Chapter 5. PHP Configuration

5.1. safe_mode and open_basedir

Introduction

The PHP settings “safe_mode” and “open_basedir” seem to be popular ways for ISPs to configure their public servers. The point is to prevent customers from peeking into and changing each other's PHP applications. This is good of course, but it can make systems like TYPO3 choke on certain features.

This section tries to describe some experiences with safe_mode and open_basedir. I (kasper) am not an expert in this, but at least these are my findings on these issues. It all applies to TYPO3 version 3.6.0.

php.ini configuration

;
; Safe Mode
;

safe_mode = On

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off
; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir =
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

safe_mode_exec_dir = /www/htdocs/smexec/

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.

open_basedir = /www/htdocs/typo3/

The settings above are what I have tested with. These are some consequences:

  • Script permissions: When “safe_mode” is on, all scripts and files must be owned by the same user as the PHP script is executed as! Generally this seems to cause trouble for people, but TYPO3 cannot be changed internally to make this better - you have to fix the script ownerships. One possibility is if “safe_mode_gid” is “On” - then only the group membership is required to match the one of the PHP-script execution user.

  • Working inside site root: “open_basedir” means that PHP cannot read/write files outside of the directory configured, in this case “/www/htdocs/typo3/”. TYPO3 in version 3.6.0 has been fixed so all file operations on temporary files go on inside the typo3temp/ folder and never the “/tmp/” folder on the system. So this should not cause trouble anymore.

  • External programs: ImageMagick, diff, unzip, tar, pdftotext and whatever external programs are used by TYPO3 must be found in the “safe_mode_exec_dir” folder, in this case “/www/htdocs/smexec/” (or have symlinks in there!). It seems that PHP allows some “virtual path” à la “/usr/local/php/bin” to be used as an “alias” for this path.

Anyway, my experiences follow next.

Experiences

Generally, everything in TYPO3 can work under safe_mode and open_basedir as long as the script permissions are correct. Notice, this is not something TYPO3 can do better or worse; for a working TYPO3 system there must be access to writing files and directories in the filesystem and this is done by plain PHP functions.

safe_mode

In my case my webserver runs as the user “www-data” and I'm editing scripts with the user “agentk”. In order to make this work seamlessly I follow this permission scheme:

  • agentk is a member of the group “www-data” and “www-data” is a member of group “agentk”

  • All files are owned by “agentk” and group is “www-data” - or vice versa. If you have a single user as owner/group on scripts they may not be able to access files and folders owned by the other user. In other words, even if you set “safe_mode_gid” to “on”, PHP scripts with ownership “agentk.agentk” cannot access any file with ownership “www-data.www-data” even if “agentk” and “www-data” are included in the group of the other.

  • All files and directories that require write access have the permission 775 so the group can write.
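
The permission scheme above can be checked from the shell. This is an added example, not part of the original document: it lists the paths that a safe_mode UID compare (or a UID-or-GID compare when safe_mode_gid is On) would reject for a given numeric uid/gid, and the directories that lack the group-write bit. The function names and arguments are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from TYPO3 or PHP).

# safe_mode_mismatches ROOT UID GID [On|Off]
# Prints every path under ROOT that fails the ownership compare:
#   safe_mode_gid = Off -> owner must be UID
#   safe_mode_gid = On  -> owner must be UID, or group must be GID
safe_mode_mismatches() {
    root=$1 uid=$2 gid=$3 gid_mode=${4:-Off}
    if [ "$gid_mode" = On ]; then
        find "$root" ! -user "$uid" ! -group "$gid" -print
    else
        find "$root" ! -user "$uid" -print
    fi
}

# dirs_missing_group_write ROOT DIR...
# Prints directories below ROOT/DIR that lack the group-write bit which
# the 775 scheme relies on.
dirs_missing_group_write() {
    root=$1; shift
    for rel in "$@"; do
        find "$root/$rel" -type d ! -perm -020 -print
    done
}
```

Run it with the uid and gid of the account that owns the scripts, for example `safe_mode_mismatches /www/htdocs/typo3 "$(id -u agentk)" "$(id -g www-data)" On`.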

open_basedir

If this setting is set you should not experience any problems, but you will probably not be able to mount paths outside of this path. TYPO3 is in fact able to mount any filepath on the server, but this setting effectively prevents that; all you can do is relative operations, which should be OK for most cases.

safe_mode_exec_dir

In my settings this was “/www/htdocs/smexec/” and inside of this directory on my Linux box I put symlinks to various programs that TYPO3 uses. You should/can do the same on your system:

drwxr-xr-x    2 root     root         4096 Jan 28 18:43 ./
drwxr-xr-x   18 httpd    httpd        4096 Jan 28 17:27 ../
lrwxrwxrwx    1 root     root           22 Jan 28 17:29 combine -> /usr/X11R6/bin/combine*
lrwxrwxrwx    1 root     root           22 Jan 28 17:29 convert -> /usr/X11R6/bin/convert*
lrwxrwxrwx    1 root     root           23 Jan 28 17:29 identify -> /usr/X11R6/bin/identify*
lrwxrwxrwx    1 root     root           13 Jan 28 18:15 diff -> /usr/bin/diff*
lrwxrwxrwx    1 root     root            8 Jan 28 18:19 tar -> /bin/tar*
lrwxrwxrwx    1 root     root           14 Jan 28 18:28 unzip -> /usr/bin/unzip*
lrwxrwxrwx    1 root     root           16 Jan 28 18:21 pdfinfo -> /usr/bin/pdfinfo*
lrwxrwxrwx    1 root     root           18 Jan 28 18:21 pdftotext -> /usr/bin/pdftotext*
-rwxr-xr-x    1 3764     users      307841 Jan  7 08:36 tidy*

The point is that TYPO3 is allowed to execute external binaries only if found in this folder! The symlink is enough, you don't have to actually move the programs.

Theoretically you should now set up paths to the programs in TYPO3, but it turns out that any path you put in front of the filename of a binary you try to call with exec() in PHP will be stripped off and the “safe_mode_exec_dir” applied instead! This means that you don't have to worry about paths - just make sure all your applications are symlinked in there. (And you cannot put them in sub-folders of “safe_mode_exec_dir”!)
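
An added example, not part of the original document: one shell function that fills a “safe_mode_exec_dir” with symlinks, and one that audits it for dangling links, sub-folders (unusable, as noted above) and a directory that group or others can write to. The function names are hypothetical and the directory is passed as an argument.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from TYPO3 or PHP).

# populate_exec_dir DIR PROG...
# Symlinks every PROG found on PATH directly into DIR (no sub-folders) and
# prints "missing: PROG" for programs that are not installed.
populate_exec_dir() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for prog in "$@"; do
        target=$(command -v "$prog" 2>/dev/null) || target=
        case $target in
            /*) ln -sf "$target" "$dir/$prog" ;;
            *)  echo "missing: $prog" ;;
        esac
    done
}

# audit_exec_dir DIR
# Prints one finding per line and returns 1 if anything was found.
audit_exec_dir() {
    dir=$1 bad=0
    # Whoever can write to DIR decides what PHP may execute.
    case $(ls -ld "$dir" | cut -c1-10) in
        ?????w*|????????w*) echo "writable-dir: $dir"; bad=1 ;;
    esac
    for entry in "$dir"/*; do
        name=${entry##*/}
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            echo "dangling: $name"; bad=1      # target was removed or moved
        elif [ -d "$entry" ]; then
            echo "subdir: $name"; bad=1        # not reachable through exec()
        elif [ -e "$entry" ] && [ ! -x "$entry" ]; then
            echo "not-executable: $name"; bad=1
        fi
    done
    return "$bad"
}
```

For the listing above this would be `populate_exec_dir /www/htdocs/smexec combine convert identify diff tar unzip pdfinfo pdftotext` followed by `audit_exec_dir /www/htdocs/smexec`.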

About ISPs and ImageMagick et al

It seems that exactly this setting (safe_mode_exec_dir) makes it possible for ISPs to offer ImageMagick (and the other applications) to their customers without compromising safety. What they simply do is to install the applications on the server, then in the “safe_mode_exec_dir” that applies to their customers they put symlinks to these applications. See the listing above.

If you have an ISP who does not know how to help you overcome this problem, try to show him this description and that might help him to understand how easy it will be.

Writing Apache-style log files with “safe_mode”

When you have configured TYPO3 to write to Apache-style log files you will see it fail with “safe_mode” since the “echo” command on Unix cannot be executed to add a new line to the log.

This can easily be fixed (and should work on Windows as well!) by simply setting this new configuration directive:

$GLOBALS['TYPO3_CONF_VARS']['FE']['logfile_write'] = 'fputs';

External binaries requested by TYPO3

Talking about safe_mode_exec_dir - this is the list of programs that the core of TYPO3 wants to have (or have symlinks to) in the “safe_mode_exec_dir”. Of course this is also true for non-safe_mode systems:

“combine”, “convert” and “identify”

These are the “ImageMagick” programs that TYPO3 uses to scale images. For a long time version 4.2.9 has been recommended and preferred, but don't go to the end of the world for this! Today all recent versions of ImageMagick 5 seem to work as well, although they require some configuration in TYPO3's Install Tool to generate all output correctly.

This is how my Install Tool found these files after symlinking:

“diff”

Used for showing the red/green change history in the “History/Undo” function in TYPO3:

“tar” and “unzip”

Used when you click the icon of a “.tar” or “.zip” file in the Filelist module and select “Info”. In the “View Item” box you will see the list of files inside if these are present:

“tidy”

A program that can be used to clean up the frontend output code from TYPO3. Can be configured with $TYPO3_CONF_VARS['FE']['tidy'] and other options.

“pdftotext” and “pdfinfo”

Not used by the core but by the “indexed_search” extension. Also “catdoc” is used. But there could be others. In any case, they have to be in the “safe_mode_exec_dir” if they are used by TYPO3!

“cp”, “mv”, “rm”

In the old days TYPO3 used “cp” for copying files and “mv” for moving or renaming and “rm” for deleting files.

First of all, the PHP equivalents are always used on Windows. On UNIX, PHP functions will be used if $GLOBALS['TYPO3_CONF_VARS']['BE']['usePHPFileFunctions'] is set to true, which it is by default.

For the completeness of this list I just mention these applications. You probably don't have to think more about this now.