NYCPHP Meetup

NYPHP.org

.ini config + *nix permissions

Kenneth Dombrowski kenneth at ylayali.net
Sun Feb 2 21:09:00 EST 2003 

Hi,

I've been going over my PHP configuration, and have a few questions 
mostly arising from my general newbieness to linux administration.

My setup consists of a bunch of VirtualHosts, all with pretty much the 
same configuration[1] and directory structure[2]. The development 
machine is running PHP 4.2.3 and the server machine 4.1.2 (debian 
backports 4.2.3-9 & 4.1.2-6 actually); the only difference between their 
configurations is the error handling.

I have a pretty conservative php.ini, figuring it's probably easier to 
never rely on register_globals etc from the start than to have to 
convert scripts later to run on some ISP's virtual host server. I 
incorporated most of the changes from php.ini-recommended (which came 
with the debian source package) & now I'm trying to isolate each of the 
vhosts as much as I can while sticking with mod_php. I plan to implement 
disk quotas so if one vhost goes haywire and starts a logging frenzy, it 
probably won't bring the whole machine down. For this I'm setting each 
VirtualHost's open_basedir option to its own directory, turning on safe 
mode, and moving PHP's error_log to a vhost-specific 'log' directory

It's mostly moving to safe mode that I'm having trouble with...

SAFE_MODE

1. What is the recommended permission/ownership combination for allowing 
uploads/disk writes under safe mode?

I'm having a problem with letting scripts create directories 
recursively. My Apache runs as www-data:www-data, so the script itself 
is owned by anybody but that. (on my development box, it's me, on the 
"live" machine it's root). I've been playing around with some RSS/RDF 
stuff, and I want to cache the pages like this,

   http://www.theregister.co.uk/tonys/slashdot.rdf becomes
   $cache_root/www.theregister.co.uk/tonys/slashdot.rdf

The $cache_root is the directory called 'cache' in [2], below. I've 
tried different combinations of ownership & permissions, and I can allow 
www-data to write to a directory, but not to write to a directory that 
he creates within that directory. For some reason, relaxing 
"safe_mode_gid = On" and `chown -R kenneth:www-data cache; chmod g+s 
cache` doesn't work...

E_ALL

2. With error reporting set to E_ALL on the dev machine, I keep getting 
"Warning: open_basedir restriction in effect. File is in wrong directory 
in /var/www/kuboaa.org/dev/htdocs/portal.php on line 9" even though 
open_basedir is set to "/var/www/kuboaa.org/dev/" and the file i'm 
including lives in "/var/www/kuboaa.org/dev/lib". Since it does in fact 
successfully include the file, I'm guessing this is normal 
extra-verbosity of E_ALL? (i don't think that setting's gonna last long..)

ERROR_LOG

3. Can I change who PHP logs as when log_errors is On?

I'm kind of surprised that writing to error_log doesn't seem to be done 
by the same user as Apache's logging (root). In order to get logging to 
work so far, I've just manually touched the file & made it 
world-writable, which I guess is as safe as allowing uploads, etc, but I 
want to make sure that's the right way to do it before adjusting 
logrotate to maintain those permissions.


SESSIONS/TMP

I hadn't thought of this until I saw Jerry's message from today. In my 
case, session.save_path defaults to /tmp, which is on its own partition, 
so I think the machine itself is pretty much protected from being taken 
down(?), though I guess all the websites using sessions could be 
effectively stopped. I considered moving session.save_path to the (to 
be) vhost-quotaed directory to at least keep a DoS'ed site from 
effecting the others, until I read "If session.save_path's path depth is 
more than 2, garbage collection will not be performed." on the manual's 
ref.session.php page.. anyway, I too would be interested in more about this


Any comments are welcome,

sorry for such a long message...

Kenneth



[1] This is the PHP-relevent sections of my VirtualHost directive block 
on the development box..

<VirtualHost *>
   ServerName local.kuboaa.org
   DocumentRoot /var/www/kuboaa.org/dev/htdocs
   <IfModule mod_php4.c>
     php_value include_path ".:/usr/share/pear:/var/www/kuboaa.org/dev/lib"
     # safe_mode_include_dir = "/usr/share/pear" in httpd.conf
     php_admin_flag safe_mode on
     php_admin_flag safe_mode_gid on
   </IfModule>
   <Location />
     php_admin_value open_basedir "/var/www/kuboaa.org/dev/"
     php_value error_log "/var/www/kuboaa.org/dev/log/phperrors.log"
     php_value upload_tmp_dir "/var/www/kuboaa.org/dev/tmp"
   </Location>
</VirtualHost>


[2] sample VirtualHost directory structure on development machine...

root at enlil:/var/www/kuboaa.org# ls -l dev
total 24
drwxr-xr-x    2 kenneth  kenneth      4096 Jan 30 11:17 CVS
drwxrwxr-x    3 kenneth  www-data     4096 Jan 30 14:05 cache
drwxr-xr-x    5 kenneth  kenneth      4096 Feb  2 14:08 htdocs
drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 11:48 htpasswd
drwxr-xr-x    3 kenneth  kenneth      4096 Jan 30 15:10 lib
drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 14:09 log
drwx------    2 www-data www-data     4096 Feb  2 16:34 tmp

root at enlil:/var/www/kuboaa.org# ls -l dev/log
total 40
-rw-r--r--    1 root     root        29903 Feb  2 14:09 access.log
-rw-r--r--    1 root     root         2228 Feb  2 14:09 error.log
-rw-r--r--    1 root     root            0 Feb  2 14:06 nimda.log
-rw-r--rw-    1 root     root          136 Feb  2 14:09 phperrors.log

More information about the talk mailing list