.ini config + *nix permissions
kenneth at ylayali.net
Sun Feb 2 21:09:00 EST 2003
I've been going over my PHP configuration, and have a few questions
mostly arising from my general newbieness to linux administration.
My setup consists of a bunch of VirtualHosts, all with pretty much the
same configuration and directory structure. The development
machine is running PHP 4.2.3 and the server machine 4.1.2 (debian
backports 4.2.3-9 & 4.1.2-6 actually); the only difference between their
configurations is the error handling.
I have a pretty conservative php.ini, figuring it's probably easier to
never rely on register_globals etc from the start than to have to
convert scripts later to run on some ISP's virtual host server. I
incorporated most of the changes from php.ini-recommended (which came
with the debian source package) & now I'm trying to isolate each of the
vhosts as much as I can while sticking with mod_php. I plan to implement
disk quotas so if one vhost goes haywire and starts a logging frenzy, it
probably won't bring the whole machine down. For this I'm setting each
VirtualHost's open_basedir option to its own directory, turning on safe
mode, and moving PHP's error_log to a vhost-specific 'log' directory
It's mostly moving to safe mode that I'm having trouble with...
1. What is the recommended permission/ownership combination for allowing
uploads/disk writes under safe mode?
I'm having a problem with letting scripts create directories
recursively. My Apache runs as www-data:www-data, so the script itself
is owned by anybody but that. (on my development box, it's me, on the
"live" machine it's root). I've been playing around with some RSS/RDF
stuff, and I want to cache the pages like this,
The $cache_root is the directory called 'cache' in , below. I've
tried different combinations of ownership & permissions, and I can allow
www-data to write to a directory, but not to write to a directory that
he creates within that directory. For some reason, relaxing
"safe_mode_gid = On" and `chown -R kenneth:www-data cache; chmod g+s
cache` doesn't work...
2. With error reporting set to E_ALL on the dev machine, I keep getting
"Warning: open_basedir restriction in effect. File is in wrong directory
in /var/www/kuboaa.org/dev/htdocs/portal.php on line 9" even though
open_basedir is set to "/var/www/kuboaa.org/dev/" and the file i'm
including lives in "/var/www/kuboaa.org/dev/lib". Since it does in fact
successfully include the file, I'm guessing this is normal
extra-verbosity of E_ALL? (i don't think that setting's gonna last long..)
3. Can I change who PHP logs as when log_errors is On?
I'm kind of surprised that writing to error_log doesn't seem to be done
by the same user as Apache's logging (root). In order to get logging to
work so far, I've just manually touched the file & made it
world-writable, which I guess is as safe as allowing uploads, etc, but I
want to make sure that's the right way to do it before adjusting
logrotate to maintain those permissions.
I hadn't thought of this until I saw Jerry's message from today. In my
case, session.save_path defaults to /tmp, which is on its own partition,
so I think the machine itself is pretty much protected from being taken
down(?), though I guess all the websites using sessions could be
effectively stopped. I considered moving session.save_path to the (to
be) vhost-quotaed directory to at least keep a DoS'ed site from
effecting the others, until I read "If session.save_path's path depth is
more than 2, garbage collection will not be performed." on the manual's
ref.session.php page.. anyway, I too would be interested in more about this
Any comments are welcome,
sorry for such a long message...
 This is the PHP-relevent sections of my VirtualHost directive block
on the development box..
php_value include_path ".:/usr/share/pear:/var/www/kuboaa.org/dev/lib"
# safe_mode_include_dir = "/usr/share/pear" in httpd.conf
php_admin_flag safe_mode on
php_admin_flag safe_mode_gid on
php_admin_value open_basedir "/var/www/kuboaa.org/dev/"
php_value error_log "/var/www/kuboaa.org/dev/log/phperrors.log"
php_value upload_tmp_dir "/var/www/kuboaa.org/dev/tmp"
 sample VirtualHost directory structure on development machine...
root at enlil:/var/www/kuboaa.org# ls -l dev
drwxr-xr-x 2 kenneth kenneth 4096 Jan 30 11:17 CVS
drwxrwxr-x 3 kenneth www-data 4096 Jan 30 14:05 cache
drwxr-xr-x 5 kenneth kenneth 4096 Feb 2 14:08 htdocs
drwxr-xr-x 2 kenneth kenneth 4096 Feb 2 11:48 htpasswd
drwxr-xr-x 3 kenneth kenneth 4096 Jan 30 15:10 lib
drwxr-xr-x 2 kenneth kenneth 4096 Feb 2 14:09 log
drwx------ 2 www-data www-data 4096 Feb 2 16:34 tmp
root at enlil:/var/www/kuboaa.org# ls -l dev/log
-rw-r--r-- 1 root root 29903 Feb 2 14:09 access.log
-rw-r--r-- 1 root root 2228 Feb 2 14:09 error.log
-rw-r--r-- 1 root root 0 Feb 2 14:06 nimda.log
-rw-r--rw- 1 root root 136 Feb 2 14:09 phperrors.log
More information about the talk