Re: Securing php: ezpublish

2004-09-06 Thread John Summerfield
Jonas Smedegaard wrote:
> Why, you might ask, did I not simply drop it below /var/www as everybody
> else? Because my job as package maintainer is not only to "throw
> something into the system", but also maintain package upgrades. Whatever
> I "throw in", I must also maintain. So what I did was to only
> provide "source" tarballs that you can throw around yourself, and then
> also have to maintain yourself. 15 megabytes of PHP code is not easy to
> upgrade sanely. If someone knows a clever way to do it (possible through
> Debian packages, so CVS and similar is not an option) please let me know.
A local CVS or SVN repository seems to me a sane way of tracking what 
tweaks we do so we have some prospect of advancing to a future release.

> | The instructions say to configure php with safe_mode off. That doesn't
> | excite me very much: I know little about PHP, but it sounds to me like
> | "on" is better than "off."
> |
> | OTOH, "on" does cause problems. I want users to be able to upload stuff,
> | and that means that PHP needs to write somewhere.
> |
> | However, PHP, with safe_mode on, wants the directories PHP scripts
> | read/write have the same ownership as the scripts. atm the scripts are
> | owned by root and that's fine by me.
> |
> | What do the experts do? Esp those who use ezpublish.

> I am a hacker (I hack around in the code) and a professional (I make -
> somewhat - a living on setting up and hosting eZ sites), but not an
> expert (I took no classes to gain my knowledge).
>
> For my web hosting, I have websites and webphpsites. Websites are owned
> by the web designer and in her own group. Webphpsites are owned by the
> webdesigner but in the www-data group. A script scans all webphpsites
> and corrects wrong group rights (caused by ftp uploads or similar), and
> also changes the owner rights back to the webdesigner (files created
> through php are owned by www-data).
> It's clumsy, but works for me.

Sounds moderately sane. Thanks for your response, Jonas.
--
Cheers
John
-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Securing php: ezpublish

2004-09-01 Thread Jonas Smedegaard
On 01-09-2004 05:44, John Summerfield wrote:
| I'm setting up some CMS software I found at ez.no. There's a Debian
| package, but it's old and non-trivial to set up, so I've downloaded the
| tarball from ez.no.
The Debian package in testing/unstable is an (almost) up-to-date package
of eZ publish 2.2 series. eZ publish 3.x is a complete rewrite and
should not be confused. I have no plans of packaging the other newer
software by the same name (and especially not as an upgrade to the
current package).
The reason for my somewhat odd packaging style (nothing works after
initial installation, instead everything is packaged as tarballs and a
script unpacks those in a folder of your choosing and initializes a
mysql database) is that unlike horde and other large PHP-based programs
most files are intended for local tweaking, and the only way of doing that
sanely from a packaging point of view is to put everything below /etc.
Why, you might ask, did I not simply drop it below /var/www as everybody
else? Because my job as package maintainer is not only to "throw
something into the system", but also maintain package upgrades. Whatever
I "throw in", I must also maintain. So what I did was to only
provide "source" tarballs that you can throw around yourself, and then
also have to maintain yourself. 15 megabytes of PHP code is not easy to
upgrade sanely. If someone knows a clever way to do it (possible through
Debian packages, so CVS and similar is not an option) please let me know.

| The instructions say to configure php with safe_mode off. That doesn't
| excite me very much: I know little about PHP, but it sounds to me like
| "on" is better than "off."
|
| OTOH, "on" does cause problems. I want users to be able to upload stuff,
| and that means that PHP needs to write somewhere.
|
| However, PHP, with safe_mode on, wants the directories PHP scripts
| read/write have the same ownership as the scripts. atm the scripts are
| owned by root and that's fine by me.
|
| What do the experts do? Esp those who use ezpublish.
I am a hacker (I hack around in the code) and a professional (I make -
somewhat - a living on setting up and hosting eZ sites), but not an
expert (I took no classes to gain my knowledge).

For my web hosting, I have websites and webphpsites. Websites are owned
by the web designer and in her own group. Webphpsites are owned by the
webdesigner but in the www-data group. A script scans all webphpsites
and corrects wrong group rights (caused by ftp uploads or similar), and
also changes the owner rights back to the webdesigner (files created
through php are owned by www-data).
It's clumsy, but works for me.
| I've taken the liberty of bccing the maintainer, hoping Jonas will add
| his wisdom to the list and not be too offended.
That's ok. Thanks for the notice.
- Jonas
--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
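The clean-up Jonas describes for his "webphpsites" (designer-owned files in the www-data group, with FTP uploads and PHP-created files pulled back into line), written out as an added example. This is not Jonas's own script and not part of eZ publish; it assumes GNU find/chown/chmod and takes the site directory, owner and group as arguments (names or numeric ids) instead of hard-coding them.

```shell
#!/bin/sh
# Added example, not Jonas's own script: re-assert the ownership convention he
# describes for "webphpsites" (every path owned by the designer's account, group
# www-data) so that FTP uploads and files PHP creates as www-data are pulled back
# into line. Assumed: GNU find/chown/chmod; site directory, owner and group are
# passed as arguments (names or numeric ids) rather than hard-coded.

# Print every path under $1 whose owner is not $2 or whose group is not $3.
list_offenders() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Number of offending paths; a cron job can mail the output when this is non-zero.
offender_count() {
    list_offenders "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Reset owner:group on the offenders only, then make sure the web server's group
# can write: setgid on directories so new files inherit the group, g+w on files.
fix_ownership() {
    site="$1"; owner="$2"; group="$3"
    find "$site" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown "$owner:$group" {} +
    find "$site" -type d -exec chmod g+ws {} +
    find "$site" -type f -exec chmod g+w {} +
}

# Usage when run directly, e.g. from cron as root (paths are placeholders):
#   sh fix-webphpsite.sh /path/to/webphpsite designer www-data
if [ "$#" -eq 3 ]; then
    fix_ownership "$1" "$2" "$3"
    echo "remaining offenders: $(offender_count "$1" "$2" "$3")"
fi
```

Run it as root from cron against each webphpsite; the offender count is the thing to alert on, since a non-zero value after the fix means chown itself failed.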


Securing php: ezpublish

2004-08-31 Thread John Summerfield
I'm setting up some CMS software I found at ez.no. There's a Debian 
package, but it's old and non-trivial to set up, so I've downloaded the 
tarball from ez.no.

The instructions say to configure php with safe_mode off. That doesn't 
excite me very much: I know little about PHP, but it sounds to me like 
"on" is better than "off."

OTOH, "on" does cause problems. I want users to be able to upload stuff, 
and that means that PHP needs to write somewhere.

However, PHP, with safe_mode on, wants the directories PHP scripts 
read/write have the same ownership as the scripts. atm the scripts are 
owned by root and that's fine by me.

What do the experts do? Esp those who use ezpublish.
I've taken the liberty of bccing the maintainer, hoping Jonas will add 
his wisdom to the list and not be too offended.


--
Cheers
John
-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/



eZpublish

2001-04-25 Thread Ales Jerman
Is there any Debian package for eZpublish?
Thanks!
Bye,

Ales