Bug#674091: php5: support configuration sets

Package: php5
Severity: wishlist


Hi.

This is basically regardless of the choosen SAPI, although it may
make the most sense with CGI.

Given that PHP is so inherently insecure, it's reasonable to tighten
the PHP configuration for each PHP program (e.g. forum, davical, etc.)
as far as possible.
On should also choose to execute each PHP program under a different
user, which is why the apache php module and FastCGI are really
horrible from a security point of view.

Nevertheless

1) Given that you've introduced /etc/php5/mods-available
I'd like to propose the following changes/definitions:
- /etc/php5/[SAPI]/
contains _GLOBAL_ configuration for the respective SAPI
which is (directly, in the sense of the file pathname) read by php.
most notably, of course, the respective php.ini

- /etc/php5/mods-available
contains config snippets from modules
which are NOT (directly) read by php.

- /etc/php5/conf.d
should be dropped and moved to /etc/php5/[SAPI]/conf.d

That has the advantage that all config is in one tree.
If no modifications are required for a given SAPI, on can simply
symlink to the respective files in mods-available.


Now php may be used in many places, not just webservers... and even if
used in a webserver... there may be differen PHP configuration for
different URI spaces (even in the same vhost).

Therefore, while the above /etc/php5/[SAPI]/ contains all default configs/modules:
- /etc/php5/custom/ should be a tree where the user is allowed to add any
non default configuration used anywhere.
I have for example something like:
├── custom
│   └── www
│   └── virtual-hosts
│   └── example.org
│ ├── forum
│ │  ├── cgi
│   │  │   ├── php.local.ini -> ../php.local.ini
│   │   │   ├── suhosin.ini -> ../suhosin.ini
│   │  │   └── suhosin.local.ini -> ../suhosin.local.ini
│  │ ├── php.local.ini
│  │ ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│  │ └── suhosin.local.ini
│   └── calendars
│  ├── cgi
│  │   ├── pdo.ini -> ../pdo.ini
│  │   ├── pdo_pgsql.ini -> ../pdo_pgsql.ini
│  │   ├── pgsql.ini -> ../pgsql.ini
│  │   ├── php.local.ini -> ../php.local.ini
│  │   ├── suhosin.ini -> ../suhosin.ini
│  │   └── suhosin.local.ini -> ../suhosin.local.ini
│  ├── pdo.ini -> /etc/php5/conf.d/pdo.ini
│  ├── pdo_pgsql.ini -> /etc/php5/conf.d/pdo_pgsql.ini
│  ├── pgsql.ini -> /etc/php5/conf.d/pgsql.ini
│  ├── php.local.ini
│  ├── suhosin.ini -> /etc/php5/conf.d/suhosin.ini
│  └── suhosin.local.ini


with different php.inis and differen module configs for differen paths.


As I noted in a recent bug, the PHP_INI_SCAN_DIR which you set per default
now to /etc/php5/conf.d can be used to point to these directories
where custom configuration can be applied.
If the user resets PHP_INI_SCAN_DIR that default (/etc/php5/conf.d)
will no longer be read...


Cheers,
Chris.








Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org