[Typo3-debian] Suggestion: safe_mode and open_basedir support in TYPO3 Debian package

Lars E. D. Jensen | DCmedia ledj-typo3 at dcmedia.biz
Sun Jun 6 16:09:59 CEST 2004


Hi all

I think it would be a good idea to enable support for safe_mode and 
open_basedir in the forthcoming TYPO3 Debian package. Or at least in a 
later package.

I've enabled safe_mode and open_basedir for a TYPO3 3.6.1 installation, 
mainly after instructions found at 
http://typo3.org/documentation/document-library/doc_inst_upgr/Introduction-4be688999e/
But I also needed to add some twists to e.g. have sendmail and shared 
source working properly.

Things I needed to change in order for things to work completely (apart 
from the documented instructions shown with the link above):

1. First I set these values in an Apache virtual host:

---vhost start---
php_admin_value safe_mode 1

php_admin_value safe_mode_gid 1

php_admin_value safe_mode_exec_dir "/var/www/dangvard/exec/"

php_admin_value safe_mode_include_dir "/var/www/dangvard/:/var/lib/typo3/typo3_src-3.6.1/"

php_admin_value open_basedir "/var/www/dangvard/:/var/lib/typo3/typo3_src-3.6.1/"

php_admin_value sendmail_path "/var/www/dangvard/exec/sendmail -t -i"

---vhost end---

- But notice the trailing slashes in the open_basedir setting; read the PHP 
documentation for an explanation.
- Notice too, the manipulated sendmail_path, and the 2 paths in 
open_basedir.

2. In order to have shared source working I needed to change group to 
www-data for the shared source, this works in conjunction with the 
setting "php_admin_value safe_mode_gid 1" in vhost settings.
So the source now has owner root and group www-data, while it's also 
completely write-protected.

3. For now I have the following symlinks in my exec folder:
lrwxrwxrwx    1 root     root           18 Jun  5 08:19 composite -> /usr/bin/composite
lrwxrwxrwx    1 root     root           16 Jun  5 08:19 convert -> /usr/bin/convert
lrwxrwxrwx    1 root     root           13 Jun  5 08:19 diff -> /usr/bin/diff
lrwxrwxrwx    1 root     root           17 Jun  5 08:19 identify -> /usr/bin/identify
lrwxrwxrwx    1 root     root           16 Jun  5 08:19 pdfinfo -> /usr/bin/pdfinfo
lrwxrwxrwx    1 root     root           18 Jun  5 08:19 pdftotext -> /usr/bin/pdftotext
lrwxrwxrwx    1 root     root           18 Jun  5 08:23 sendmail -> /usr/sbin/sendmail
lrwxrwxrwx    1 root     root            8 Jun  5 08:19 tar -> /bin/tar
lrwxrwxrwx    1 root     root           14 Jun  5 08:19 unzip -> /usr/bin/unzip

Notice that all is owned by root. The exec folder could contain _every_ 
possible symlink to standard linked executables used in TYPO3 outside 
open_basedir, e.g. the HTMLdoc and tidy executables, which aren't included here.
See 
http://typo3.org/documentation/document-library/doc_inst_upgr/Experiences/ 
for further explanation...

If one doesn't use Apache virtual hosts, the settings in 1. can be 
entered directly in php.ini. However this solution allows different 
versions of TYPO3 running in each vhost.


/Lars
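
The trailing-slash remark in step 1, as an added example that is not part of the original post: a small lint for a vhost fragment that flags open_basedir and safe_mode_include_dir entries without a trailing slash, plus a model of why they matter. It assumes the prefix-style comparison that the PHP documentation describes for PHP releases of this era and ignores symlink resolution; the sample fragment and the `/var/www/dangvard-old/` sibling path are constructed for illustration.

```python
import re

# Constructed sample: the first open_basedir entry has lost its trailing slash.
SAMPLE_VHOST = '''
php_admin_value safe_mode 1
php_admin_value safe_mode_exec_dir "/var/www/dangvard/exec/"
php_admin_value open_basedir "/var/www/dangvard:/var/lib/typo3/typo3_src-3.6.1/"
'''

# Directives whose value is a colon-separated list of path prefixes.
PATH_LIST_DIRECTIVES = {"open_basedir", "safe_mode_include_dir"}
DIRECTIVE_RE = re.compile(r'^\s*php_admin_value\s+(\S+)\s+"?([^"\n]*)"?\s*$', re.M)


def parse_path_lists(vhost_text):
    """Return {directive: [entries]} for the path-list directives found."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(vhost_text):
        if name in PATH_LIST_DIRECTIVES:
            found[name] = [p for p in value.strip().split(":") if p]
    return found


def prefix_allows(entries, path):
    """Simplified model of prefix matching: a path passes if it starts with an entry."""
    return any(path.startswith(entry) for entry in entries)


def missing_trailing_slash(vhost_text):
    """List (directive, entry) pairs that would also admit sibling directories."""
    return [(name, entry)
            for name, entries in parse_path_lists(vhost_text).items()
            for entry in entries if not entry.endswith("/")]


if __name__ == "__main__":
    entries = parse_path_lists(SAMPLE_VHOST)["open_basedir"]
    for candidate in ("/var/www/dangvard/fileadmin/a.txt",
                      "/var/www/dangvard-old/localconf.php",  # constructed sibling site
                      "/etc/passwd"):
        print(candidate, "allowed" if prefix_allows(entries, candidate) else "denied")
    for name, entry in missing_trailing_slash(SAMPLE_VHOST):
        print("WARNING: %s entry %r has no trailing slash" % (name, entry))
```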


