034c4a2b9676846aeeb6f 11152 php5-snmp_5.3.6-11_amd64.deb
 921dbb58ca9584776b3bd7a32eb88177e0df78ce4c97eec9637871e6e1ae8216 56954 php5-sqlite_5.3.6-11_amd64.deb
 a86d28e030a8b12380aea5089450283e3ede4704e745fc995cb0a77b791e427f 26782 php5-sybase_5.3.6-11_amd64.deb
 7dec4bcf4c6489450b6b02e62031a09e37f149db0685fa5f25a1b04f86007e66 18474 php5-tidy_5.3.6-11_amd64.deb
 95d12b6221c8352205364eb84e740e1025cf1739401c0b741f801f536d24ec20 35328 php5-xmlrpc_5.3.6-11_amd64.deb
 6b5bb1f57ee166a5bfe17eac977a56e465948434aa35792fc4c99b77bf767c20 13684 php5-xsl_5.3.6-11_amd64.deb
 141db0cb6b15eee04a269457a42c969a67bcc63ae0885a56a75d576dd457bbf8 1056 php5_5.3.6-11_all.deb
 b01cdc75eb6b6ddd52574ff6d92385cba83cfcb2fd2b1dbfcef48c21054bd815 366150 php-pear_5.3.6-11_all.deb
Files: 
 bd0ae59758acc3ea664f76f046efeb24 2622 php optional php5_5.3.6-11.dsc
 b4c10fda90f15308bce8554df30e509b 193145 php optional php5_5.3.6-11.diff.gz
 7aab85c4aca35e5edba87c7835852210 555506 php optional php5-common_5.3.6-11_amd64.deb
 3e77f48dc0d2d8626e2938ae745f03f7 3068186 httpd optional libapache2-mod-php5_5.3.6-11_amd64.deb
 f4b8ef5b9f45199fc98a37c5d8aeef26 3067634 httpd extra libapache2-mod-php5filter_5.3.6-11_amd64.deb
 d2f7f7ee9ecadfa81a600110b135fe29 5952262 php optional php5-cgi_5.3.6-11_amd64.deb
 88a61f784ed6c8364e22d46d4a25ba80 2975484 php optional php5-cli_5.3.6-11_amd64.deb
 890736694d833320693079baf815f665 3011666 php optional php5-fpm_5.3.6-11_amd64.deb
 21fe8153ab5be09215239a86d9139d32 410334 php optional php5-dev_5.3.6-11_amd64.deb
 aab13023d5f19499ff15f7e66cb9edd7 12904534 debug extra php5-dbg_5.3.6-11_amd64.deb
 8e46ad6df5d1b9c7e7c3690d5f6499b0 27258 php optional php5-curl_5.3.6-11_amd64.deb
 4bbc822d4a1ceb2e3041e735561d79aa 9126 php optional php5-enchant_5.3.6-11_amd64.deb
 4db110684a0949140031db83d7fbc456 39406 php optional php5-gd_5.3.6-11_amd64.deb
 bb6d7a513bfebaa7caa3698004655cf2 16616 php optional php5-gmp_5.3.6-11_amd64.deb
 9930d24b849f24d1ed75e4567bd9a559 35074 php optional php5-imap_5.3.6-11_amd64.deb
 1873a95b2980b4b5ea684d143a2081d8 49238 php optional php5-interbase_5.3.6-11_amd64.deb
 aeada1f0a6e2f0ee6fadf5c7a517e83c 61048 php optional php5-intl_5.3.6-11_amd64.deb
 af18a18b4382b5915986ee0456c53311 19776 php optional php5-ldap_5.3.6-11_amd64.deb
 181a29a00cb5800ce895c1d80bfbd494 15276 php optional php5-mcrypt_5.3.6-11_amd64.deb
 ba8a3a87dd0212f457e34b199910edde 77036 php optional php5-mysql_5.3.6-11_amd64.deb
 34690ed7243be4dbd48c3fdba50e9ae5 36200 php optional php5-odbc_5.3.6-11_amd64.deb
 a265e069410ca3a94c8f246dffcb3e55 60002 php optional php5-pgsql_5.3.6-11_amd64.deb
 b05cbbeb62c7bcfe40a747842fbc94b9 8388 php optional php5-pspell_5.3.6-11_amd64.deb
 612f4de96fb9c3676d19e943f2a63e24 4344 php optional php5-recode_5.3.6-11_amd64.deb
 6b191325316b98589b4e1f9a12ec4b2c 11152 php optional php5-snmp_5.3.6-11_amd64.deb
 19ff615ff82a50fa43fdd50ea95931db 56954 php optional php5-sqlite_5.3.6-11_amd64.deb
 5cd53849cd59785480cec3bd2b4c74e7 26782 php optional php5-sybase_5.3.6-11_amd64.deb
 77a0c9fe5e7db4171a0535406fe06774 18474 php optional php5-tidy_5.3.6-11_amd64.deb
 c8846b355fbaeb694feda47ef38be8ee 35328 php optional php5-xmlrpc_5.3.6-11_amd64.deb
 a684cc0c978bfdeac020b7c8edfd50a5 13684 php optional php5-xsl_5.3.6-11_amd64.deb
 ed75eef98a618734d0267a4aa9efed4d 1056 php optional php5_5.3.6-11_all.deb
 edd32f7b98cfb71035b13a3bcbf21f02 366150 php optional php-pear_5.3.6-11_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3O7TwACgkQ9OZqfMIN8nPM0ACdEMent8g9dSN67HrT70YCHBUs
CaAAoKKf3iYmWne8D4AtnLIhw34akunY
=FW0C
-----END PGP SIGNATURE-----

Message #42 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Marcus Cobden <spam@marcuscobden.co.uk>

To: 626640@bugs.debian.org

Subject: Re: Bug#626640 closed by Ondřej Surý <ondrej@debian.org> (Bug#626640: fixed in php5 5.3.6-11)

Date: Mon, 16 May 2011 14:37:29 +0100

On 15/05/2011 13:51, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the php5-common package:
>
> #626640: Premature session file deletion
>
> It has been closed by Ondřej Surý<ondrej@debian.org>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Ondřej Surý<ondrej@debian.org>  by
> replying to this email.
>
>
It's good to have the input of the more experienced and security aware on this fix.

Swift work!
Thanks

Message #47 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Marcus Cobden <debian-bugs@marcuscobden.co.uk>

To: 626640@bugs.debian.org

Subject: Small optimization

Date: Mon, 16 May 2011 14:52:29 +0100

Here's (what I hope is) a small optimisation to Bob's solution.

* fuser returns non-zero if the files aren't in use
* since we only need the argument once, we probably don't need a shell

Can you guys check this over for me?

find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
	-cmin +$(/usr/lib/php5/maxlifetime) \
	! -execdir fuser -s {} \; \
	-delete

Message #52 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Marcus Cobden <debian-bugs@marcuscobden.co.uk>, 626640@bugs.debian.org, Bob Proulx <bob@proulx.com>

Subject: Re: [php-maint] Bug#626640: Small optimization

Date: Mon, 16 May 2011 16:19:31 +0200

Hmm, that looks like a nice optimization. Bob, what do you think?

-s (suppresses the output of fuser)

O.

On Mon, May 16, 2011 at 15:52, Marcus Cobden
<debian-bugs@marcuscobden.co.uk> wrote:
> Here's (what I hope is) a small optimisation to Bob's solution.
>
> * fuser returns non-zero if the files aren't in use
> * since we only need the argument once, we probably don't need a shell
>
> Can you guys check this over for me?
>
> find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f \
>        -cmin +$(/usr/lib/php5/maxlifetime) \
>        ! -execdir fuser -s {} \; \
>        -delete
>
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #57 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Bob Proulx <bob@proulx.com>

To: Ondřej Surý <ondrej@debian.org>, 626640@bugs.debian.org

Cc: Marcus Cobden <debian-bugs@marcuscobden.co.uk>

Subject: Re: Bug#626640: [php-maint] Bug#626640: Small optimization

Date: Mon, 16 May 2011 12:11:18 -0600

Ondřej Surý wrote:
> Marcus Cobden wrote:
> > Here's (what I hope is) a small optimisation to Bob's solution.
>
> Hmm, that looks like a nice optimization. Bob, what do you think?

Two ways of doing this under discussion:

  a)   -execdir sh -c 'test -z "$(fuser "$0")"' {} \;

  b)   ! -execdir fuser -s {} \;

Certainly option b is prettier!  I like it and wish I had suggested
it.  :-)  Let me analyze the behavior of the two methods.

  File is busy case:

    fuser produces no output to stderr
    fuser produces output to stdout ; Option a) would not invoke -delete
    fuser exits 0                   ; Option b) would not invoke -delete

  File is not busy case:

    fuser produces no output to stderr
    fuser produces no output to stdout ; Option a) would invoke -delete
    fuser exits 1                      ; Option b) would invoke -delete

  An error occurs case:

    fuser produces output to stderr
    (If fuser errors then -delete might error too and find will emit
    output to stderr in this case too.)
    fuser produces no output to stdout ; Option a) would invoke -delete
    fuser exits 1                      ; Option b) would invoke -delete

Everything seems equivalent.  With option b much prettier I vote for
the option b suggestion from Marcus.

Thanks Marcus for jumping in with that suggestion!

Bob

Message #62 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Marcus Cobden <spam@marcuscobden.co.uk>

To: Bob Proulx <bob@proulx.com>

Cc: Ondřej Surý <ondrej@debian.org>, 626640@bugs.debian.org, Marcus Cobden <debian-bugs@marcuscobden.co.uk>

Subject: Re: Bug#626640: [php-maint] Bug#626640: Small optimization

Date: Mon, 16 May 2011 22:14:47 +0100

On 16/05/2011 19:11, Bob Proulx wrote:
> Everything seems equivalent.  With option b much prettier I vote for
> the option b suggestion from Marcus.
>
> Thanks Marcus for jumping in with that suggestion!
>
> Bob
No problem :)
I've learned a lot about the find utility from this bug report, and what we've ended up with is a lot better than what I originally proposed!

Marcus

Message #67 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Marcus Cobden <debian-bugs@marcuscobden.co.uk>

To: 626640@bugs.debian.org

Subject: Cron spam

Date: Mon, 23 May 2011 14:23:53 +0100

I've been running the updated crontab on a server since my last email and have been getting emails like this from the cron daemon:

Cannot stat file /proc/8419/fd/1: No such file or directory
Cannot stat file /proc/8419/fd/2: No such file or directory
Cannot stat file /proc/8419/fd/3: No such file or directory

I presume it's fuser printing this as the files its been told to look at no longer exist.
(They've probably been garbage collected by php)

Would it be safe to add a "2> /dev/null" to this? Are there any other error conditions we might actually want to hear about?

Message #72 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Bob Proulx <bob@proulx.com>

To: Marcus Cobden <debian-bugs@marcuscobden.co.uk>, 626640@bugs.debian.org

Subject: Re: Bug#626640: Cron spam

Date: Mon, 23 May 2011 11:10:39 -0600

Marcus Cobden wrote:
> I've been running the updated crontab on a server since my last email and have been getting emails like this from the cron daemon:
> 
> Cannot stat file /proc/8419/fd/1: No such file or directory
> Cannot stat file /proc/8419/fd/2: No such file or directory
> Cannot stat file /proc/8419/fd/3: No such file or directory
> 
> I presume it's fuser printing this as the files its been told to
> look at no longer exist.
> (They've probably been garbage collected by php)

I think that is odd to be getting those messages and I don't
understand why they would be happening.  It wouldn't be from php
garbage collecting.  I think (but am not sure) that it must be a race
between a process active on the session file going away during exit
such that the /proc/$pid still exists but that the files associated
with it have already been cleaned up.  If that is the issue then I
think you must have a very active system indeed to be seeing this with
any regularity.  I have a very quiet system and I have not seen that
message.  I tried to trigger it but was unable to do so. (shrug)

Are you sure the message is coming from fuser?  Can you run the
commands manually and verify this?  I am thinking of something simple
such as this:

  # for f in /var/lib/php5/*; do echo $f; fuser -s $f; done

> Would it be safe to add a "2> /dev/null" to this? Are there any
> other error conditions we might actually want to hear about?

That would probably be fine.  I won't object (like I did before) to
it.  But here is my concern about ignoring errors.

If fuser experiences an error then the exit code will be non-zero.  As
currently constructed if the fuser exit code is non-zero then find
will invoke the -delete action.  If we ignore errors then it is
possible for fuser to *always* experience an error, -delete always to
be called, and no one would ever know.  At that point the reason for
having added the fuser in the first place would not be getting
addressed at all.  In that case it might as well not be there.  It
would be exactly the same as before when you filed the original bug
report.  Since the code needs to work in order to address this problem
that you reported then if we ignore errors it might very well never
actually address the problem.  Ignoring errors historically often
creates situations such as this and so makes me nervous unless it is
fully understood.

Bob

Message #77 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Bob Proulx <bob@proulx.com>, 626640@bugs.debian.org

Cc: Marcus Cobden <debian-bugs@marcuscobden.co.uk>

Subject: Re: [php-maint] Bug#626640: Cron spam

Date: Fri, 3 Jun 2011 10:58:47 +0200

Hi,

yes, it looks like race condition in fuser.c indeed...

But it needs to be fixed in psmisc.

You can silence your cron by doing:

fuser -s {} 2>/dev/null

But I think the correct way is to fix fuser to not print the error in
case of ENOENT (See #629048).

O.

On Mon, May 23, 2011 at 19:10, Bob Proulx <bob@proulx.com> wrote:
> Marcus Cobden wrote:
>> I've been running the updated crontab on a server since my last email and have been getting emails like this from the cron daemon:
>>
>> Cannot stat file /proc/8419/fd/1: No such file or directory
>> Cannot stat file /proc/8419/fd/2: No such file or directory
>> Cannot stat file /proc/8419/fd/3: No such file or directory
>>
>> I presume it's fuser printing this as the files its been told to
>> look at no longer exist.
>> (They've probably been garbage collected by php)
>
> I think that is odd to be getting those messages and I don't
> understand why they would be happening.  It wouldn't be from php
> garbage collecting.  I think (but am not sure) that it must be a race
> between a process active on the session file going away during exit
> such that the /proc/$pid still exists but that the files associated
> with it have already been cleaned up.  If that is the issue then I
> think you must have a very active system indeed to be seeing this with
> any regularity.  I have a very quiet system and I have not seen that
> message.  I tried to trigger it but was unable to do so. (shrug)
>
> Are you sure the message is coming from fuser?  Can you run the
> commands manually and verify this?  I am thinking of something simple
> such as this:
>
>  # for f in /var/lib/php5/*; do echo $f; fuser -s $f; done
>
>> Would it be safe to add a "2> /dev/null" to this? Are there any
>> other error conditions we might actually want to hear about?
>
> That would probably be fine.  I won't object (like I did before) to
> it.  But here is my concern about ignoring errors.
>
> If fuser experiences an error then the exit code will be non-zero.  As
> currently constructed if the fuser exit code is non-zero then find
> will invoke the -delete action.  If we ignore errors then it is
> possible for fuser to *always* experience an error, -delete always to
> be called, and no one would ever know.  At that point the reason for
> having added the fuser in the first place would not be getting
> addressed at all.  In that case it might as well not be there.  It
> would be exactly the same as before when you filed the original bug
> report.  Since the code needs to work in order to address this problem
> that you reported then if we ignore errors it might very well never
> actually address the problem.  Ignoring errors historically often
> creates situations such as this and so makes me nervous unless it is
> fully understood.
>
> Bob
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #82 received at 626640@bugs.debian.org (full text, mbox, reply):

From: Bryce Nesbitt <bryce2@obviously.com>

To: 626640@bugs.debian.org

Subject: Moreover...

Date: Thu, 09 Jun 2011 21:28:23 -0700

Adding to this: this script adds a twice an hour cron job, even if there 
is no webserver running at all.
This is laptop unfriendly.

/etc/cron.d/php5 should also get comments, so those of us seeing "why is 
my laptop not sleeping" can track it down.
But better yet, find a less awkward way to clean up the session files 
(or, lack of session files).  There are a few of us
that use php as a server side language without any apache/php 
involvement at all.

Send a report that this bug log contains spam.