
Re: Securing php: ezpublish




On 01-09-2004 05:44, John Summerfield wrote:
| I'm setting up some CMS software I found at ez.no. There's a Debian
| package, but it's old and non-trivial to set up, so I've downloaded the
| tarball from ez.no.

The Debian package in testing/unstable is an (almost) up-to-date package
of eZ publish 2.2 series. eZ publish 3.x is a complete rewrite and
should not be confused. I have no plans of packaging the other newer
software by the same name (and especially not as an upgrade to the
current package).

The reason for my somewhat odd packaging style (nothing works after
initial installation, instead everything is packaged as tarballs and a
script unpacks those in a folder of your choosing and initializes a
MySQL database) is that, unlike Horde and other large PHP-based programs,
most files are intended for local tweaking, and the only way of doing that
sanely from a packaging point of view is to put everything below /etc.

Why, you might ask, did I not simply drop it below /var/www as everybody
else? Because my job as package maintainer is not only to "throw
something into the system", but also maintain package upgrades.
Whatever I "throw in", I must also maintain. So what I did was to only
provide "source" tarballs that you can throw around yourself, and then
also have to maintain yourself. 15 megabytes of PHP code is not easy to
upgrade sanely. If someone knows a clever way to do it (possible through
Debian packages, so CVS and similar is not an option) please let me know.



| The instructions say to configure php with safe_mode off. That doesn't
| excite me very much: I know little about PHP, but it sounds to me like
| "on" is better than "off."
|
| OTOH, "on" does cause problems. I want users to be able to upload stuff,
| and that means that PHP needs to write somewhere.
|
| However, PHP, with safe_mode on, wants the directories PHP scripts
| read/write to have the same ownership as the scripts. atm the scripts are
| owned by root and that's fine by me.
|
| What do the experts do? Esp those who use ezpublish.

I am a hacker (I hack around in the code) and a professional (I make -
somewhat - a living on setting up and hosting eZ sites), but not an
expert (I took no classes to gain my knowledge).

For my web hosting, I have websites and webphpsites. Websites are owned
by the web designer and in her own group. Webphpsites are owned by the
web designer but in the www-data group. A script scans all webphpsites
and corrects wrong group rights (caused by ftp uploads or similar), and
also changes the owner rights back to the web designer (files created
through PHP are owned by www-data).

It's clumsy, but works for me.


| I've taken the liberty of bccing the maintainer, hoping Jonas will add
| his wisdom to the list and not be too offended.

That's ok. Thanks for the notice.


 - Jonas

--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm
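The ownership-repair pass described in the message above, sketched as an added example; it is not Jonas's script and not part of the Debian package. It assumes "correct group rights" means group read/write (plus search on directories), and the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: repair owner/group drift in PHP-writable site trees.
# Assumption (not from the mail): the web server group needs read/write
# on files and read/write/search on directories.

# list_drift ROOT OWNER GROUP
# Print every entry whose owner or group differs from the expected one,
# or whose group permission bits are missing.
list_drift() {
    root=$1 owner=$2 group=$3
    # find does not follow symlinks by default, so a link created by a
    # PHP script cannot steer the scan outside the site tree.
    find "$root" \( ! -user "$owner" -o ! -group "$group" \
        -o \( -type d ! -perm -070 \) \
        -o \( -type f ! -perm -060 \) \) -print
}

# fix_drift ROOT OWNER GROUP
# Repair what list_drift reports. Meant to run as root from cron.
fix_drift() {
    root=$1 owner=$2 group=$3
    # chown -h changes a symlink itself, never the file it points to.
    # Without -h, a link to /etc/passwd inside the tree would hand that
    # file to the site owner.
    find "$root" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown -h "$owner:$group" {} +
    # chmod always follows symlinks, so only real directories and
    # regular files are touched here.
    find "$root" -type d ! -perm -070 -exec chmod g+rwx {} +
    find "$root" -type f ! -perm -060 -exec chmod g+rw {} +
}

# Usage (hypothetical path and owner name):
#   list_drift /srv/webphpsites/example designer www-data
#   fix_drift  /srv/webphpsites/example designer www-data
```

Running `list_drift` first gives a dry-run report of what the repair would change.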


