OpenVISP

User Tools

Site Tools

You are here: OpenVISP » mod_vhs » php
Trace: php
mod_vhs:php

Table of Contents

mod_vhs PHP Configuration

Note that PHP configuration is enabled uppon compilation. You will have to enable HAVE_MOD_PHP_SUPPORT in Makefile , uses zend_alter_ini_entry() to change on the fly parameters like you can do with php.ini entry.

mod_vhs php configuration directives

There is several directives (see README file for more) :

  • vhs_PHPsafe_mode
  • vhs_PHPopen_basedir with
    • vhs_open_basedir_path
    • vhs_append_open_basedir
  • vhs_PHPdisplay_errors

and

  • vhs_PHPopt_fromdb

How are evaluated php configuration directives ?

They are evaluated in this order (if they are enabled) :

  1. vhs_PHPsafe_mode
  2. vhs_PHPopen_basedir (and also vhs_open_basedir_path / vhs_append_open_basedir)
  3. vhs_PHPdisplay_errors
  4. vhs_PHPopt_fromdb

You have to know this order of evaluation if you don't have brain damage when you use vhs_PHPopt_fromdb and security problems that you can have because of this order of evaluation.

Why there can be a security problem ?

vhs_PHPopt_fromdb is evaluated at the end of PHP autoconfiguration. If you set : 

 
vhs_PHPsafe_mode On

And in the field used by vhs_PHPopt_fromdb : safe_mode=Off;

Then the configuration of PHP will be safe_mode=Off.

vhs_PHPopt_fromdb will ALLWAY HAVE THE LAST WORD_ in terms of PHP configuration.

This is NOT a bug, but a feature. So you need to be 100% sure the php autoconfiguration from DB will be set to people you trust in terms of security.

vhs_PHPopt_fromdb format

mod_vhs will take his parameters from libhome or mod_ldap/mod_dbd backend using passwd field.

The format is : 

<parameter>=<value>;<parameter>=<value>;

With :

* <parameter> = php.ini parameter (like safe_mode for example) * <value> = php.ini value of this parameter (On for example)

WARNINGS :

  1. you MUST NOT add space or forgot a ”;” at the end of ligne CR / LF are passed as is to PHP. So double check the entries in database.
  2. If you don't have anything in you “passwd” entry libhome will not return anything from DB because this can be a null password. So add an default string when php options are not used (like for example “*”).
  3. If parameter is boolean (eg On / Off) you have to write in DB using 1 / 0 instead eg :
On  = 1
Off = 0

IMPORTANT NOTE

Since mod_vhs use Zend functions to change the php ini values, you NEED to load mod_php before mod_vhs otherwise errors like : 

Syntax error on line 269 of /etc/apache/httpd.conf:
Cannot load /usr/libexec/apache/mod_vhs.so into server: /usr/libexec/apache/mod_vhs.so: undefined symbol: zend_alter_ini_entry

Conclusion

vhs_PHPopt_fromdb can only configure php.ini values like foo=value, but it cannot configure specific section of php.ini (eg [mysql] for example). So you'll have to keep that in mind when designing your system.

mod_vhs/php.txt · Last modified: 2009/05/24 14:20 by kiwi

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
CC Attribution-Noncommercial-Share Alike 3.0 Unported Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki