3

Any ideas on why apache (httpd) creates these files in /tmp? I'm on Redhat 5.5 and Apache 2.2, mpm-prefork.

-rw-------. 1 apache   apache       0 Aug 14 12:46 filec1puD5
-rw-------. 1 apache   apache       0 Aug 14 12:46 fileKJqaih
-rw-------. 1 apache   apache       0 Aug 14 12:46 fileB7j9Ws
-rw-------. 1 apache   apache       0 Aug 14 12:46 file1o7MCE
-rw-------. 1 apache   apache       0 Aug 14 12:46 filefqAvjQ
-rw-------. 1 apache   apache       0 Aug 14 12:46 filexjpv01

Sometimes, I see dozens of these, and I always delete them, but haven't found anything on why or how these files are generated in the first place. Error logs look clean, albeit, they're set to Error.

Update: Application is Drupal 7, running on PHP 5.3.2.

KM.
  • 1,746
  • 2
  • 18
  • 31
  • 2
    These could be files written by applications running on it or apache itself could be creating them for sessions/fileuploads.. – Chida Aug 14 '12 at 18:15
  • @Chida: Thanks for dropping in. Should these file be deleted when the application is done with the sessions/file uploads? It doesn't appear to be. Updated my question with application info. – KM. Aug 14 '12 at 18:29

2 Answers2

2

/tmp is PHP's default folder for session data. You can change this by editing the "session_save_path" in your php.ini file. The being said, various scripts could write various session data here.

There are cases where lax permissions in this folder have led to vulnerabilities (UID/Symlink attacks), so if you suspect these files don't line up with what your PHP application is expected to be doing, I might recommend redirecting your PHP sesion files and watching this area closely.

Univ426
  • 2,139
  • 14
  • 26
  • Are these files recycled after the process/session ends? They don't appear to be. Is there a way to tie a file to a process/session? `lsof`? – KM. Aug 23 '12 at 14:04
  • 1
    You could in theory use lsof to see what process ID touches the files, however I wouldn't know how to translate that PID into a PHP sessions, maybe someone else here does. As for grabage collection, my understanding is PHP does include session files in it's cleanup routines. If they aren't being removed I'd look into why they're not being included. http://www.appnovation.com/session-garbage-collection-php – Univ426 Aug 24 '12 at 00:37
-1

Typically session files are written as sess_xxx. These files may be temporary remnants of file uploads. When a enduser uploads a file, these files are written to /tmp and once completely uploaded, they are moved off to their actual destination.

Can you try doing a less on these files? I'm not sure if these files are binary. Also run file command on any of these files.

Chida
  • 2,471
  • 1
  • 16
  • 29