Opened 17 years ago
Closed 13 years ago
#4 closed defect (invalid)
Cleaning /tmp sessions
Reported by: | broder | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | web | Keywords: | |
Cc: |
Description
scripts should do something more clever than
0 5 * * * /usr/bin/find /tmp/sessions/ -type f | /usr/bin/xargs /bin/rm -rf >/dev/null 2>&1
(Taken from RT #436572)
Change History (2)
comment:1 Changed 17 years ago by broder
comment:2 Changed 13 years ago by achernya
- Resolution set to invalid
- Status changed from new to closed
I'm extremely concerned about root's cron script on better-mousetrap:
0 5 * * * /usr/bin/find /tmp/sessions/ -type f | /usr/bin/xargs /bin/rm -rf >/dev/null 2>&1
for two reasons. One, its security is thoughtless; someone could put a file in /tmp/sessions with spaces in the name, and get some arbitrary file rm -rf'd as root from wherever the cron script runs. Two, it does not have any kind of check on the file's access time; someone that creates a session at 4:58 will lose it two minutes later, as will someone that has been using their session continually up until that time.
For now, I've disabled it (along with ntpdate, which should not be used along with a real NTP server).
Anders
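
One way to address both concerns raised above, as an added example that is not part of the ticket or the scripts.mit.edu configuration. The names `clean_sessions` and `demo`, the 120-minute idle threshold and the sample files are assumptions, and `-delete` requires GNU or BSD find.

```shell
#!/bin/sh
# Added example: clean_sessions, demo and the 120-minute threshold are
# hypothetical; this is not the scripts.mit.edu cron job or its fix.

# clean_sessions DIR MAX_IDLE_MINUTES
# Remove regular files under DIR whose last access AND last modification
# are both more than MAX_IDLE_MINUTES old.
clean_sessions() {
    dir=$1
    max_idle=$2
    # Reject a non-numeric threshold and a missing directory.
    case $max_idle in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    # No pipe to xargs: find unlinks each match itself, so a name with
    # spaces or newlines is never split into extra arguments for rm.
    # -xdev keeps find on the filesystem that holds DIR.
    find "$dir" -xdev -type f -amin "+$max_idle" -mmin "+$max_idle" -delete
}

# Constructed sample data in a throwaway sandbox directory.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/sessions"
    : > "$sandbox/sessions/sess_stale"
    : > "$sandbox/sessions/sess with spaces"
    : > "$sandbox/sessions/sess_fresh"
    # Backdate atime and mtime of the two stale files.
    touch -t 200001010000 "$sandbox/sessions/sess_stale" \
        "$sandbox/sessions/sess with spaces"
    clean_sessions "$sandbox/sessions" 120
    remaining=$(ls "$sandbox/sessions")
    rm -rf -- "$sandbox"
    printf '%s\n' "$remaining"
}

demo
```

On filesystems mounted with relatime a read does not always refresh atime, so a session that is only read can still look idle; the mtime test protects sessions that are being written.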