What permissions / ownership to set on PHP Sessions Folder when running FastCGI / PHP-FPM (as user "nobody")?

The correct permissions for us were:

chown -R nobody:nogroup /var/lib/php/session

as php-cgi runs as nobody, even though nginx runs as user nginx.


If you use nginx you might run into this when running a system update.

Sometimes when you update the system, the group of /var/lib/php/session is changed to apache.

Try executing sudo chgrp nginx /var/lib/php/* instead of setting permissions to 777, which is a bad practice.

That worked for me at least.


Use /etc/php.ini session.save_path directive.

A temporary solution is to set the permissions of /var/lib/php/session to 777 - I have a feeling that's not the "best practice" though.

"If you leave this set to a world-readable directory, other users on the server may be able to hijack sessions by getting the list of files in that directory."


I had to create a folder with 0700 rights in /var/lib/php/session for each php-fpm pool.

The owner of this folder is the user and group from the php-fpm pool.

And /var/lib/php/session is now 0777.

I think this method is the most secure. Only the php-fpm pool user will see these sessions.
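
One way to script the per-pool layout described in the last answer and to check it afterwards. This is an added example, not code from any of the posters; the function names and the pool name, user and paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Create and audit a per-pool PHP session directory (0700, owned by the pool user).
# Usage as root (pool name "site1" and user "site1:site1" are assumptions):
#   d=$(make_pool_dir /var/lib/php/session site1 site1:site1)
#   audit_pool_dir "$d" "$(id -u site1)"
# Then point the pool at it in its php-fpm pool file:
#   php_admin_value[session.save_path] = /var/lib/php/session/site1

# mode_of DIR -> symbolic mode from ls, e.g. "drwx------" (ACL/SELinux suffix dropped)
mode_of() { ls -ldn "$1" | awk '{print substr($1, 1, 10)}'; }

# uid_of DIR -> numeric uid of the owner
uid_of() { ls -ldn "$1" | awk '{print $3}'; }

# make_pool_dir BASE POOL [USER:GROUP]
# Creates BASE/POOL with mode 0700 and prints its path.
# chown is only attempted when USER:GROUP is given, since it needs root.
make_pool_dir() {
    dir="$1/$2"
    mkdir -p -m 0700 "$dir" || return 1
    chmod 0700 "$dir" || return 1      # also tightens a directory that already existed
    if [ -n "$3" ]; then chown "$3" "$dir" || return 1; fi
    printf '%s\n' "$dir"
}

# audit_pool_dir DIR EXPECTED_UID
# Returns 0 only if DIR is a real directory (not a symlink), owned by
# EXPECTED_UID, with no group or other permission bits set.
audit_pool_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "FAIL $1: not a plain directory"; return 1; }
    m=$(mode_of "$1")
    u=$(uid_of "$1")
    case "$m" in
        drwx------) ;;
        *) echo "FAIL $1: mode $m gives group/other access to session files"; return 1 ;;
    esac
    [ "$u" = "$2" ] || { echo "FAIL $1: owner uid $u, expected $2"; return 1; }
    echo "OK $1"
}
```

Running audit_pool_dir after a system update catches the ownership or mode change described in the earlier answers.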