[TYPO3-linux] Provider security changes

Jörg Schaller jorgo at jorgo.org
Fri Mar 17 16:35:17 CET 2006


On Fri, 17 Mar 2006 10:30:23 -0500, "Dimitri Tarassenko"
<mitka at mitka.us> wrote:

Thank you, that was most helpful and extraordinarily quick!

>Jörg
>
>On 3/17/06, Jörg Schaller <jorgo at jorgo.org> wrote:
>> Hello all,
>>
>> I've received the following communication from my provider and I'd
>> like to know if Typo3 will still correctly work with the below
>> changes. Thanks for your answer!
>
>Yes, it would, however you'll need to do a couple of things to make it happen.
>
>a-1) first of all, you better have shell access to this server. If you
>don't, things are much more complicated.
>
>a) if you did use php_value settings for, say, raising the memory
>limit or altering the globals registration order (uncommented these
>parameters in .htaccess shipped with the TYPO3 Dummy site), you need
>to follow their directions on moving these options to php.ini. Note
>that php.ini probably uses a different syntax, i.e.
>
>php_value blahblah 123
>
>becomes
>
>blahblah = 123
>
>b) you'll need to change ownership of all files in your installation
>owned by Apache process (httpd, nobody) to yourself. Basically, if
>httpd>php process run as nobody or apache in the past, now httpd will
>start php as cgi in this way:
>
>httpd > suexec(setUID to your user) > php as CGI
>
>so all the places where TYPO3 expects to be able to write to
>(/typo3conf, /typo3temp, etc) need to be accessible to your user
>account for writing.
>
>You need to make sure both owner and group for the files have changed
>- phpsuexec in its default install will not run any file with owner or
>group id < 500. This means a file owned by jorg:apache will not run.
>
>The other strange effect you will experience is that immediately after
>the switch, TYPO3 will throw all kinds of errors related to
>session-handling because the PHP session files created by the httpd
>process as apache or nobody will not be readable by the new processes.
>This problem will go away on its own once those sessions expire (4hr
>default) and are harvested by tmpwatch or something similar.
>
>You're in for a bit of a bumpy ride, but in the end you can get it
>working. Unfortunately, you can't really prepare for the switch, so I
>would expect an hour or so of downtime while you are fixing these
>problems.
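
The two checks described in the reply above, written out as an added example that is not part of the original message: `htaccess_to_ini` rewrites active `php_value`/`php_flag` lines from a `.htaccess` file into php.ini syntax, and `audit_owner` lists files that phpsuexec would refuse or that your account cannot write. The function names and the way the script is invoked are assumptions; the 500 threshold is the default quoted in the reply.

```shell
#!/bin/sh
# Added example: pre-flight checks for a switch from mod_php to phpsuexec.

# Print php.ini equivalents of the active php_value / php_flag directives
# in an .htaccess file ("php_value blahblah 123" -> "blahblah = 123").
htaccess_to_ini() {
    awk '
        /^[[:space:]]*#/ { next }          # commented out, so never in effect
        ($1 == "php_value" || $1 == "php_flag") && NF >= 3 {
            name = $2
            # Drop "directive name " and keep the rest of the line as the value.
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print name " = " $0
        }' "$1"
}

# List every path under DIR that is not owned by numeric UID, or whose
# owner or group id is below MIN_ID (phpsuexec default threshold: 500).
audit_owner() {
    dir=$1
    uid=$2
    min_id=${3:-500}
    find "$dir" \( ! -uid "$uid" -o -uid "-$min_id" -o -gid "-$min_id" \) -print
}

# Stand-alone use: ./check.sh /path/to/typo3/site
if [ "$#" -ge 1 ]; then
    if [ -f "$1/.htaccess" ]; then
        echo "# lines to move into php.ini:"
        htaccess_to_ini "$1/.htaccess"
    fi
    echo "# paths needing chown/chgrp:"
    audit_owner "$1" "$(id -u)"
fi
```

An empty second list means every file, including those under typo3conf and typo3temp, is already owned by your account with ids at or above the threshold.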


