[Pkg-roundcube-maintainers] Bug#907260: roundcube: database table `session` is never cleaned and grows without limit
Symphorien Gibol
symphorien at xlumurb.eu
Sat Aug 25 15:19:06 BST 2018
Package: roundcube
Version: 1.3.6+dfsg.1-1
Severity: normal
Dear Maintainer,
The table `session` of my roundcube database contained several months
worth of sessions, even though the lifetime of a session is 1200 seconds
(the default I think). This made this sole table more than 100MB.
Actual behavior: the last oldest row in the table is more than 8 months
old.
Expected behavior: the last oldest row in the table is not more than a
few days old (that is a few times $session_lifetime).
The reason for the problem seems to be the following: according to
https://github.com/roundcube/roundcubemail/issues/1864 roundcube relies
on vanilla php session gc. Debian disables it by setting
session.gc_probability to 0 and replaces it by a custom
phpsessionclean.{service,timer}. This script unfortunately only works on
sessions stored as files, and therefore does not clean roundcube
sessions.
I have implemented the following solution: roundcube ships a script to
gc manually: /usr/share/roundcube/bin/gc.sh
Unfortunately this script is slightly broken: when run I get

    ERROR: Configuration error. Unsupported database driver:

According to strace, this script looks for roundcube's configuration
in /usr/share/roundcube/config/ instead of /etc/roundcube

Workaround:

    ln -s /etc/roundcube/ /usr/share/roundcube/config

Similarly, I needed

    ln -s /tmp/ /usr/share/roundcube/temp

Then, bin/gc.sh works and I can make a systemd timer like
phpsessionclean:

# /etc/systemd/system/roundcube-gc.service
[Unit]
Description=Clean roundcube session table

[Service]
User=www-data
Type=oneshot
ExecStart=/usr/share/roundcube/bin/gc.sh
ProtectHome=true
ProtectSystem=true
PrivateTmp=true

# /etc/systemd/system/roundcube-gc.timer
[Unit]
Description=Clean roundcube session table every 30 mins

[Timer]
OnCalendar=*-*-* *:09,39:00
Persistent=true

[Install]
WantedBy=timers.target

I have been unable to trigger session gc by the vanilla php mechanism,
either in the nginx config or in /etc/php/7.2/fpm/php.ini, even with

    session.gc_probability=1
    session.gc_divisor=1

To sum up, it would be nice to fix bin/gc.sh and ship a timer to run it
periodically, possibly by default.
Thanks
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.17.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages roundcube depends on:
ii dpkg 1.19.0.5+b1
ii roundcube-core 1.3.6+dfsg.1-1
roundcube recommends no packages.
roundcube suggests no packages.
Versions of packages roundcube-core depends on:
ii dbconfig-common 2.0.9
ii debconf [debconf-2.0] 1.5.69
ii dpkg 1.19.0.5+b1
ii libmagic1 1:5.34-2
ii php 1:7.2+62
ii php-auth-sasl 1.0.6-3
ii php-common 1:62
ii php-intl 1:7.2+62
ii php-mail-mime 1.10.2-0.1
ii php-net-sieve 1.4.1-1
ii php-net-smtp 1.8.0-1
ii php-net-socket 1.0.14-2
ii php-pear 1:1.10.5+submodules+notgz-1
ii php7.2 [php] 7.2.9-1
ii php7.2-cli [php-cli] 7.2.9-1
ii php7.2-intl [php-intl] 7.2.9-1
ii php7.2-json [php-json] 7.2.9-1
ii roundcube-pgsql 1.3.6+dfsg.1-1
ii ucf 3.0038
Versions of packages roundcube-core recommends:
ii nginx-full [httpd-cgi] 1.13.12-1
ii php-fpm 1:7.2+62
ii php-gd 1:7.2+62
ii php-pspell 1:7.2+62
ii php7.2-fpm [php-fpm] 7.2.9-1
ii php7.2-gd [php-gd] 7.2.9-1
ii php7.2-pspell [php-pspell] 7.2.9-1
Versions of packages roundcube-core suggests:
pn php-crypt-gpg <none>
pn php-net-ldap2 <none>
pn php-net-ldap3 <none>
ii roundcube-plugins 1.3.6+dfsg.1-1
-- debconf information:
roundcube/dbconfig-reinstall: false
roundcube/remote/port:
roundcube/remote/newhost: localhost
roundcube/pgsql/method: TCP/IP
roundcube/dbconfig-upgrade: true
roundcube/pgsql/authmethod-user: password
roundcube/mysql/admin-user:
roundcube/upgrade-error: abort
roundcube/missing-db-package-error: abort
roundcube/reconfigure-webserver: apache2, lighttpd
roundcube/hosts:
roundcube/db/basepath:
roundcube/upgrade-backup: true
roundcube/dbconfig-remove: true
roundcube/remove-error: abort
roundcube/install-error: abort
roundcube/internal/skip-preseed: false
roundcube/pgsql/authmethod-admin: ident
roundcube/language: en_US
roundcube/pgsql/changeconf: false
* roundcube/database-type: pgsql
roundcube/internal/reconfiguring: false
roundcube/db/dbname: roundcube
roundcube/mysql/method: Unix socket
roundcube/db/app-user: roundcube at localhost
roundcube/pgsql/no-empty-passwords:
roundcube/pgsql/manualconf:
roundcube/pgsql/admin-user: postgres
roundcube/restart-webserver: true
* roundcube/remote/host: localhost
roundcube/purge: false
* roundcube/dbconfig-install: true
roundcube/passwords-do-not-match:
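
Added example, not part of the original report and not Roundcube or Debian code: a check that turns the report's "Expected behavior" (no row older than a few times the session lifetime) into something a monitoring job can run once a cleanup timer is in place. The helper names check_sessions and sample_rows, the factor of 3, and the column names sess_id and changed in the commented query are assumptions; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the report): flag rows in Roundcube's `session`
# table that have outlived the cleanup window.
# stdin: one "sess_id epoch_of_last_change" pair per line, for instance from
# (PostgreSQL; column names sess_id and changed are assumptions):
#   psql -At -F' ' roundcube -c \
#     "SELECT sess_id, extract(epoch FROM changed)::bigint FROM session"

# check_sessions NOW LIFETIME FACTOR   (hypothetical helper)
#   NOW      current time in seconds since the epoch
#   LIFETIME session lifetime in seconds
#   FACTOR   number of lifetimes a row may survive before it counts as stale
# Prints a one-line summary. Returns 0 if clean, 1 if stale rows exist,
# 2 if any input line could not be parsed.
check_sessions() {
    awk -v now="$1" -v life="$2" -v factor="$3" '
        NF == 0 { next }                               # ignore blank lines
        NF != 2 || $2 !~ /^[0-9]+$/ { bad++; next }    # malformed row
        {
            total++
            age = now - $2
            if (age > oldest) oldest = age
            if (age > life * factor) stale++
        }
        END {
            if (bad) {
                printf "UNKNOWN: %d unparsable line(s)\n", bad
                exit 2
            }
            if (stale) {
                printf "STALE: %d of %d rows older than %d s (oldest %d s)\n",
                       stale, total, life * factor, oldest
                exit 1
            }
            printf "OK: %d rows, oldest %d s\n", total, oldest
        }'
}

# Constructed sample: two recent rows and one roughly eight months old.
sample_rows() {
    printf 'a1 %d\nb2 %d\nc3 %d\n' \
        "$(($1 - 600))" "$(($1 - 1300))" "$(($1 - 21000000))"
}

# Demo run with the 1200 s lifetime from the report and a factor of 3.
sample_rows 1535206746 | check_sessions 1535206746 1200 3 || true
```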