[nycphp-talk] .ini config + *nix permissions
zaunere at yahoo.com
Mon Feb 3 23:21:42 EST 2003
--- Kenneth Dombrowski <kenneth at ylayali.net> wrote:
> I've been going over my PHP configuration, and have a few questions
> mostly arising from my general newbieness to linux administration.
> My setup consists of a bunch of VirtualHosts, all with pretty much the
> same configuration and directory structure. The development
> machine is running PHP 4.2.3 and the server machine 4.1.2 (debian
> backports 4.2.3-9 & 4.1.2-6 actually); the only difference between their
> configurations is the error handling.
> I have a pretty conservative php.ini, figuring it's probably easier to
> never rely on register_globals etc from the start than to have to
> convert scripts later to run on some ISP's virtual host server. I
> incorporated most of the changes from php.ini-recommended (which came
> with the debian source package) & now I'm trying to isolate each of the
> vhosts as much as I can while sticking with mod_php. I plan to implement
> disk quotas so if one vhost goes haywire and starts a logging frenzy, it
> probably won't bring the whole machine down. For this I'm setting each
> VirtualHost's open_basedir option to its own directory, turning on safe
> mode, and moving PHP's error_log to a vhost-specific 'log' directory
> It's mostly moving to safe mode that I'm having trouble with...
> 1. What is the recommended permission/ownership combination for allowing
> uploads/disk writes under safe mode?
> I'm having a problem with letting scripts create directories
> recursively. My Apache runs as www-data:www-data, so the script itself
> is owned by anybody but that. (on my development box, it's me, on the
> "live" machine it's root).
I'd hesitate having anything owned by root. Although there is no immeditatly
apparent issues, UNIX security falls apart when it sees a UID of 0. I
generally have Apache run as another user (www-data in your case) then set
the scripts owned by another user and apache's group, with g+r so that apache
can read them.
> I've been playing around with some RSS/RDF
> stuff, and I want to cache the pages like this,
> http://www.theregister.co.uk/tonys/slashdot.rdf becomes
> The $cache_root is the directory called 'cache' in , below. I've
> tried different combinations of ownership & permissions, and I can allow
> www-data to write to a directory, but not to write to a directory that
> he creates within that directory. For some reason, relaxing
> "safe_mode_gid = On" and `chown -R kenneth:www-data cache; chmod g+s
> cache` doesn't work...
Although I'm not 100%, safe_mode_gid may only examine the user's primary
group (not the additional groups listed in id username for example).
Although be careful with the +s bit as some strange behavior can occur (see
man 1 chmod and man 2 chmod).
> 2. With error reporting set to E_ALL on the dev machine, I keep getting
> "Warning: open_basedir restriction in effect. File is in wrong directory
> in /var/www/kuboaa.org/dev/htdocs/portal.php on line 9" even though
> open_basedir is set to "/var/www/kuboaa.org/dev/" and the file i'm
> including lives in "/var/www/kuboaa.org/dev/lib". Since it does in fact
> successfully include the file, I'm guessing this is normal
> extra-verbosity of E_ALL? (i don't think that setting's gonna last long..)
Odd behavior... be aware of what context PHP directives can be set in (system
wide, directory wide, etc:
http://www.php.net/manual/en/configuration.changes.php). I've run into
trouble with getting these all right.
> 3. Can I change who PHP logs as when log_errors is On?
I don't believe so... not without something like suEXEC for Apache.
> I'm kind of surprised that writing to error_log doesn't seem to be done
> by the same user as Apache's logging (root). In order to get logging to
> work so far, I've just manually touched the file & made it
> world-writable, which I guess is as safe as allowing uploads, etc, but I
> want to make sure that's the right way to do it before adjusting
> logrotate to maintain those permissions.
> I hadn't thought of this until I saw Jerry's message from today. In my
> case, session.save_path defaults to /tmp, which is on its own partition,
> so I think the machine itself is pretty much protected from being taken
> down(?), though I guess all the websites using sessions could be
> effectively stopped. I considered moving session.save_path to the (to
> be) vhost-quotaed directory to at least keep a DoS'ed site from
> effecting the others, until I read "If session.save_path's path depth is
> more than 2, garbage collection will not be performed." on the manual's
> ref.session.php page.. anyway, I too would be interested in more about this
> Any comments are welcome,
> sorry for such a long message...
>  This is the PHP-relevent sections of my VirtualHost directive block
> on the development box..
> <VirtualHost *>
> ServerName local.kuboaa.org
> DocumentRoot /var/www/kuboaa.org/dev/htdocs
> <IfModule mod_php4.c>
> php_value include_path ".:/usr/share/pear:/var/www/kuboaa.org/dev/lib"
> # safe_mode_include_dir = "/usr/share/pear" in httpd.conf
> php_admin_flag safe_mode on
> php_admin_flag safe_mode_gid on
> <Location />
> php_admin_value open_basedir "/var/www/kuboaa.org/dev/"
> php_value error_log "/var/www/kuboaa.org/dev/log/phperrors.log"
> php_value upload_tmp_dir "/var/www/kuboaa.org/dev/tmp"
I've found it's better to use <Directory directives whereever possible.
>  sample VirtualHost directory structure on development machine...
> root at enlil:/var/www/kuboaa.org# ls -l dev
> total 24
> drwxr-xr-x 2 kenneth kenneth 4096 Jan 30 11:17 CVS
> drwxrwxr-x 3 kenneth www-data 4096 Jan 30 14:05 cache
> drwxr-xr-x 5 kenneth kenneth 4096 Feb 2 14:08 htdocs
> drwxr-xr-x 2 kenneth kenneth 4096 Feb 2 11:48 htpasswd
> drwxr-xr-x 3 kenneth kenneth 4096 Jan 30 15:10 lib
> drwxr-xr-x 2 kenneth kenneth 4096 Feb 2 14:09 log
> drwx------ 2 www-data www-data 4096 Feb 2 16:34 tmp
> root at enlil:/var/www/kuboaa.org# ls -l dev/log
> total 40
> -rw-r--r-- 1 root root 29903 Feb 2 14:09 access.log
> -rw-r--r-- 1 root root 2228 Feb 2 14:09 error.log
> -rw-r--r-- 1 root root 0 Feb 2 14:06 nimda.log
> -rw-r--rw- 1 root root 136 Feb 2 14:09 phperrors.log
More information about the talk