.ini config + *nix permissions

Kenneth Dombrowski kenneth at
Sun Feb 2 21:09:00 EST 2003


I've been going over my PHP configuration, and have a few questions 
mostly arising from my general newbieness to linux administration.

My setup consists of a bunch of VirtualHosts, all with pretty much the 
same configuration[1] and directory structure[2]. The development 
machine is running PHP 4.2.3 and the server machine 4.1.2 (debian 
backports 4.2.3-9 & 4.1.2-6 actually); the only difference between their 
configurations is the error handling.

I have a pretty conservative php.ini, figuring it's probably easier to 
never rely on register_globals etc from the start than to have to 
convert scripts later to run on some ISP's virtual host server. I 
incorporated most of the changes from php.ini-recommended (which came 
with the debian source package) & now I'm trying to isolate each of the 
vhosts as much as I can while sticking with mod_php. I plan to implement 
disk quotas so if one vhost goes haywire and starts a logging frenzy, it 
probably won't bring the whole machine down. For this I'm setting each 
VirtualHost's open_basedir option to its own directory, turning on safe 
mode, and moving PHP's error_log to a vhost-specific 'log' directory

It's mostly moving to safe mode that I'm having trouble with...


1. What is the recommended permission/ownership combination for allowing 
uploads/disk writes under safe mode?

I'm having a problem with letting scripts create directories 
recursively. My Apache runs as www-data:www-data, so the script itself 
is owned by anybody but that. (on my development box, it's me, on the 
"live" machine it's root). I've been playing around with some RSS/RDF 
stuff, and I want to cache the pages like this, becomes

The $cache_root is the directory called 'cache' in [2], below. I've 
tried different combinations of ownership & permissions, and I can allow 
www-data to write to a directory, but not to write to a directory that 
he creates within that directory. For some reason, relaxing 
"safe_mode_gid = On" and `chown -R kenneth:www-data cache; chmod g+s 
cache` doesn't work...


2. With error reporting set to E_ALL on the dev machine, I keep getting 
"Warning: open_basedir restriction in effect. File is in wrong directory 
in /var/www/ on line 9" even though 
open_basedir is set to "/var/www/" and the file i'm 
including lives in "/var/www/". Since it does in fact 
successfully include the file, I'm guessing this is normal 
extra-verbosity of E_ALL? (i don't think that setting's gonna last long..)


3. Can I change who PHP logs as when log_errors is On?

I'm kind of surprised that writing to error_log doesn't seem to be done 
by the same user as Apache's logging (root). In order to get logging to 
work so far, I've just manually touched the file & made it 
world-writable, which I guess is as safe as allowing uploads, etc, but I 
want to make sure that's the right way to do it before adjusting 
logrotate to maintain those permissions.


I hadn't thought of this until I saw Jerry's message from today. In my 
case, session.save_path defaults to /tmp, which is on its own partition, 
so I think the machine itself is pretty much protected from being taken 
down(?), though I guess all the websites using sessions could be 
effectively stopped. I considered moving session.save_path to the (to 
be) vhost-quotaed directory to at least keep a DoS'ed site from 
effecting the others, until I read "If session.save_path's path depth is 
more than 2, garbage collection will not be performed." on the manual's 
ref.session.php page.. anyway, I too would be interested in more about this

Any comments are welcome,

sorry for such a long message...


[1] This is the PHP-relevent sections of my VirtualHost directive block 
on the development box..

<VirtualHost *>
   DocumentRoot /var/www/
   <IfModule mod_php4.c>
     php_value include_path ".:/usr/share/pear:/var/www/"
     # safe_mode_include_dir = "/usr/share/pear" in httpd.conf
     php_admin_flag safe_mode on
     php_admin_flag safe_mode_gid on
   <Location />
     php_admin_value open_basedir "/var/www/"
     php_value error_log "/var/www/"
     php_value upload_tmp_dir "/var/www/"

[2] sample VirtualHost directory structure on development machine...

root at enlil:/var/www/ ls -l dev
total 24
drwxr-xr-x    2 kenneth  kenneth      4096 Jan 30 11:17 CVS
drwxrwxr-x    3 kenneth  www-data     4096 Jan 30 14:05 cache
drwxr-xr-x    5 kenneth  kenneth      4096 Feb  2 14:08 htdocs
drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 11:48 htpasswd
drwxr-xr-x    3 kenneth  kenneth      4096 Jan 30 15:10 lib
drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 14:09 log
drwx------    2 www-data www-data     4096 Feb  2 16:34 tmp

root at enlil:/var/www/ ls -l dev/log
total 40
-rw-r--r--    1 root     root        29903 Feb  2 14:09 access.log
-rw-r--r--    1 root     root         2228 Feb  2 14:09 error.log
-rw-r--r--    1 root     root            0 Feb  2 14:06 nimda.log
-rw-r--rw-    1 root     root          136 Feb  2 14:09 phperrors.log

More information about the talk mailing list