Lighttpd: Beware of Default PHP Session Path Permission [ session.save_path ]

Posted on in Categories lighttpd, php, Squid caching server, Troubleshooting last updated July 27, 2006

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option.

After installing phpMyAdmin I was able to login but unable to select or modify tables. First, I thought I made some configuration errors, and then I reinstalled phpMyAdmin again. It was not working at all.

Finally, php error log file provides me the answer with the following errors:

[26-Jul-2006 13:35:22] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0
[26-Jul-2006 13:35:22] PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0
[26-Jul-2006 13:35:40] PHP Warning:  Unknown: open(/var/lib/php/session/sess_lLFJ,tk9eFs5PGtWKKf559oKFM3, O_RDWR) failed: Permission denied (13) in Unknown on line 0

/var/lib/php/ has root:apache write permission combination. Since I had migrated from the Apache to Lighttpd web server, I forgot to set correct permission for session directory (php.ini – session.save_path directive). To change file owner and group permission you need to use the chown command as follows:
# chown root:lighttpd /var/lib/php/ -R

Now my phpMyAdmin is working fine.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

6 comment

    1. I agree… on /var/lib/php/session only Apache and root should have write permissions…
      Other may consider this an exploit and do some damage …

Comments are closed.