Line 6: | Line 6: |
We use Suexec and CGI for running PHP scripts rather than mod_php. This provides a more secure environment but means that downloaded PHP applications may not work out of the box. | We use Suexec and CGI for running PHP scripts rather than `mod_php`. This provides a more secure environment but means that downloaded PHP applications may not work out of the box, because most people designing PHP scripts assume that `mod_php` will be used. However, we view this as an excellent security precaution, as it means that you can't just download a PHP app and install it and let it run without having to think about how to make it run! |
Line 8: | Line 10: |
This means that all PHP scripts must start with the line "#!/usr/bin/php" and be executable. | The most obvious consequence is that all PHP scripts must start with the line "#!/usr/bin/php" and be executable. |
Line 16: | Line 18: |
$ ld -lad /homes/help/public_html | $ ls -lad /homes/help/public_html |
Line 33: | Line 35: |
* The script is only writable by the owner of the file. If other users can write to the file then SuExec will refuse to execute it. The only exception are group project directories which can be group writable. To ensure that this is the case run {{{ chmod ga-w <filename> (chmod a-w <filename> for group directories}}} |
* The script is only writable by the owner of the file. If other users can write to the file then SuExec will refuse to execute it. The only exception are group project directories which can be group writable. To ensure that this is the case run {{{ chmod ga-w <filename> (chmod a-w <filename> for group directories}}} |
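Review bot: the command in this bullet, `chmod ga-w <filename>`, clears the write bit for everyone, because `a` already covers owner, group and others, so the owner loses write access as well. Likewise `chmod a-w <filename>` for group directories removes the group write permission that the same sentence says is allowed. Suggest `chmod go-w <filename>` and, for group directories, `chmod o-w <filename>`. The parenthesis opened before the second command is also never closed before `}}}`.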
Line 39: | Line 39: |
If you do get an error with a script check the log in /vol/wwwhomeslogs/server-suexec_log | * If you get an "Internal Server Error" with a script check the log in /vol/wwwhomeslogs/server-suexec_log == Group project areas == A few things to note about permissions if you are running scripts from a group project areas (ie. somewhere in /vol/project/...). * everything should be group readable, writable, and executable (if necessary). {{{ chmod g+rwx <filename> }}} * all new directories created should have chmod g+s done on them to cause newly created files and directories inside them to inherit the parent directory group (eg. g0436204B) rather than using the creating user's primary group (eg. jmc3). {{{ chmod g+s <directory> }}} |
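Review bot: in the first bullet under Group project areas the text says executable "(if necessary)", but the command given, `chmod g+rwx <filename>`, sets group execute unconditionally. Suggest giving `chmod g+rw <filename>` as the general command and adding `g+x` only for scripts and directories, so data files in a project area do not end up executable.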
Using PHP
The version of PHP installed on the webserver and lab machines is 5.2.3. Most common PHP libraries should already be installed. If there is one you need that isn't installed and you can find it in the standard Ubuntu repositories let us know and we can install it for you.
We use Suexec and CGI for running PHP scripts rather than mod_php. This provides a more secure environment but means that downloaded PHP applications may not work out of the box, because most people designing PHP scripts assume that mod_php will be used. However, we view this as an excellent security precaution, as it means that you can't just download a PHP app and install it and let it run without having to think about how to make it run!
The most obvious consequence is that all PHP scripts must start with the line "#!/usr/bin/php" and be executable.
Below is an example of a basic PHP script that resides in the root of a user's public home directory:
    $ pwd
    /homes/help/public_html
    $ ls -lad /homes/help/public_html
    drwxr-xr-x 20 help csg 8192 Feb 1 14:10 ./
    $ ls -la test.cgi
    -rwx------ 1 help csg 44 Feb 1 13:45 test.cgi
    $ cat test.cgi
    #!/usr/bin/php
    <?php
    echo "hello world";
    ?>
Key points to note:
- The script is executable. To ensure a script is executable run chmod +x <filename>
- The script is only writable by the owner of the file. If other users can write to the file then SuExec will refuse to execute it. The only exception is group project directories, which can be group writable. To ensure that this is the case run chmod go-w <filename> (chmod o-w <filename> for group directories).
- The file must be in "Unix format". If you created or edited the file on Windows run dos2unix <filename> to convert it to "Unix format".
- If you get an "Internal Server Error" with a script check the log in /vol/wwwhomeslogs/server-suexec_log
Group project areas
A few things to note about permissions if you are running scripts from a group project area (i.e. somewhere in /vol/project/...):
- Everything should be group readable, writable, and executable (if necessary). chmod g+rwx <filename>
- All new directories should have chmod g+s done on them, so that newly created files and directories inside them inherit the parent directory's group (e.g. g0436204B) rather than the creating user's primary group (e.g. jmc3). chmod g+s <directory>
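
The key points above (interpreter line, execute bit, write permissions, Unix line endings) can be checked in one pass before a script is requested through the web server. The function below is an added example, not part of this page or of the site's tooling; the name check_php_cgi and its "group" argument for files in a group project area are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not site tooling): checks one script against the rules above.
# Usage: check_php_cgi <file> [home|group]
#   "group" is a label assumed here for files in a group project area,
#   where the page allows group write.
# Prints one line per problem; the return status is the number of problems.
check_php_cgi() {
    f=$1
    area=${2:-home}
    problems=0
    fail() { echo "$f: $1"; problems=$((problems + 1)); }

    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }

    # Rule: the first line must be the interpreter line.
    # The CR is stripped here so a DOS-format file is reported once, below.
    first=$(head -n 1 "$f" | tr -d '\r')
    [ "$first" = '#!/usr/bin/php' ] || fail 'first line is not #!/usr/bin/php'

    # Mode string from ls, e.g. "-rwx------": char 4 is owner execute,
    # char 6 is group write, char 9 is other write.
    perms=$(ls -ld "$f" | cut -c1-10)

    # Rule: the script must be executable.
    case $perms in
        ???[xs]*) ;;
        *) fail 'not executable by its owner (chmod +x)' ;;
    esac

    # Rule: nobody but the owner may write to it, or SuExec refuses to run it.
    case $perms in
        ????????w?) fail 'writable by other users (chmod o-w)' ;;
    esac
    case $perms in
        ?????w*) [ "$area" = group ] || fail 'writable by group (chmod g-w)' ;;
    esac

    # Rule: Unix line endings only.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        fail 'contains CR characters (run dos2unix)'
    fi

    return "$problems"
}

if [ "$#" -gt 0 ]; then check_php_cgi "$@"; fi
```

A script that passes returns status 0 and prints nothing; anything it does print names the rule that SuExec or the interpreter would trip over.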