I am curious why cron is used to clean up session files in Ubuntu.
I have researched it and found two links saying that:
"for the security purpose sessions are kept under root permissions. Because of that PHP Garbage Collector is not able to clean up the expired session files. For cleaning such files php has cron job which runs after every 30 minutes."
2. Debian Bug report logs - #267720
Apache has the www-data user, so I think the PHP module is also running as the www-data user (not sure about this).
If that is the case, how can PHP access the session directory, which is owned by root, to create/read session files?
Does PHP run with root permissions even though Apache has the www-data user? If PHP runs with root permissions, then how does GC fail to read session files from the sessions directory, which is owned by root?
Or does GC run as the www-data user and PHP as the root user?
In addition to that:
I have checked the user and owner of a created file in /var/lib/php/sessions, and it shows www-data:www-data for the created session file.
The permissions for /var/lib/php/sessions are drwx-wx-wt, i.e. it has the sticky bit "t".
Sticky Bit:
The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This special permission prevents a user from deleting other users' files. reference
Now, the question is: under which user is GC running? If it is running as www-data, why is it not able to delete session files?
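The mode string quoted in the post can be decoded mechanically. The following is an added example, not part of the original post or of PHP or Debian code: it models the standard Unix directory permission checks for drwx-wx-wt. The function names are hypothetical, and the directory ownership root:root is an assumption (the post only says the directory has a root owner).

```python
# Added illustration: models the standard Unix directory permission checks.
SESSION_DIR_MODE = "drwx-wx-wt"   # value quoted in the post


def parse_ls_mode(text):
    """Split an ls-style directory mode into per-class (r, w, x) and the sticky flag."""
    if len(text) != 10 or text[0] != "d":
        raise ValueError("expected a 10-character directory mode such as drwx-wx-wt")
    classes = {}
    for name, start, special in (("owner", 1, "s"), ("group", 4, "s"), ("other", 7, "t")):
        r, w, x = text[start:start + 3]
        # A lowercase s/t in the execute slot means execute AND the special bit are set.
        classes[name] = (r == "r", w == "w", x in ("x", special))
    return classes, text[9] in ("t", "T")


def directory_rights(ls_mode, dir_owner, dir_group, user, groups):
    """Return what `user` may do to entries of a directory with this mode."""
    actions = ("list", "open_by_name", "create", "delete_own", "delete_others")
    if user == "root":                      # root bypasses the mode bits
        return dict.fromkeys(actions, True)
    classes, sticky = parse_ls_mode(ls_mode)
    if user == dir_owner:
        r, w, x = classes["owner"]
    elif dir_group in groups:
        r, w, x = classes["group"]
    else:
        r, w, x = classes["other"]
    modify = w and x                        # adding/removing entries needs w and x
    return {
        "list": r,                          # enumerating file names needs r
        "open_by_name": x,                  # reaching a file whose name is known needs x
        "create": modify,
        "delete_own": modify,
        # Sticky bit: only the file's owner or the directory's owner may unlink.
        "delete_others": modify and (not sticky or user == dir_owner),
    }


if __name__ == "__main__":
    # Assumed ownership root:root; the post only says the directory has a root owner.
    for who in ("www-data", "root"):
        print(who, directory_rights(SESSION_DIR_MODE, "root", "root", who, (who,)))
```

For www-data the result has "list" false while "open_by_name", "create" and "delete_own" are true, so a process running as www-data can use a session file whose name it already knows but cannot enumerate the directory to find expired ones.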