[php-maint] Bug#674091: php5: support configuration sets

Christoph Anton Mitterer calestyo at scientia.net
Wed May 23 01:26:53 UTC 2012

Package: php5
Severity: wishlist


This is basically regardless of the chosen SAPI, although it may
make the most sense with CGI.

Given that PHP is so inherently insecure, it's reasonable to tighten
the PHP configuration for each PHP program (e.g. forum, davical, etc.)
as far as possible.
One should also choose to execute each PHP program under a different
user, which is why the apache php module and FastCGI are really
horrible from a security point of view.


1) Given that you've introduced /etc/php5/mods-available
I'd like to propose the following changes/definitions:
- /etc/php5/[SAPI]/
  contains _GLOBAL_ configuration for the respective SAPI
  which is (directly, in the sense of the file pathname) read by php.
  most notably, of course, the respective php.ini

- /etc/php5/mods-available
  contains config snippets from modules
  which are NOT (directly) read by php.

- /etc/php5/conf.d
  should be dropped and moved to /etc/php5/[SAPI]/conf.d

That has the advantage that all config is in one tree.
If no modifications are required for a given SAPI, one can simply
symlink to the respective files in mods-available.

Now php may be used in many places, not just webservers... and even if
used in a webserver... there may be different PHP configuration for
different URI spaces (even in the same vhost).

Therefore, while the above /etc/php5/[SAPI]/ contains all default configs/modules:
- /etc/php5/custom/ should be a tree where the user is allowed to add any
non default configuration used anywhere.
I have for example something like:
├── custom
│   └── www
│       └── virtual-hosts
│           └── example.org
│               ├── forum
│               │   ├── cgi
│               │   │   ├── php.local.ini -> ../php.local.ini
│               │   │   ├── suhosin.ini -> ../suhosin.ini
│               │   │   └── suhosin.local.ini -> ../suhosin.local.ini
│               │   ├── php.local.ini
│               │   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│               │   └── suhosin.local.ini
│               └── calendars
│                   ├── cgi
│                   │   ├── pdo.ini -> ../pdo.ini
│                   │   ├── pdo_pgsql.ini -> ../pdo_pgsql.ini
│                   │   ├── pgsql.ini -> ../pgsql.ini
│                   │   ├── php.local.ini -> ../php.local.ini
│                   │   ├── suhosin.ini -> ../suhosin.ini
│                   │   └── suhosin.local.ini -> ../suhosin.local.ini
│                   ├── pdo.ini -> /etc/php5/conf.d/pdo.ini
│                   ├── pdo_pgsql.ini -> /etc/php5/conf.d/pdo_pgsql.ini
│                   ├── pgsql.ini -> /etc/php5/conf.d/pgsql.ini
│                   ├── php.local.ini
│                   ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│                   └── suhosin.local.ini

with different php.inis and different module configs for different paths.

As I noted in a recent bug, the PHP_INI_SCAN_DIR which you set per default
now to /etc/php5/conf.d can be used to point to these directories
where custom configuration can be applied.
If the user resets PHP_INI_SCAN_DIR that default (/etc/php5/conf.d)
will no longer be read...


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
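
An added sketch of the configuration-set idea from this report (not code from the report or from the Debian php5 package): it builds a per-application directory that links only the wanted snippets from mods-available and runs a command with PHP_INI_SCAN_DIR pointing at it. The PHP_ETC variable, the function names and the flattened layout (links going straight into mods-available) are assumptions.

```shell
#!/bin/sh
# Added example. PHP_ETC, the set names and both function names are assumptions.
PHP_ETC="${PHP_ETC:-/etc/php5}"

# make_config_set SET MODULE...
# Creates $PHP_ETC/custom/SET/cgi holding only symlinks to the listed
# snippets in mods-available, plus a php.local.ini for local overrides.
make_config_set() {
    set_name="$1"; shift
    case "$set_name" in
        ""|/*|*..*) echo "invalid set name: $set_name" >&2; return 1 ;;
    esac
    set_dir="$PHP_ETC/custom/$set_name/cgi"
    # Validate every module first so a typo never leaves a half-built set.
    for mod in "$@"; do
        if [ ! -f "$PHP_ETC/mods-available/$mod.ini" ]; then
            echo "unknown module: $mod" >&2
            return 1
        fi
    done
    mkdir -p "$set_dir" || return 1
    # Drop stale links so a module removed from the list is really disabled.
    find "$set_dir" -maxdepth 1 -type l -exec rm -f {} +
    for mod in "$@"; do
        ln -s "$PHP_ETC/mods-available/$mod.ini" "$set_dir/$mod.ini" || return 1
    done
    [ -e "$set_dir/php.local.ini" ] || : > "$set_dir/php.local.ini"
    chmod 0644 "$set_dir/php.local.ini"
    printf '%s\n' "$set_dir"
}

# run_with_set SET COMMAND...
# Runs COMMAND with PHP_INI_SCAN_DIR set to the set's directory, so only
# that directory's snippets are scanned instead of the global conf.d.
run_with_set() {
    set_dir="$PHP_ETC/custom/$1/cgi"; shift
    [ -d "$set_dir" ] || { echo "no such set: $set_dir" >&2; return 1; }
    env PHP_INI_SCAN_DIR="$set_dir" "$@"
}
```

A per-application CGI wrapper, running as that application's own user, would end with `run_with_set example.org/forum` followed by the PHP CGI binary.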
