NYCPHP Meetup

[Hans Zaunere]

--- Kenneth Dombrowski <kenneth at ylayali.net> wrote:
> 
> Hi,
> 
> I've been going over my PHP configuration, and have a few questions 
> mostly arising from my general newbieness to linux administration.
> 
> My setup consists of a bunch of VirtualHosts, all with pretty much the 
> same configuration[1] and directory structure[2]. The development 
> machine is running PHP 4.2.3 and the server machine 4.1.2 (debian 
> backports 4.2.3-9 & 4.1.2-6 actually); the only difference between their 
> configurations is the error handling.
> 
> I have a pretty conservative php.ini, figuring it's probably easier to 
> never rely on register_globals etc from the start than to have to 
> convert scripts later to run on some ISP's virtual host server. I 
> incorporated most of the changes from php.ini-recommended (which came 
> with the debian source package) & now I'm trying to isolate each of the 
> vhosts as much as I can while sticking with mod_php. I plan to implement 
> disk quotas so if one vhost goes haywire and starts a logging frenzy, it 
> probably won't bring the whole machine down. For this I'm setting each 
> VirtualHost's open_basedir option to its own directory, turning on safe 
> mode, and moving PHP's error_log to a vhost-specific 'log' directory
> 
> It's mostly moving to safe mode that I'm having trouble with...
> 
> SAFE_MODE
> 
> 1. What is the recommended permission/ownership combination for allowing 
> uploads/disk writes under safe mode?
> 
> I'm having a problem with letting scripts create directories 
> recursively. My Apache runs as www-data:www-data, so the script itself 
> is owned by anybody but that. (on my development box, it's me, on the 
> "live" machine it's root).

I'd hesitate having anything owned by root.  Although there is no immeditatly
apparent issues, UNIX security falls apart when it sees a UID of 0.  I
generally have Apache run as another user (www-data in your case) then set
the scripts owned by another user and apache's group, with g+r so that apache
can read them.

> I've been playing around with some RSS/RDF 
> stuff, and I want to cache the pages like this,
> 
>    http://www.theregister.co.uk/tonys/slashdot.rdf becomes
>    $cache_root/www.theregister.co.uk/tonys/slashdot.rdf
> 
> The $cache_root is the directory called 'cache' in [2], below. I've 
> tried different combinations of ownership & permissions, and I can allow 
> www-data to write to a directory, but not to write to a directory that 
> he creates within that directory. For some reason, relaxing 
> "safe_mode_gid = On" and `chown -R kenneth:www-data cache; chmod g+s 
> cache` doesn't work...

Although I'm not 100%, safe_mode_gid may only examine the user's primary
group (not the additional groups listed in id username for example). 
Although be careful with the +s bit as some strange behavior can occur (see
man 1 chmod and man 2 chmod).

> E_ALL
> 
> 2. With error reporting set to E_ALL on the dev machine, I keep getting 
> "Warning: open_basedir restriction in effect. File is in wrong directory 
> in /var/www/kuboaa.org/dev/htdocs/portal.php on line 9" even though 
> open_basedir is set to "/var/www/kuboaa.org/dev/" and the file i'm 
> including lives in "/var/www/kuboaa.org/dev/lib". Since it does in fact 
> successfully include the file, I'm guessing this is normal 
> extra-verbosity of E_ALL? (i don't think that setting's gonna last long..)

Odd behavior... be aware of what context PHP directives can be set in (system
wide, directory wide, etc:
http://www.php.net/manual/en/features.safe-mode.php and
http://www.php.net/manual/en/configuration.changes.php).  I've run into
trouble with getting these all right.

> ERROR_LOG
> 
> 3. Can I change who PHP logs as when log_errors is On?

I don't believe so... not without something like suEXEC for Apache.

> I'm kind of surprised that writing to error_log doesn't seem to be done 
> by the same user as Apache's logging (root). In order to get logging to 
> work so far, I've just manually touched the file & made it 
> world-writable, which I guess is as safe as allowing uploads, etc, but I 
> want to make sure that's the right way to do it before adjusting 
> logrotate to maintain those permissions.
> 
> 
> SESSIONS/TMP
> 
> I hadn't thought of this until I saw Jerry's message from today. In my 
> case, session.save_path defaults to /tmp, which is on its own partition, 
> so I think the machine itself is pretty much protected from being taken 
> down(?), though I guess all the websites using sessions could be 
> effectively stopped. I considered moving session.save_path to the (to 
> be) vhost-quotaed directory to at least keep a DoS'ed site from 
> effecting the others, until I read "If session.save_path's path depth is 
> more than 2, garbage collection will not be performed." on the manual's 
> ref.session.php page.. anyway, I too would be interested in more about this
> 
> 
> Any comments are welcome,
> 
> sorry for such a long message...
> 
> Kenneth
> 
> 
> 
> [1] This is the PHP-relevent sections of my VirtualHost directive block 
> on the development box..
> 
> <VirtualHost *>
>    ServerName local.kuboaa.org
>    DocumentRoot /var/www/kuboaa.org/dev/htdocs
>    <IfModule mod_php4.c>
>      php_value include_path ".:/usr/share/pear:/var/www/kuboaa.org/dev/lib"
>      # safe_mode_include_dir = "/usr/share/pear" in httpd.conf
>      php_admin_flag safe_mode on
>      php_admin_flag safe_mode_gid on
>    </IfModule>
>    <Location />
>      php_admin_value open_basedir "/var/www/kuboaa.org/dev/"
>      php_value error_log "/var/www/kuboaa.org/dev/log/phperrors.log"
>      php_value upload_tmp_dir "/var/www/kuboaa.org/dev/tmp"
>    </Location>
> </VirtualHost>

I've found it's better to use <Directory directives whereever possible.

> [2] sample VirtualHost directory structure on development machine...
> 
> root at enlil:/var/www/kuboaa.org# ls -l dev
> total 24
> drwxr-xr-x    2 kenneth  kenneth      4096 Jan 30 11:17 CVS
> drwxrwxr-x    3 kenneth  www-data     4096 Jan 30 14:05 cache
> drwxr-xr-x    5 kenneth  kenneth      4096 Feb  2 14:08 htdocs
> drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 11:48 htpasswd
> drwxr-xr-x    3 kenneth  kenneth      4096 Jan 30 15:10 lib
> drwxr-xr-x    2 kenneth  kenneth      4096 Feb  2 14:09 log
> drwx------    2 www-data www-data     4096 Feb  2 16:34 tmp
> 
> root at enlil:/var/www/kuboaa.org# ls -l dev/log
> total 40
> -rw-r--r--    1 root     root        29903 Feb  2 14:09 access.log
> -rw-r--r--    1 root     root         2228 Feb  2 14:09 error.log
> -rw-r--r--    1 root     root            0 Feb  2 14:06 nimda.log
> -rw-r--rw-    1 root     root          136 Feb  2 14:09 phperrors.log


Best,

H