potential problem of AbstractLockedCommand in certain hosting environments #267
Comments
How can the installation path of two different users ever be the same? Would it not be
Both have the same Temp directory "/tmp". But right, shouldn't "kernel.project_dir" be different?
Yes, but how can the md5 hash be the same? They cannot both use
They can. I am no expert in Linux administration so I don't know how this is done, but at least on the shared hosting servers of webgo, the user home directory is simply
Thus Though maybe webgo uses virtualisation? If so, then it would not be an issue there.
I see. They are using a chroot environment but apparently they are not mapping the php.ini parameter
webgo might, I was using webgo just as an example. But a user had the problem mentioned above ("The directory "/tmp/51d08576c1a6c36f0b6b9881a08042ec" is not writable.") on a different hoster. The hoster said that directory already belonged to another user. I wondered how that could be, hence the investigation and issue. Maybe that hoster is not properly mapping the temp directory into that chroot environment.
Just wondering if
It isn't? Haven't seen anything else so far :)
It must be a temporary dir per user, otherwise that's a potential security issue. Uberspace also had to fix that lately (https://blog.uberspace.de/2019-php-sicherheitslucke/ - in German).
Agreed :)
Currently, the location of the lock files for the AbstractLockedCommand is created like this:
contao/core-bundle/src/Command/AbstractLockedCommand.php
Line 60 in 19db085
This could be a problem in shared hosting environments, where websites are located within the user's /home directory.
For example user A creates a Contao 4 website in /home/www/contao4.
When a user B on the same server tries to do the same, he might encounter the following problem
since $container->getParameter('kernel.project_dir') will simply be /home/www/contao4 for both users, but that directory was already created for user A and thus user B has no access rights for that directory.
Of course this is only a problem if two users on the same server happen to use the same directory name for their Contao 4 installation (choosing the name "contao" or "contao4" seems pretty common from what I have seen though).
Related:
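The collision discussed in this thread, with one way to get a per-user lock directory, as an added example that is not Contao's code and not part of the original issue. The function names and the UIDs 1001/1002 are hypothetical, and mixing the effective UID into the hash is an assumption about a possible mitigation, not the project's fix.

```php
<?php
// Added example (not Contao's code). All function names are hypothetical.

// Scheme described in the issue: md5 of kernel.project_dir under the temp dir.
function sharedLockDir(string $tmpDir, string $projectDir): string
{
    return $tmpDir.'/'.md5($projectDir);
}

// Per-user name: the effective UID is part of the hashed string.
function perUserLockName(string $tmpDir, string $projectDir, int $uid): string
{
    return $tmpDir.'/'.md5($uid.':'.$projectDir);
}

// Create the per-user directory and refuse one that somebody else prepared.
function perUserLockDir(string $tmpDir, string $projectDir, int $uid): string
{
    $dir = perUserLockName($tmpDir, $projectDir, $uid);

    // 0700 keeps other accounts out; an already existing directory is checked below.
    if (!@mkdir($dir, 0700) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create lock directory $dir");
    }

    clearstatcache(true, $dir);
    // Reject a symlink, a foreign owner, or any group/world permission bit.
    if (is_link($dir) || fileowner($dir) !== $uid || (fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("Lock directory $dir is not exclusive to uid $uid");
    }

    return $dir;
}

// Constructed scenario: two chrooted accounts see the same project path and the same /tmp.
$projectDir = '/home/www/contao4';
$tmp = sys_get_temp_dir();

foreach ([1001, 1002] as $uid) { // constructed UIDs
    printf("uid %d shared:   %s\n", $uid, sharedLockDir($tmp, $projectDir));
    printf("uid %d per-user: %s\n", $uid, perUserLockName($tmp, $projectDir, $uid));
}

// For the account running this script, the directory is actually created and verified.
if (function_exists('posix_geteuid')) {
    echo perUserLockDir($tmp, $projectDir, posix_geteuid()), PHP_EOL;
}
```

The shared path is identical for both accounts, which is the "not writable" situation reported above; the ownership and mode check matters because a predictable name in a world-writable temp directory can be created in advance by another account.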