PHP Configuration
From Campus Web Server Help
Some will find it helpful to create custom php.ini files. This can introduce more security risks if care and consideration are not given to each provision (or lack thereof) in the file. For example, enabling allow_url_fopen can be very dangerous. One nice thing about using a custom php.ini file is the ability to log PHP errors to some place like your logs directory.
To create your own php.ini file, you must do the following:
- Place your php.ini file in /usr/www/$env/$username/etc
- Modify /usr/www/$env/$username/wrappers/php-cgi to look like this:

    #!/bin/sh
    export PHPRC="/usr/www/$username/etc"
    exec /usr/bin/php-cgi "$@"

Since this is a CGI script, the owner executable bit must be set. The script and the directory cannot be writable by anyone but the owner. The wrappers directory must be executable by anyone. More information about permissions is available. From the command line, you can set the permissions this way:

    chmod 700 /usr/www/$env/$username/wrappers/php-cgi
    chmod 711 /usr/www/$env/$username/wrappers

This must be done in each environment (development, staging and production).
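The permission requirements above can be checked with a short script. This is an added example, not part of the original page or the server's own tooling; the function names has_mode and audit_wrappers are hypothetical, and the wrappers directory is passed as the argument.

```shell
#!/bin/sh
# Added example (not from the original page): audit the permissions the
# page requires for the php-cgi wrapper and its directory.

# has_mode PATH MODE: true when every bit in MODE (e.g. -0100) is set.
# find -perm reads the mode bits themselves, so the result does not
# depend on which user runs the audit.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# audit_wrappers DIR: DIR is the wrappers directory. Prints one line per
# finding and returns the number of findings (0 means compliant).
audit_wrappers() {
    dir=$1
    script=$dir/php-cgi
    problems=0
    if [ ! -d "$dir" ] || [ ! -f "$script" ]; then
        echo "MISSING: $script"
        return 1
    fi
    # The CGI script needs the owner executable bit.
    if ! has_mode "$script" -0100; then
        echo "FAIL: $script is not executable by its owner"
        problems=$((problems + 1))
    fi
    # Neither the script nor the directory may be group- or world-writable.
    for target in "$script" "$dir"; do
        for bit in 0020 0002; do
            if has_mode "$target" "-$bit"; then
                echo "FAIL: $target is writable by non-owner (mode bit $bit)"
                problems=$((problems + 1))
            fi
        done
    done
    # The wrappers directory must be executable (searchable) by everyone.
    if ! has_mode "$dir" -0111; then
        echo "FAIL: $dir is not executable by everyone"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_wrappers "$1"
fi
```

Run it once per environment with the wrappers directory as the argument; an exit status of 0 means every requirement listed above is met.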
Since php-cgi processes only die after some time or a certain number of requests, you must simply wait for your new php.ini to be utilized. These processes are definitely restarted daily at 4:00AM. We foresee the need for a tool which allows developers to restart their own php-cgi processes.
Server administrators reserve the right to limit resource usage and kill processes to maintain system stability and security.
Under the covers, Apache switches from its normal effective user to the one defined in the Apache SuexecUserGroup setting before running this php-cgi script. The php-cgi script is the actual interpreter of the PHP code. This is unlike the Apache module PHP interpreter, mod_php, that you will find on many setups. Apache's "suexec" feature ensures that all code executed by Apache on behalf of web visitors is run as the script owner. Unix file permissions and security then apply, rather than leaving security to PHP/Apache. Also, this script is run using mod_fcgid. FCGI allows the script to continue listening for requests, rather than loading the interpreter each time. The other advantage of suexec is that we can use system limits on individual users, show which user is consuming CPU/RAM, and see who created which files.
