[php-maint] Bug#674091: Bug#674091: php5: support configuration sets

Ondřej Surý ondrej at debian.org
Wed May 23 10:21:31 UTC 2012


forcemerge 505743 674091
thank you

/etc/php5/[SAPI]/conf.d is already used, so I don't really understand:
what do you really propose? Have you checked the actual configuration
before filing this bug?

# php5 --ini
Configuration File (php.ini) Path: /etc/php5/cli
Loaded Configuration File:         /etc/php5/cli/php.ini
Scan for additional .ini files in: /etc/php5/cli/conf.d
Additional .ini files parsed:      /etc/php5/cli/conf.d/10-pdo.ini

/etc/php5/[SAPI]/conf.d/ is really a symlink to ../conf.d/, but that
can be easily changed by the local administrator.

We will ship wheezy with just this enhancement (php5{en,dis}mod), and
re-think if we can make the SAPIxEXT matrix easy enough to handle.

And you are of course free to create whatever messy config directory
structure you like.

O.
P.S.: Ignoring the 'oh-PHP-is-so-insecure' rant...

On Wed, May 23, 2012 at 3:26 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> Package: php5
> Severity: wishlist
>
>
> Hi.
>
> This is basically regardless of the chosen SAPI, although it may
> make the most sense with CGI.
>
> Given that PHP is so inherently insecure, it's reasonable to tighten
> the PHP configuration for each PHP program (e.g. forum, davical, etc.)
> as far as possible.
> One should also choose to execute each PHP program under a different
> user, which is why the apache php module and FastCGI are really
> horrible from a security point of view.
>
> Nevertheless....
>
> 1) Given that you've introduced /etc/php5/mods-available
> I'd like to propose the following changes/definitions:
> - /etc/php5/[SAPI]/
>  contains _GLOBAL_ configuration for the respective SAPI
>  which is (directly, in the sense of the file pathname) read by php.
>  most notably, of course, the respective php.ini
>
> - /etc/php5/mods-available
>  contains config snippets from modules
>  which are NOT (directly) read by php.
>
> - /etc/php5/conf.d
>  should be dropped and moved to /etc/php5/[SAPI]/conf.d
>
> That has the advantage that all config is in one tree.
> If no modifications are required for a given SAPI, one can simply
> symlink to the respective files in mods-available.
>
>
> Now php may be used in many places, not just webservers... and even if
> used in a webserver... there may be different PHP configuration for
> different URI spaces (even in the same vhost).
>
> Therefore, while the above /etc/php5/[SAPI]/ contains all default configs/modules:
> - /etc/php5/custom/ should be a tree where the user is allowed to add any
> non default configuration used anywhere.
> I have for example something like:
> ├── custom
> │   └── www
> │       └── virtual-hosts
> │           └── example.org
> │               ├── forum
> │               │   ├── cgi
> │               │   │   ├── php.local.ini -> ../php.local.ini
> │               │   │   ├── suhosin.ini -> ../suhosin.ini
> │               │   │   └── suhosin.local.ini -> ../suhosin.local.ini
> │               │   ├── php.local.ini
> │               │   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
> │               │   └── suhosin.local.ini
> │               └── calendars
> │                   ├── cgi
> │                   │   ├── pdo.ini -> ../pdo.ini
> │                   │   ├── pdo_pgsql.ini -> ../pdo_pgsql.ini
> │                   │   ├── pgsql.ini -> ../pgsql.ini
> │                   │   ├── php.local.ini -> ../php.local.ini
> │                   │   ├── suhosin.ini -> ../suhosin.ini
> │                   │   └── suhosin.local.ini -> ../suhosin.local.ini
> │                   ├── pdo.ini -> /etc/php5/conf.d/pdo.ini
> │                   ├── pdo_pgsql.ini -> /etc/php5/conf.d/pdo_pgsql.ini
> │                   ├── pgsql.ini -> /etc/php5/conf.d/pgsql.ini
> │                   ├── php.local.ini
> │                   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
> │                   └── suhosin.local.ini
>
>
> with different php.inis and different module configs for different paths.
>
>
> As I noted in a recent bug, the PHP_INI_SCAN_DIR which you set per default
> now to /etc/php5/conf.d can be used to point to these directories
> where custom configuration can be applied.
> If the user resets PHP_INI_SCAN_DIR that default (/etc/php5/conf.d)
> will no longer be read...
>
>
> Cheers,
> Chris.
>
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>



-- 
Ondřej Surý <ondrej at sury.org>
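
An audit for the PHP_INI_SCAN_DIR caveat raised at the end of the quoted report (once the variable points at a custom directory, the default /etc/php5/conf.d is no longer read), as an added example that is not part of either message or of the Debian packaging. The function names and the temporary directory tree are constructed for illustration; the file names follow the layout shown in the report.

```shell
#!/bin/sh
# Added example: compare a per-application scan directory with the default
# one, so snippets silently dropped by resetting PHP_INI_SCAN_DIR show up.

# audit_scan_dir DEFAULT_DIR CUSTOM_DIR prints one finding per line:
#   MISSING <name>   snippet in DEFAULT_DIR that CUSTOM_DIR does not carry
#   DANGLING <name>  symlink in CUSTOM_DIR whose target no longer exists
#   LOCAL <name>     snippet that exists only in CUSTOM_DIR
audit_scan_dir() {
    default_dir=$1
    custom_dir=$2
    for f in "$default_dir"/*.ini; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        name=${f##*/}
        if [ ! -e "$custom_dir/$name" ] && [ ! -L "$custom_dir/$name" ]; then
            echo "MISSING $name"
        fi
    done
    for f in "$custom_dir"/*.ini; do
        # -L also matches symlinks whose target is gone
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING $name"
        elif [ ! -e "$default_dir/$name" ]; then
            echo "LOCAL $name"
        fi
    done
}

# Constructed sample tree (temp dir, not the real /etc/php5): the forum's
# scan dir links suhosin.ini, omits pdo.ini, and has one stale symlink.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/conf.d" "$root/custom/forum/cgi"
    for m in pdo suhosin; do : > "$root/conf.d/$m.ini"; done
    ln -s "$root/conf.d/suhosin.ini" "$root/custom/forum/cgi/suhosin.ini"
    ln -s "$root/conf.d/gone.ini" "$root/custom/forum/cgi/gone.ini"
    : > "$root/custom/forum/cgi/php.local.ini"
    audit_scan_dir "$root/conf.d" "$root/custom/forum/cgi"
    rm -rf "$root"
}

demo
```

A MISSING line is not necessarily a fault, since omitting modules per application is the point of the layout; it is the list to review before pointing PHP_INI_SCAN_DIR at the custom directory.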




