Opened 14 years ago

Closed 10 years ago

#4 closed defect (invalid)

Cleaning /tmp sessions

Reported by: broder
Owned by:
Priority: minor
Milestone:
Component: web
Keywords:
Cc:

Description

scripts should do something more clever than

0 5 * * * /usr/bin/find /tmp/sessions/ -type f | /usr/bin/xargs /bin/rm -rf >/dev/null 2>&1

(Taken from RT #436572)

Change History (2)

comment:1 Changed 14 years ago by broder

I'm extremely concerned about root's cron script on better-mousetrap:

0 5 * * * /usr/bin/find /tmp/sessions/ -type f | /usr/bin/xargs /bin/rm -rf >/dev/null 2>&1

for two reasons. One, its security is thoughtless; someone could put a file in /tmp/sessions with spaces in the name, and get some arbitrary file rm -rf'd as root from wherever the cron script runs. Two, it does not have any kind of check on the file's access time; someone that creates a session at 4:58 will lose it two minutes later, as will someone that has been using their session continually up until that time.

For now, I've disabled it (along with ntpdate, which should not be used along with a real NTP server).

Anders
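
The two problems raised in comment:1, reproduced in a throwaway directory as an added example (not part of the ticket or of the project's scripts): how xargs splits a file name containing a space into separate arguments, and a cleanup that avoids the split and checks access time. The helper names, file names and the 60-minute idle limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed sandbox, nothing outside a mktemp directory is touched.

# What the ticket's pipeline hands to rm: xargs splits find's output on
# whitespace, so one file name can become several arguments. printf stands
# in for /bin/rm -rf so the arguments are listed instead of deleted.
naive_args() {
    find "$1" -type f | xargs printf '%s\n'
}

# Hardened cleanup (hypothetical helper): find deletes the entries itself, so
# names never pass through a word-splitting parser, and only files not
# accessed for more than $2 minutes are removed.
# Assumes a find with -amin and -delete (GNU, BSD) and a filesystem that maintains atime.
clean_sessions() {
    find "$1" -xdev -type f -amin +"$2" -delete
}

# Constructed sample data: one fresh session, one stale session with a space in its name.
demo_setup() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sessions"
    : > "$d/sessions/sess_live"
    : > "$d/sessions/sess_old important"
    touch -a -t 200001010000 "$d/sessions/sess_old important"  # stale atime
    printf '%s\n' "$d"
}

demo() {
    d=$(demo_setup) || return 1
    echo "arguments rm would receive from the original pipeline:"
    naive_args "$d/sessions"
    clean_sessions "$d/sessions" 60
    echo "left after clean_sessions (60 min idle limit):"
    ls "$d/sessions"
    rm -rf "$d"
}

demo
```

The bare word `important` in the first listing is the argument that rm would resolve against the cron job's working directory; the second listing shows that only the recently used session survives the cleanup.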

comment:2 Changed 10 years ago by achernya

  • Resolution set to invalid
  • Status changed from new to closed