On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote
> The following reply was made to PR ports/138698; it has
> been noted by GNATS.
>
> From: Miroslav Lachman <000.f...@quip.cz>
> To: bug-follo...@freebsd.org, andzi...@volt.iem.pw.edu.pl
> Cc:
> Subject: Re: ports/138698: lang/php5: PHP
>  session.save_path vulnerability
> Date: Thu, 10 Sep 2009 20:49:14 +0200
>
> Yes, it is clear now and with owner root, it works.
>
> I propose to make this optional, as somebody has /tmp
> optimized for better speed (another disk device, flash
> device, RAM disk etc.) but not /var/lib/php5. And FreeBSD
> doesn't have /var/lib by default. (/var/lib/* is mostly
> used by some Linux distributions). I am not sure if it is
> the right place to put these files, according to man
> hier(7). Next thing to think about is, that /tmp is (or
> easily can be) cleared at system startup, but /var/*/*
> not. If we do some change in default php.ini, it affects
> more than just "files are moved to another place", so
> things need to be done carefully.
>
> Maybe leave the default as is and put these hardening
> steps in comments in php.ini, then anybody can make their
> own decision.

UPDATING msg would be in place, too IMO.

--
Piotr Smyrak
piotr.smy...@heron.pl