From owner-freebsd-ports@FreeBSD.ORG Thu Sep 10 18:50:02 2009
Return-Path:
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EDE7C1065670 for ; Thu, 10 Sep 2009 18:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id DD0888FC0A for ; Thu, 10 Sep 2009 18:50:02 +0000 (UTC)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n8AIo2jq071381 for ; Thu, 10 Sep 2009 18:50:02 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n8AIo265071380; Thu, 10 Sep 2009 18:50:02 GMT (envelope-from gnats)
Date: Thu, 10 Sep 2009 18:50:02 GMT
Message-Id: <200909101850.n8AIo265071380@freefall.freebsd.org>
To: freebsd-ports@FreeBSD.org
From: Miroslav Lachman <000.fbsd@quip.cz>
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Miroslav Lachman <000.fbsd@quip.cz>
List-Id: Porting software to FreeBSD
X-List-Received-Date: Thu, 10 Sep 2009 18:50:03 -0000

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org, andzinsm@volt.iem.pw.edu.pl
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

Yes, it is clear now, and with owner root it works.

I propose to make this optional, as somebody has /tmp optimized for better speed (another disk device, flash device, RAM disk etc.) but not /var/lib/php5. And FreeBSD doesn't have /var/lib by default (/var/lib/* is mostly used by some Linux distributions). I am not sure if it is the right place to put these files, according to man hier(7).

The next thing to think about is that /tmp is (or easily can be) cleared at system startup, but /var/*/* is not.

If we do some change in the default php.ini, it affects more than just "files are moved to another place", so things need to be done carefully. Maybe leave the default as is and put these hardening steps in comments in php.ini, then anybody can make their own decision.
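As an added example (not part of the reply above or of the lang/php5 port), the following POSIX shell script creates a dedicated session directory outside /tmp and audits the two properties the discussion turns on: who owns it, and whether other local users can list or write into it. The path /var/db/php/sessions, the web server user "www" and the modes 0700 (directory owned by the web user) and 1733 (root-owned, sticky, write-only for everyone else) are assumptions chosen for illustration, not anything the port ships. The script parses `ls -ld` instead of stat(1), whose format flags differ between FreeBSD and Linux, so it runs unchanged on both.

```shell
#!/bin/sh
# Added example, not code from the PR or the lang/php5 port.
# Assumed values: session directory /var/db/php/sessions, web server user
# "www", modes 0700 (owned by the web user) or 1733 (owned by root, sticky,
# write-only for everyone else). Adjust to the local layout.

# setup_session_dir DIR OWNER MODE
# Creates DIR with MODE. chown needs root, so it is skipped when not root.
setup_session_dir() {
    mkdir -p "$1" || return 1
    chmod "$3" "$1" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1" || return 1
    fi
    return 0
}

# check_session_dir DIR EXPECTED_OWNER
# Exits 0 only when DIR is owned by EXPECTED_OWNER, is not world-readable
# (listing it would expose the session IDs embedded in sess_* file names)
# and is not world-writable unless the sticky bit is set.
check_session_dir() {
    dir=$1
    want_owner=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # "ls -ld" prints "mode links owner group ..." on both FreeBSD and Linux.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    other=$(printf '%s' "$mode" | cut -c8-10)   # permission triplet for "other"
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    case $other in
        r??)
            echo "$dir: world-readable, other users can list session files" >&2
            return 1 ;;
    esac
    case $other in
        ?w[tT]) ;;   # sticky: others may create files but not remove or rename them
        ?w?)
            echo "$dir: world-writable without the sticky bit" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone use: sh session_dir_audit.sh DIR OWNER
if [ $# -ge 2 ]; then
    check_session_dir "$1" "$2" && echo "$1: ok"
fi
```

Once a directory passes the check, php.ini would point `session.save_path` at it. The audit refuses a world-readable directory because PHP names session files `sess_<session id>`, so a plain directory listing by any local user reveals live session IDs; it accepts a world-writable directory only with the sticky bit set, which is the layout in which a root-owned directory still accepts session files from the web server user while preventing other users from removing or renaming them.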