[TYPO3-linux] Provider security changes
Dimitri Tarassenko
mitka at mitka.us
Fri Mar 17 16:30:23 CET 2006
Jörg
On 3/17/06, Jörg Schaller <jorgo at jorgo.org> wrote:
> Hello all,
>
> I've received the following communication from my provider and I'd
> like to know if Typo3 will still correctly work with the below
> changes. Thanks for your answer!
Yes, it would, however you'll need to do a couple of things to make it happen.
a-1) first of all, you better have shell access to this server. If you
don't, things are much more complicated.
a) if you did use php_value settings for, say, raising the memory
limit or altering the globals registration order (uncommented these
parameters in .htaccess shipped with the TYPO3 Dummy site), you need
to follow their directions on moving these options to php.ini. Note
that php.ini probably uses a different syntax, i.e.
    php_value blahblah 123
becomes
    blahblah = 123
b) you'll need to change ownership of all files in your installation
owned by the Apache process (httpd, nobody) to yourself. Basically, if
the httpd>php process ran as nobody or apache in the past, now httpd will
start php as cgi in this way:
httpd > suexec(setUID to your user) > php as CGI
so all the places where TYPO3 expects to be able to write to
(/typo3conf, /typo3temp, etc) need to be accessible to your user
account for writing.
You need to make sure both owner and group for the files have changed
- phpsuexec in its default install will not run any file with owner or
group id < 500. This means a file owned by jorg:apache will not run.
The other strange effect you will experience is that immediately after
the switch, TYPO3 will throw all kinds of errors related to
session-handling because the PHP session files created by the httpd
process as apache or nobody will not be readable by the new processes.
This problem will go away on its own once those sessions expire (4hr
default) and are harvested by tmpwatch or something similar.
You're in for a bit of a bumpy ride, but in the end you can get it
working. Unfortunately, you can't really prepare for the switch, so I
would expect an hour or so of downtime while you are fixing these
problems.
--
Dimitri Tarassenko
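
The ownership check described in the message above, as an added example that is not part of the original post: a shell function that lists every file under a TYPO3 tree whose owner is not the account user, or whose uid or gid is below 500, the threshold the message cites. It assumes GNU find (for -printf); the function name and its arguments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU find.
# audit_suexec_tree DIR WANT_UID [MIN_ID]
#   DIR      - root of the TYPO3 installation
#   WANT_UID - numeric uid that suexec will switch to (your account)
#   MIN_ID   - lowest uid/gid accepted; 500 is the value cited in the message
# Prints one line per offending path with the reason(s) appended,
# returns 0 when the tree is clean and 1 when anything was flagged.
audit_suexec_tree() {
    dir=$1
    want_uid=$2
    min_id=${3:-500}
    # %U / %G are the numeric owner and group; %p is the path.
    # Paths containing newlines are not handled.
    find "$dir" -printf '%U %G %p\n' |
    awk -v u="$want_uid" -v m="$min_id" '
        {
            why = ""
            if ($1 != u) why = why " owner-is-not-uid-" u
            if ($1 <  m) why = why " uid<" m
            if ($2 <  m) why = why " gid<" m   # e.g. a file left as user:apache
            if (why != "") { bad = 1; print $0 "  #" why }
        }
        END { exit bad + 0 }'
}

# Stand-alone use: ./audit.sh /path/to/typo3/site
if [ "$#" -gt 0 ]; then
    audit_suexec_tree "$1" "$(id -u)" 500 ||
        echo "ownership must be fixed on the paths listed above" >&2
fi
```

Run it against the site root before and after the chown; an empty listing means every path meets the owner and group conditions the message describes.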