From: Guy D. <da...@gu...> - 2003-12-23 15:53:43
Robert Day wrote:

>G'Day. Just grabbed a copy of OPT, and while reading the install, I was
>upset to find many PHP settings that were troubling... Yes, you pose
>very valid arguments about the globals setting, but really, you should
>fix that. Globals is off by default on all new PHP installs, and it
>should remain that way. Especially on hosting servers. It is a security
>risk for a hosting provider to enable globals, and most will not. Myself
>

I apologize for not doing a better job of keeping the INSTALL document up to date. The one currently included in the tarball was mostly written by the original authors of OPT (years ago) and contains some incorrect statements. One of these is that 'register_globals' needs to be 'on'. This is not correct. I'll revise this entire document before the next release. Thanks for pointing out this inconsistency.

>included. I would be interested to know how much work would be involved
>in fixing up OPT to work on default php installs... globals off, no
>short-tags, no root MySQL access, etc. Does the setup allow you to skip
>the DB Creation, and just populate the DB? Is there an easy way to deal
>

As mentioned above, OPT works fine with 'register_globals' off. It does require 'short-open-tag' to be on, but I would accept patches that change this. It does not require 'root' MySQL access. You can have OPT use a non-privileged user. (The INSTALL doc is incorrect about this as well.) OPT can create its databases, use existing empty ones, or even use existing, populated ones on install.

>with config files that have to be written? (say packaging up the archive
>with the config files world writeable, and then changing the perms after
>the install?)
>
>

One needs to only set Apache writeable perms during the installation. After that, one can set all files to read-only until the next upgrade.

>I'd be interested in helping out if you need a hand with the workload
>involved. I am going to install this locally for now on my system (PHP
>5 beta, MySQL 4.1, and the CVS ver of Apache) and see how it runs, and
>take a look at the code, to see how hard it will be to patch it for more
>standard systems. And you could also consider using the php
>safe_mode_exec_dir var to determine where the system commands will
>reside, and that way, any commands that are allowed on the server can be
>executed. Saves the need for global exec which should NEVER EVER be
>enabled on a server, especially a hosting box.
>

I would be happy to receive patches that make use of this safe mode. I run OPT on Red Hat Linux systems. During an install of OPT, I only found a need to change the following three settings to allow for large file uploads:

1. memory_limit
2. post_max_size
3. upload_max_size

Thanks for the feedback.

Guy