Package: php5
Severity: wishlist
Hi.

This is basically regardless of the chosen SAPI, although it may make the most sense with CGI.

Given that PHP is so inherently insecure, it's reasonable to tighten the PHP configuration for each PHP program (e.g. forum, davical, etc.) as far as possible. One should also choose to execute each PHP program under a different user, which is why the apache php module and FastCGI are really horrible from a security point of view.

Nevertheless....

1) Given that you've introduced /etc/php5/mods-available I'd like to propose the following changes/definitions:
- /etc/php5/[SAPI]/ contains _GLOBAL_ configuration for the respective SAPI which is (directly, in the sense of the file pathname) read by php. Most notably, of course, the respective php.ini
- /etc/php5/mods-available contains config snippets from modules which are NOT (directly) read by php.
- /etc/php5/conf.d should be dropped and moved to /etc/php5/[SAPI]/conf.d

That has the advantage that all config is in one tree. If no modifications are required for a given SAPI, one can simply symlink to the respective files in mods-available.

Now php may be used in many places, not just webservers... and even if used in a webserver... there may be different PHP configuration for different URI spaces (even in the same vhost). Therefore, while the above /etc/php5/[SAPI]/ contains all default configs/modules:
- /etc/php5/custom/ should be a tree where the user is allowed to add any non default configuration used anywhere.
I have for example something like:

├── custom
│   └── www
│       └── virtual-hosts
│           └── example.org
│               ├── forum
│               │   ├── cgi
│               │   │   ├── php.local.ini -> ../php.local.ini
│               │   │   ├── suhosin.ini -> ../suhosin.ini
│               │   │   └── suhosin.local.ini -> ../suhosin.local.ini
│               │   ├── php.local.ini
│               │   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│               │   └── suhosin.local.ini
│               └── calendars
│                   ├── cgi
│                   │   ├── pdo.ini -> ../pdo.ini
│                   │   ├── pdo_pgsql.ini -> ../pdo_pgsql.ini
│                   │   ├── pgsql.ini -> ../pgsql.ini
│                   │   ├── php.local.ini -> ../php.local.ini
│                   │   ├── suhosin.ini -> ../suhosin.ini
│                   │   └── suhosin.local.ini -> ../suhosin.local.ini
│                   ├── pdo.ini -> /etc/php5/conf.d/pdo.ini
│                   ├── pdo_pgsql.ini -> /etc/php5/conf.d/pdo_pgsql.ini
│                   ├── pgsql.ini -> /etc/php5/conf.d/pgsql.ini
│                   ├── php.local.ini
│                   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│                   └── suhosin.local.ini

with different php.inis and different module configs for different paths.

As I noted in a recent bug, the PHP_INI_SCAN_DIR which you set per default now to /etc/php5/conf.d can be used to point to these directories where custom configuration can be applied. If the user resets PHP_INI_SCAN_DIR that default (/etc/php5/conf.d) will no longer be read...

Cheers,
Chris.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
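Added example (not part of the original report, and not Debian's or PHP's own tooling): since a reset PHP_INI_SCAN_DIR means the default /etc/php5/conf.d is no longer read, every module config an application relies on has to be reachable from its own scan directory. The script below rebuilds the forum/cgi part of the tree under a temporary root and reports what each entry resolves to, flagging symlinks whose target is gone. Assumptions: the files are constructed, $root/conf.d stands in for /etc/php5/conf.d, and the function names build_demo_tree and audit_scan_dir are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the forum/ part of the tree in the report.
# "$1/conf.d" plays the role of /etc/php5/conf.d (assumption for the demo).
build_demo_tree() {
    _root=$1
    _app="$_root/custom/www/virtual-hosts/example.org/forum"
    mkdir -p "$_root/conf.d" "$_app/cgi"
    echo '; constructed module config' > "$_root/conf.d/suhosin.ini"
    echo '; constructed per-app php settings' > "$_app/php.local.ini"
    echo '; constructed per-app suhosin settings' > "$_app/suhosin.local.ini"
    ln -s "$_root/conf.d/suhosin.ini" "$_app/suhosin.ini"
    for _n in php.local.ini suhosin.ini suhosin.local.ini; do
        ln -s "../$_n" "$_app/cgi/$_n"
    done
}

# Print one line per *.ini entry in scan directory $1, in glob (sorted) order.
# Returns 1 if any symlink is dangling, 2 if $1 is not a directory.
# Assumes a readlink that supports -f (GNU coreutils).
audit_scan_dir() {
    _dir=$1
    _rc=0
    [ -d "$_dir" ] || { echo "ERROR not a directory: $_dir"; return 2; }
    for _f in "$_dir"/*.ini; do
        _name=${_f##*/}
        if [ -L "$_f" ] && [ ! -e "$_f" ]; then
            echo "DANGLING $_name"   # target missing: its settings cannot be loaded
            _rc=1
        elif [ -L "$_f" ]; then
            echo "LINK $_name -> $(readlink -f "$_f")"
        elif [ -f "$_f" ]; then
            echo "FILE $_name"
        fi                           # an unmatched glob falls through silently
    done
    return $_rc
}

# Demo run on the constructed tree.
demo_root=$(mktemp -d)
build_demo_tree "$demo_root"
audit_scan_dir "$demo_root/custom/www/virtual-hosts/example.org/forum/cgi"
rm -rf "$demo_root"
```

A non-zero return from audit_scan_dir is the signal to check before pointing PHP_INI_SCAN_DIR at the directory, for example after a package upgrade moves or removes a file the links point to.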

