
symfony 1.0.21 in safe mode

(This post is in English, for the non-German-speaking readers in the symfony community.)

Today I started the askeet tutorial to get more accustomed to working with symfony. I have no experience programming with symfony, but soon I'll be responsible for keeping a symfony app running 24x7 that is actively developed by David.

Even though Safe Mode is going away in PHP 6, I feel more comfortable having it enabled, since it still guards PHP apps against the easily exploited problems. Keep in mind that Safe Mode is enforced inside PHP's own file and exec functions, not by the operating system, which is why the filesystem permissions below matter at least as much as the ini switch. I can recommend this paper anyway, since it explains Safe Mode rather well.

Here are my steps to run symfony with Safe Mode enabled and with permissions restricted rather than open.

  1. Install symfony via pear
  2. sudo chmod -R g-w /usr/share/php5/PEAR/symfony
  3. sudo chmod -R g-w /usr/share/php5/PEAR/data/symfony
  4. sudo chgrp -R www /usr/share/php5/PEAR/symfony
  5. sudo chgrp -R www /usr/share/php5/PEAR/data/symfony
  6. chmod -R g-w <yourwebproject>
  7. chmod -R o-rwx <yourwebproject>
  8. sudo chgrp -R www <yourwebproject>
  9. sudo chmod g+s <yourwebproject>
  10. chmod g+w <yourwebproject>/cache
  11. chmod g+w <yourwebproject>/log

This ensures the web server has access to the resources it needs and that no other process has access, since everything is chmod o-rwx. The setgid bit on the project directory (step 9) makes directories and files created later inherit the www group, so the cache symfony writes at runtime stays reachable for the web server. This can be important if different uids are used to separate a Zope/Python or Mason/Perl CMS on the same machine from your symfony app.
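The procedure above as a script, with a check function for the state it is supposed to produce. This is an added example and not code from the original post; the project path and the web server's group ("www" in the post) are parameters, and the sample tree in the usage comment is constructed for illustration. One deliberate difference from the numbered steps: group write on cache/ and log/ is restored recursively, because step 6 (chmod -R g-w) also strips it from any subdirectories symfony has already created inside them.

```sh
#!/bin/sh
# Added example (not from the original post). Applies the permission steps
# from the post to a symfony project tree and verifies the result.
# harden_symfony_project PROJECT WEBGROUP
#   PROJECT  - the project root (the post's <yourwebproject>)
#   WEBGROUP - the group the Apache workers run as ("www" in the post)

harden_symfony_project() {
    project=$1
    webgroup=$2

    chmod -R g-w "$project"            # step 6: group may read/execute only
    chmod -R o-rwx "$project"          # step 7: "others" get nothing at all
    chgrp -R "$webgroup" "$project"    # step 8: hand the tree to the web group
    chmod g+s "$project"               # step 9: new entries inherit the group
    # steps 10-11, but recursive: step 6 already stripped g+w from anything
    # symfony had created below cache/ and log/, and those must stay writable
    chmod -R g+w "$project/cache" "$project/log"
}

# The ten-character mode string exactly as "ls -ld" shows it; this is the
# field the post tells you to watch when a request is denied.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Every entry that still grants read, write or execute to "others"
# (each -perm -NNN matches when all of those bits are set; -004/-002/-001
# are the single other-r/w/x bits).
others_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Entries below cache/ and log/ that the web group cannot write to.
unwritable_by_group() {
    find "$1/cache" "$1/log" ! -perm -020 -print
}

# Entries outside cache/ and log/ that the web group can write to; with
# safe_mode_gid the web server should be able to read code, not change it.
writable_by_group_elsewhere() {
    find "$1" \( -path "$1/cache" -o -path "$1/log" \) -prune \
        -o -perm -020 -print
}

# Return 0 when the tree matches the layout the post aims for, otherwise
# print each offending path (prefixed with what is wrong) and return 1.
check_symfony_project() {
    project=$1
    problems=$( {
        others_accessible "$project" | sed 's/^/others have access: /'
        unwritable_by_group "$project" | sed 's/^/web group cannot write: /'
        writable_by_group_elsewhere "$project" \
            | sed 's/^/web group can write outside cache\/log: /'
        case $(mode_of "$project") in
            ??????[sS]???) ;;   # setgid bit present on the project root
            *) echo "setgid bit missing on project root: $project" ;;
        esac
    } )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage against a constructed sample tree (run steps 6-11 as the owner of
# the project; chgrp to a group you are not a member of needs root):
#   mkdir -p /tmp/askeet/cache /tmp/askeet/log /tmp/askeet/web
#   harden_symfony_project /tmp/askeet www
#   check_symfony_project /tmp/askeet && echo ok
```

If check_symfony_project reports a path, ls -ld it and compare the group and mode with what the web server's process would need; a file that was "edited quickly as root" and now belongs to group root is exactly what the last paragraph of the post warns about.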

Unlike the tutorial, I wasn't using a vhost to get askeet running, but an alias in an already running vhost. Because of that I couldn't serve /sf as an Alias, as my Apache didn't like nested Aliases. Instead I added a symlink to the sf folder (in my case /usr/share/php5/PEAR/data/symfony/web/sf) and enabled SymLinksIfOwnerMatch in the folder's Options in Apache. Note that SymLinksIfOwnerMatch only follows a link whose target is owned by the same uid as the link itself, so the link has to be created by the owner of the PEAR tree (root, after a pear install done with sudo), or Apache answers with a 403.

As I have to enable access to every folder explicitly in my Apache installation (openSUSE 11.1), my Apache configuration looked as follows (as a separate file in the conf.d include directory):

<VirtualHost *:80>
    ServerName insertvhostnamehere.tld
    Alias /askeet /probablyyourwebprojectsfolder/askeet/web
    <Directory /probablyyourwebprojectsfolder/askeet/web>
        Order deny,allow
        Allow from all
        Options SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
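Creating the sf symlink described above, together with the check that SymLinksIfOwnerMatch will actually follow it. This is an added example, not code from the original post; the project and PEAR paths are parameters (the post's target was /usr/share/php5/PEAR/data/symfony/web/sf), and the dangling link in the usage comment is a constructed case.

```sh
#!/bin/sh
# Added example (not from the original post). Creates PROJECT/web/sf as a
# symlink to the symfony web assets and verifies the precondition Apache's
# SymLinksIfOwnerMatch imposes: the link is followed only if the link and
# its target are owned by the same uid. A link made by your shell user that
# points into a root-owned PEAR tree fails that test, and Apache logs
# "Symbolic link not allowed" and returns 403.

# Numeric uid of the link itself (lstat) and of what it points to (stat).
# "ls -n" prints the owner as a number in the third column; -d keeps ls
# from listing a directory's contents, -L makes it follow the link.
uid_of_link()   { ls -ldn "$1" 2>/dev/null | awk '{print $3}'; }
uid_of_target() { ls -ldnL "$1" 2>/dev/null | awk '{print $3}'; }

# Return 0 when Apache with SymLinksIfOwnerMatch would follow $1.
# A dangling link has no target uid and therefore fails as well.
symlink_owner_matches() {
    link_uid=$(uid_of_link "$1")
    target_uid=$(uid_of_target "$1")
    [ -n "$link_uid" ] && [ -n "$target_uid" ] && [ "$link_uid" = "$target_uid" ]
}

# link_sf_assets PROJECT SFDATA
#   PROJECT - the project root, which must already contain web/
#   SFDATA  - the directory holding symfony's web assets
# Run it as the owner of SFDATA (sudo when pear installed the tree as root).
link_sf_assets() {
    project=$1
    sfdata=$2
    ln -s "$sfdata" "$project/web/sf" || return 1
    if symlink_owner_matches "$project/web/sf"; then
        return 0
    fi
    echo "owner mismatch: $project/web/sf -> $sfdata;" \
         "recreate the link as the owner of $sfdata" >&2
    return 1
}

# Usage with the post's paths (constructed example):
#   sudo sh -c '. ./thisfile.sh; link_sf_assets /srv/askeet \
#       /usr/share/php5/PEAR/data/symfony/web/sf'
#   symlink_owner_matches /srv/askeet/web/sf && echo "Apache will follow it"
```

Run the check again whenever the PEAR tree is upgraded or re-owned: the link does not change, but the uid of its target can, and the first sign is usually a 403 on /askeet/sf/... plus the "Symbolic link not allowed" line in the error log.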

Hope this helps you understand why I strip the "others" permissions from my web projects and use the

safe_mode = On
safe_mode_gid = On

features. With safe_mode_gid = On, PHP's Safe Mode check compares the group of the running script with the group of the file it opens, instead of the owner uid; that is why everything above is chgrp'd to www rather than chown'd to the web server user. So nothing that isn't meant for the web gets to the web, and you can separate projects more easily even without virtualization on your server: even a mail server on the same host shouldn't have a chance to get at your symfony app, or the other way round.

If you run into problems implementing this, try thinking as the process that has to access everything, and watch ls -ld foldername and your server's error log very carefully. Most errors come from something being edited quickly as root and then being inaccessible because the file ended up with a different gid.

One Response


  1. Matthias

    I was informed that this version is highly outdated, but I had no clue, since it was offered to me by the pear install symfony/symfony call (after adding the official channel, of course).
    Maybe it is still of use for somebody ....

    Oct 02, 2009 @ 12:21 pm