PHP cannot read sessions from NFS share

温柔的废话 2021-01-03 03:07

I'm storing my PHP session files on a NFS share. The issue is, that PHP always creates an empty session file, but cannot read/write from it, so for each page reload a new f

2 answers
  •  独厮守ぢ
    2021-01-03 03:42

    I think I have found the root cause of this issue, which I also ran into when upgrading from PHP 5.5.10 to 5.6.5.

    The PHP 5.5.12 changelog lists the following bugfix:

    When the session.save_path is a directory that everyone can write into (like on Debian), even if it's not possible to find the IDs of existing sessions, a local attacker can just create a new session file with malicious session data, chmod it to 666 and access any webapp hosted on the system with the session ID he chose. The webapp then opens the session file and treats it as if it had created it. My fix: fstat() the session, check the uid that created the file. If it's neither the result of getuid() nor uid 0, ignore the existing file.

    In a nutshell, they stop writing session data if they discover the newly created session file is not owned by the user account running Apache, or root. Which is rather ridiculous, as NFS implements its security at different levels, but is normally deployed with the remote UID/GID mappings, and oft squashed. Thus the Apache user doesn't own the file anymore from the microsecond it has created it. This means that, from PHP 5.5.12 onwards (or 5.4.28 which contains the same 'fix'), it's become impossible to store session data on most stock NFS servers.
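The ownership check the answer describes can be reproduced as a diagnostic before moving `session.save_path` to a share. The following script is an added example, not code from the original thread or from PHP itself: it writes a probe file into the save path the same way the files handler would, stats it, and reports whether the owner uid equals the running uid or 0 (the rule quoted from the changelog). A mismatch is what you see on an NFS export with uid squashing, and it is the condition under which PHP 5.4.28+ / 5.5.12+ discards the file. The function name `sessionOwnerCheck` and the probe prefix are this example's own choices.

```php
<?php
// Added example (not from the original post or PHP's source): reproduce the
// session-file owner check described above so an operator can test a
// save_path before pointing session.save_path at it.

function sessionOwnerCheck(string $savePath): array
{
    // The uid PHP is running as; posix_getuid() is the reliable source when
    // the posix extension is loaded, getmyuid() is the fallback.
    $myUid = function_exists('posix_getuid') ? posix_getuid() : getmyuid();

    // Create a probe file in the save path, as the files session handler would.
    $probe = tempnam($savePath, 'sess_probe_');
    if ($probe === false || strpos($probe, $savePath) !== 0) {
        // tempnam falls back to the system temp dir when $savePath is unwritable.
        if ($probe !== false) {
            unlink($probe);
        }
        return ['ok' => false, 'reason' => "cannot create a file in $savePath"];
    }
    file_put_contents($probe, 'probe');
    clearstatcache(true, $probe);
    $ownerUid = fileowner($probe);   // same information fstat() gives PHP
    unlink($probe);

    // The rule from the changelog: owner must be us or root, else the file is ignored.
    $passes = ($ownerUid === $myUid || $ownerUid === 0);

    return [
        'ok'       => $passes,
        'my_uid'   => $myUid,
        'file_uid' => $ownerUid,
        'reason'   => $passes
            ? 'owner matches; session data will be read and written'
            : 'owner mismatch (typical of NFS uid/gid squashing); '
              . 'PHP >= 5.4.28 / 5.5.12 will ignore this session file',
    ];
}

// Run against the configured save path (falls back to the system temp dir).
$path = session_save_path() ?: sys_get_temp_dir();
print_r(sessionOwnerCheck($path));
```

Run it as the same user the web server runs as (for example with `sudo -u www-data php check.php`), because the result depends entirely on which uid creates the file and how the NFS server maps that uid. If `file_uid` differs from `my_uid` and is not 0, session storage on that export will fail exactly as the question describes, and the fix is on the export side (consistent uid mapping without squashing for the web server account) or a different session handler.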
