[PHP] Weird open_basedir behaviour

2003-11-21 Thread Tim Garton 
I'm not sure if I have something misconfigured with this one or what, 
but I keep having odd open_basedir problems with my webserver.  i'm 
running apache 2.0.48 with php 4.3.4.  i have a number of virtual hosts, 
the following being an excerpt from the apache config:

 

ServerName www.hightechhigh.org 

ServerAlias hightechhigh.org www 

#php_admin_value open_basedir /www/htdocs:/tmp 

 





 

ServerName plato.hightechhigh.org 

ServerAlias plato plato.ntc.hightechhigh.org 

DocumentRoot /www/platohtdocs 

ErrorLog logs/plato-error_log 

CustomLog logs/plato-access_log combined 

#php_admin_value display_errors On 



 




ServerName staff.hightechhigh.org
ServerAlias staff
DocumentRoot /www/platohtdocs
ErrorLog logs/plato-error_log
CustomLog logs/plato-access_log combined
UserDir /home/staff/*
php_admin_value open_basedir .:/tmp


ServerName students.hightechhigh.org
ServerAlias students
DocumentRoot /www/platohtdocs
ErrorLog logs/plato-error_log
CustomLog logs/plato-access_log combined
UserDir /home/students/*
php_admin_value open_basedir .:/tmp
#php_admin_value display_errors On

...
periodically when i hit one of the pages on the main site, i get a blank 
page, and the following shows up in the error log:

# tail error_log
[client 172.16.10.14] PHP Warning:  main(): open_basedir restriction in 
effect. File(/www/htdocs/common/template.php) is not within the allowed 
path(s): (.:/tmp) in /www/htdocs/schoolinfo/calendar.php on line 2

[client 172.16.10.14] PHP Warning: 
main(/www/htdocs/common/template.php): failed to open stream: Operation 
not permitted in /www/htdocs/schoolinfo/calendar.php on line 2

[client 172.16.10.14] PHP Fatal error:  main(): Failed opening required 
'/www/htdocs/common/template.php' 
(include_path='.:/usr/local/apache2/php/lib/php') in 
/www/htdocs/schoolinfo/calendar.php on line 2

When this happens, I can hit reload and tha page will pop up fine.

I have open_basedir commented out in the php.ini file.  it seems like 
php is picking up the open_basedir value from one virtual host and 
applying it to a different virtual host, some of the time.  any help 
would be appreciated.  if this is a bug, is it in php or apache, and if 
php how do i submit a bug report?  if it matters, this is running on a 
dual pentium 3 machine with linux 2.4.21, apache and php compiled from 
source, with the following commands:

./configure --with-ldap --enable-ldap --enable-auth-ldap --enable-so 
--enable-ssl

./configure --prefix=/usr/local/apache2/php 
--with-apxs2=/usr/local/apache2/bin/apxs 
--with-config-file-path=/usr/local/apache2/php 
--with-mysql=/usr/local/mysql --with-ldap

tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] looking for some software (helpdesk, intranet)

2003-11-21 Thread Tim Garton 
RT can be difficult to install, and uses perl rather than php, just fyi. 
 if you do decide to go with it, when i set it up on a redhat 9 box i 
had to reinstall perl from source due to a bug in the stock perl shipped 
with rh 9.

tim

Gabriel Guzman wrote:
On Friday 21 November 2003 04:01 pm, Richard Baskett wrote:

on 11/21/03 15:49, Chris W. Parker at [EMAIL PROTECTED] wrote:

I'm looking for some helpdesk software and some intranet software with a
MySQL backend.


RT...   http://bestpractical.com/

gabe. 
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: Running PHP for different virtual domains on different Apaches

2003-11-22 Thread Tim Garton 
Philip Mak wrote:

Something that I wrote recently that I thought may be of general
interest for system administrators running PHP:
The web server runs on port 80, with the priviledges of the username
"apache". On most webhosts that support PHP, this web server executes
the PHP scripts. The PHP scripts would thus all run under the same
username.
Problem #1 is that a single web server generally services multiple
websites. Under the common setup, all of their PHP scripts will run
under the common "apache" username. This is a security flaw, because a
programmer for a website would be able to read the PHP scripts of any
other website, and probably also gain access to any databases or files
that those scripts make use of. Most webhosts probably get away with
this since one can only exploit this if they have an account on the
server, can only attack other websites on the server, and most people
aren't skilled/devious enough to do this.
check out php_admin_value open_basedir, should solve this.  allows you 
to specify what directory's a php script can read from.

Problem #2 is that the use of PHP makes each Apache process consume
more memory. The process consumes more memory even when it is serving
static (non-PHP) files such as a JPG. It would be more efficient to
have a pool of small processes serving static files, and some larger
processes serving the PHP scripts.
can't think of any other way to solve this problem than what you've done.

So on my server, the main web server on port 80 does not run PHP.
Rather, the client has a private PHP-enabled Apache that listens on
localhost port 8024. This private Apache runs under the priviledges of
the client's UNIX account, and only serves pages from the client's
domain.  Whenever the main Apache receives a request that requires PHP
to service(*), it will proxy the request to the PHP-enabled Apache.
This solves problems #1 and #2 above.
However, (*) is a bit problematic. Consider the following URLs:

(a) http://www.domain.org/page.php
(b) http://www.domain.org/page.html
(c) http://www.domain.org/image.jpg
(d) http://www.domain.org/
(a) should obviously be proxied, since it ends in .php and thus must
be a PHP script. (b) and (c) have obvious static file extensions, so
should not be proxied. But what about (d)? It could be either
index.php or index.html, but this can't be determined just from
pattern matching on the URL.
I came up with a recipe in httpd.conf to account for case (d): In the
case of a request to a directory, it will proxy if and only if
index.php exists.
RewriteEngine On
# Proxy any request to *.php
RewriteRule (.*)\.php$ http://127.0.0.1:8024$1.php [l,p]
# Proxy any request to a directory if index.php exists
RewriteCond %{REQUEST_URI} /$
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}index.php -f
RewriteRule (.*) http://127.0.0.1:8024$1 [l,p]
where http://127.0.0.1:8024 is the address to the backend PHP.

%{DOCUMENT_ROOT} could be replaced with another directory path, if the
PHP scripts are kept in a separate directory tree. Note that the
RewriteCond -f means that the "apache" user will need to be able to
list the files in the directory (but does not need read access to the
files themselves). If more security is needed, the PHP files could be
kept in a separate tree (configured as the DocumentRoot on the private
Apache), and:
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}index.php -f

could be replaced with a directive that determines whether the
frontend Apache can handle the indexing for the directory (e.g. if
index.html exists, or index.shtml, etc.), and not proxy if that is the
case, and proxy otherwise.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php