potential problem of AbstractLockedCommand in certain hosting environments

[fritzmg]

Currently, the location of the lock files for the AbstractLockedCommand is created like this:

contao/core-bundle/src/Command/AbstractLockedCommand.php

Line 60 in 19db085

$tmpDir = sys_get_temp_dir().'/'.md5($container->getParameter('kernel.project_dir'));

This could be a problem in shared hosting environments, where websites are located within the user's /home directory.

For example user A creates a Contao 4 website in /home/www/contao4.

When a user B on the same server tries to do the same, he might encounter the following problem

Error thrown while running command "contao:install-web-dir --env=prod". Message: "The directory "/tmp/51d08576c1a6c36f0b6b9881a08042ec" is not writable." ["exception" => Symfony\Component\Filesystem\Exception\IOException { …},"command" => "contao:install-web-dir --env=prod","message" => "The directory "/tmp/51d08576c1a6c36f0b6b9881a08042ec" is not writable."]

In LockHandler.php line 56:

  The directory "/tmp/51d08576c1a6c36f0b6b9881a08042ec" is not writable.

since $container->getParameter('kernel.project_dir') will simply be /home/www/contao4 for both users, but that directory was already created for user A and thus user B has no access rights for that directory.

Of course this is only a problem if two users on the same server happen to use the same directory name for their Contao 4 installation (chosing the name "contao" or "contao4" seems pretty common from what I have seen though).

Related:

• [RFC] change lock file directory core-bundle#1605
• Allow to customize tmp dir #143

[leofeyer]

How can the installation path of two different users ever be the same? Would it not be /home/www/userA/contao4 and /home/www/userB/contao4?

[BugBuster1701]

Both have the same Temp directory "/tmp".
Directory "51d08576c1a6c36f0b6b9881a08042ec" was created by user A. Now user B wants to create it with the same name.

But right, shouldn't "kernel.project_dir" be different?

[leofeyer]

Yes, but how can the md5 hash be the same? The cannot both use /home/www/contao4 for their installation, can they?

[fritzmg]

They can. I am no expert in Linux administration so I don't know how this is done, but at least on the shared hosting servers of webgo, the user home directory is simply

/home

Thus kernel.project_dir will not contain the username.

Though may be webgo uses virtualisation? If so, then it would not be an issue there.

[leofeyer]

I see. They are using a chroot environment but apparently they are not mapping the php.ini parameter sys_temp_dir into this chroot environment? Can you check with them if this is intended?

[fritzmg]

webgo might, I was using webgo just as an example. But a user had the problem mentioned above ("The directory "/tmp/51d08576c1a6c36f0b6b9881a08042ec" is not writable.") on a different hoster. The hoster said that directory already belonged to another user. I wondered how that could be, hence the investigation and issue. May be that hoster is not properly mapping the temp directory into that chroot environment.

[m-vo]

Just wondering if realpath(sys_get_temp_dir()) would return anything different? (resolving the symlink to the real path)

[Toflar]

sys_temp_dir just must be configured correctly. We have to be able to rely on that. And /tmp is certainly not correct on a shared hosting.

[fritzmg]

And /tmp is certainly not correct on a shared hosting.

It isn't? Haven't seen anything else so far :)

[Toflar]

It must be a temporary dir per user, otherwise that's a potential security issue. Uberspace also had to fix that lately (https://blog.uberspace.de/2019-php-sicherheitslucke/ - in German).

[fritzmg]

Agreed :)