ID:               37759
 Updated by:       [EMAIL PROTECTED]
 Reported By:      christian dot schaffer at muenchen dot de
 Status:           Bogus
 Bug Type:         OCI8 related
 Operating System: Solaris 10
 PHP Version:      5.1.4
 New Comment:

>1) Join apache user to oinstall group
I think this is the best solution.
At least, it's much better than changing ORACLE_HOME to be
world-readable from a security point of view.

I'd also suggest you use Oracle Instant Client, which doesn't
require ORACLE_HOME at all.


Previous Comments:
------------------------------------------------------------------------

[2006-08-09 12:55:10] christian dot schaffer at muenchen dot de

Oracle usually provides binaries for a choice of operating systems. The
versions may differ in some aspects. Therefore, the following is
applicable for Oracle Client 10.2.x on Solaris 10 (x64) only:
In 10.2.x, the directories below $ORACLE_HOME were not world readable
any more. Users other than root or the oracle owner are not able to
change into directories below $ORACLE_HOME, including the apache user
"nobody".
[oracle/lib] # ll
Gesamt 298260
drwxr-x---   3 oracle   oinstall    2560 Aug  3 11:09 .
drwxr-x---  35 oracle   oinstall    1024 Aug  3 11:09 ..

Hence, building PHP 5.1.4 with oci8 support as root succeeded, because
root is able to read into $ORACLE_HOME/lib during compile.

On the contrary, using oci8 functionality as nobody was not possible,
because "nobody" is not allowed to read into the libs residing in e.g.
$ORACLE_HOME/lib.

There are various ways of working around this issue:
1) Join apache user to oinstall group
This was discussed earlier in bug reports. I personally am not very
fond of this workaround, though there probably won't be a high security
risk.
2) Change directory permissions manually
This was proposed by Oracle Support. I actually don't like this idea
too much either, because I don't tend to mess with installations of
closed source software. Someone certainly had reasons to do it the way
it is done. Furthermore, no one was able to tell me which directories
to change permissions of.
3) Apply patch delivered by Oracle
This is the solution I like the most. Obviously, the problem occurred
on other platforms already, because there are patches available.
Unfortunately, for the Solaris 10 (x64) version, there is no patch
available yet. Therefore, Oracle filed a One Off Backport request for
me. The patch is under development at the moment.

To get my system running, I went back to Oracle Client 10.1.0.3. In this
version, the directory permissions are set as follows:
[oracle/lib] # ll
Gesamt 298260
drwxr-xr-x   3 oracle   oinstall    2560 Aug  3 11:09 .
drwxr-xr-x  35 oracle   oinstall    1024 Aug  3 11:09 ..

Here, "nobody" is able to read into the $ORACLE_HOME/lib. PHP's OCI8
functionality is working as desired.
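
Added example, not part of any comment in this report: the owner/group/other check that decides whether "nobody" can use $ORACLE_HOME/lib, run over the two listings quoted above. It assumes plain mode bits (no ACLs); the function names and the group lists passed in are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): evaluate the classic Unix
# owner/group/other check for the $ORACLE_HOME/lib listings quoted above.

# Listings copied from the report; the group lists passed below are constructed.
LIB_10_2='drwxr-x---   3 oracle   oinstall    2560 Aug  3 11:09 .'
LIB_10_1='drwxr-xr-x   3 oracle   oinstall    2560 Aug  3 11:09 .'

# perm_class LS_LINE USER "GROUP ..." -> prints the rwx triplet that applies.
# Only one class is ever consulted: owner, else group, else other.
perm_class() {
    pc_user=$2 pc_groups=$3
    read -r pc_mode pc_links pc_owner pc_group pc_rest <<EOF
$1
EOF
    if [ "$pc_user" = "$pc_owner" ]; then
        printf '%s\n' "$pc_mode" | cut -c2-4; return 0
    fi
    for pc_g in $pc_groups; do
        if [ "$pc_g" = "$pc_group" ]; then
            printf '%s\n' "$pc_mode" | cut -c5-7; return 0
        fi
    done
    printf '%s\n' "$pc_mode" | cut -c8-10
}

# can_use_dir LS_LINE USER "GROUP ..." -> 0 if USER may list (r) and enter (x).
can_use_dir() {
    [ "$2" = root ] && return 0          # root bypasses the mode bits
    case $(perm_class "$1" "$2" "$3") in
        r?[xst]) return 0 ;;             # s/t mean x plus setgid/sticky
        *)       return 1 ;;
    esac
}

report() {
    if can_use_dir "$1" "$2" "$3"; then echo "$2 [$3]: can read lib"
    else echo "$2 [$3]: DENIED"; fi
}

report "$LIB_10_2" nobody "nobody"            # 10.2.x as shipped
report "$LIB_10_2" nobody "nobody oinstall"   # workaround 1: join oinstall
report "$LIB_10_1" nobody "nobody"            # 10.1.0.3 permissions
report "$LIB_10_2" root   "root"              # build-time user
```

Workaround 1 grants access through the group triplet only, so every other account on the host still falls into the `---` class, whereas the 10.1.0.3 mode opens the directory to all local users.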

------------------------------------------------------------------------

[2006-08-09 11:35:20] [EMAIL PROTECTED]

Could you elaborate plz?
This part is the most interesting: "the directory permissions are not
appropriate for use with third-party software".

------------------------------------------------------------------------

[2006-08-09 11:02:29] christian dot schaffer at muenchen dot de

Problem only relevant with Oracle Client 10.2.x, not e.g. with 10.1.x.
Caused by Oracle's overall strategy to tighten up security, the
directory permissions are not appropriate for use with third-party
software.

One-off patch for Solaris 10 (x64) is being developed.

------------------------------------------------------------------------

[2006-06-12 10:49:59] [EMAIL PROTECTED]

The error message is pretty clear.
Not PHP problem.

------------------------------------------------------------------------

[2006-06-09 08:06:15] christian dot schaffer at muenchen dot de

Description:
------------
OCIEnvNlsCreate() failed. There is something wrong with your system -
please check that ORACLE_HOME is set and points to the right directory
in <file>.php

Configure line is:
#!/bin/sh
#
/localdata/build/php/php-5.1.4/configure \
--enable-bcmath \
--enable-calendar \
--enable-ctype \
--enable-dbase \
--enable-discard-path \
--enable-exif \
--enable-filepro \
--enable-force-cgi-redirect \
--enable-ftp \
--enable-gd-native-ttf \
--enable-magic-quotes \
--enable-mbstring \
--enable-memory-limit \
--enable-safe-mode \
--enable-shmop \
--enable-sigchild \
--enable-sysvsem \
--enable-sysvshm \
--enable-versioning \
--enable-wddx \
--with-bz2 \
--with-dom \
--with-libxml-dir=/opt/csw \
--with-gettext=/opt/csw \
--with-jpeg-dir=/opt/csw \
--with-ldap=/opt/csw \
--with-mysql=/opt/csw/mysql5 \
--with-ndbm \
--with-pgsql=/opt/csw/postgresql \
--with-png-dir=/opt/csw \
--with-iconv=/opt/csw \
--with-tiff-dir=/opt/csw \
--with-ttf=/opt/csw \
--with-freetype-dir=/opt/csw \
--with-xpm-dir=/opt/csw \
--with-zlib=/opt/csw \
--with-gd=/opt/csw \
--with-oci8=/opt/oracle \
--with-apxs2=/opt/csw/apache2/sbin/apxs

System applies Oracle Client 10.2.0.1.0

Reproduce code:
---------------
$co = OciLogon(user,pass,sid);


Expected result:
----------------
Oracle connection establishes

Actual result:
--------------
Warning: ocilogon() [function.ocilogon]: OCIEnvNlsCreate() failed.
There is something wrong with your system - please check that
ORACLE_HOME is set and points to the right directory in
/data/www/htdocs/const.php on line 120


------------------------------------------------------------------------

