Bug#437836: phpbb3: Multiple installations are not supported due to caching functionality
Jamie Thompson
Version: 3.0.0~RC4-1
Severity: important
Hi. I thought I'd try out the phpbb3 package as I was sick of havign to clean out spam users and posts manually from phpbb2. I installed the package, took the database it created and set up two more using it. I then grabbed the install scripts from the upstream sources and ran the convertor, (eventually) ending up with a converted forum.
I then proceeded to set up the second forum, but found elements of the system corrupting each other and think I have identified the caching functionality that used the /cache folder to be the culprit, preventing multiple forums on a single installation as I used to use with phpbb2.
I suspect the source can be hacked so that caching goes in /tmp/phpbb3/$hash_of_dbsettings instead, which should solve/mitigate the problem, but that'll be for another day when I have some time to kill. Chances are though, if they aren't supporting multiple installations (unconfirmed), that other assumptions may cause less obvious problems.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages phpbb3 depends on:
ii apache2 2.2.3-5 Next generation, scalable, extenda
ii apache2-mpm-prefork [ht 2.2.3-5 Traditional model for Apache HTTPD
ii dbconfig-common 1.8.35 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.14 Debian configuration management sy
ii libapache-mod-php5 5.2.0-10+lenny1 server-side, HTML-embedded scripti
ii libapache2-mod-php4 6:4.4.4-9+lenny1 server-side, HTML-embedded scripti
ii mysql-client 5.0.45-1 MySQL database client (meta packag
ii mysql-client-5.0 [mysql 5.0.45-1 MySQL database client binaries
ii php4-mysql 6:4.4.4-9+lenny1 MySQL module for php4
Versions of packages phpbb3 recommends:
ii php4-gd 6:4.4.4-9+lenny1 GD module for php4
pn php5-imagick | php4-ima <none> (no description available)
ii postfix [mail-transport 2.4.3-1 High-performance mail transport ag
-- debconf information:
phpbb3/password-confirm: (password omitted)
phpbb3/mysql/app-pass: (password omitted)
phpbb3/pgsql/admin-pass: (password omitted)
phpbb3/mysql/admin-pass: (password omitted)
phpbb3/pgsql/app-pass: (password omitted)
phpbb3/app-password-confirm: (password omitted)
* phpbb3/database-type: mysql
* phpbb3/mysql/admin-user: root
phpbb3/remote/host:
phpbb3/db/basepath:
* phpbb3/httpd: apache2
* phpbb3/db/app-user: phpbb3
phpbb3/remove-error: abort
phpbb3/dbconfig-reinstall: false
* phpbb3/db/dbname: phpbb3
phpbb3/install-error: abort
phpbb3/upgrade-backup: true
phpbb3/dbconfig-upgrade: true
phpbb3/purge: false
* phpbb3/dbconfig-install: true
* phpbb3/mysql/method: unix socket
phpbb3/missing-db-package-error: abort
phpbb3/pgsql/changeconf: false
phpbb3/remote/newhost:
phpbb3/pgsql/manualconf:
phpbb3/dbconfig-remove:
phpbb3/internal/reconfiguring: false
phpbb3/internal/skip-preseed: false
phpbb3/pgsql/authmethod-user:
phpbb3/upgrade-error: abort
phpbb3/pgsql/admin-user: postgres
phpbb3/remote/port:
phpbb3/pgsql/authmethod-admin: ident
phpbb3/pgsql/no-empty-passwords:
phpbb3/passwords-do-not-match:
phpbb3/pgsql/method: unix socket
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Jamie Thompson
> You can very easily use multiple cache directories by editing the
> $cache_dir parameter in includes/acm/acm_file.php.
It's not quite that simple, as a few other things need to be done as well, as you can see in the patch I've attached.
These changes are working for me, (and have done now for a good few months). I've only just remembered to post them after a manual merge following the
last phpbb3 update (3.0.0 -> 3.0.1). My only concern would be if I'd found all the places required (the forum I run is very low traffic, so it's quite
possible problems wouldn't be noticed quickly, if indeed at all).....and perhaps the quality of the solution. ;)
That said, I run 3 forums off the same install with this, so I believe it to be good enough.
What would also be nice is a standardised Debian way of managing instances, as a lot Debian packages don't seem to support it very well (mediawiki and
phpbb2/3, I'm looking at you).
- Jamie
Jamie Thompson
tend to miss things like this...
No, I didn't have that message on my installation. My perms on that file were/are:
www-data:www-data 666
I've just updated to 3.0.2-3 and re-applied the patch, all seems to work fine as
before.
- Jamie
Daniel Rheinbay
Jamie Thompson wrote:
> Ok, sorry to Daniel for the delay,
no worries :)
> No, I didn't have that message on my installation.
Just for the sake of completeness (my initial mail didn't show up in
Debian's bug tracker): I receive an error message at the bottom of each
page saying
"Fatal error: Not able to
open ./cache/<dbname>/cache/assist/data_global.php
in /usr/share/phpbb3/www/includes/acm/acm_file.php on line 114"
I've changed the permissions to www-data:www-data 666, and made sure
that Apache is following symlinks, though that should not be the cause,
right?
Any further ideas, anyone? How would I go about debugging what the
actual error is? Looking at the source code of acm_file.php, the message
I receive appears to be the default message that's triggered when
something wrong and it's not quite clear what it was.
Any comments will be appreciated.
Thanks,
Daniel
Jamie Thompson
> Just for the sake of completeness (my initial mail didn't show up in
> Debian's bug tracker): I receive an error message at the bottom of each
> page saying
>
>> "Fatal error: Not able to
>> open ./cache/<dbname>/cache/assist/data_global.php
>> in /usr/share/phpbb3/www/includes/acm/acm_file.php on line 114"
>
> I've changed the permissions to www-data:www-data 666, and made sure
> that Apache is following symlinks, though that should not be the cause,
> right?
For what it's worth, on my forum sites the only pertinent settings I have are
(<sitename> replacing actual value):
php_value auto_prepend_file /etc/phpbb3/config_<sitename>.php
php_value session.cookie_domain <sitename>.jamie-thompson.co.uk
DocumentRoot /var/www/forum
<Directory />
...
Options FollowSymLinks MultiViews
...
</Directory>
> Any further ideas, anyone? How would I go about debugging what the
> actual error is? Looking at the source code of acm_file.php, the message
> I receive appears to be the default message that's triggered when
> something wrong and it's not quite clear what it was.
As for finding out your actual error, try removing the 'at' symbol from the
front of fopen - IIRC it disables error reporting in PHP
- Jamie
Daniel Rheinbay
> As for finding out your actual error, try removing the 'at' symbol from the
> front of fopen - IIRC it disables error reporting in PHP
[phpBB Debug] PHP Notice: in file /includes/acm/acm_file.php on line 97:
fopen() [function.fopen]: SAFE MODE Restriction in effect. The script
whose uid is 0 is not allowed to
access /var/cache/phpbb3/cache/phpbb3/data_global.php owned by uid" 33
[...]
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The
script whose uid is 0 is not allowed to
access /var/cache/phpbb3/cache/phpbb3/data_global.php owned by uid 33
in /usr/share/phpbb3/www/includes/acm/acm_file.php on line 97
Would you happen to run your boards with safe mode turned off? Given
that it's been removed in php6 (cf.
http://www.php.net/features.safe-mode , though not yet released) and
we'll upgrade at some point anyways, I guess we should consider turning
it off?
Cheers,
Thijs Kinkhorst
> Would you happen to run your boards with safe mode turned off? Given
> that it's been removed in php6 (cf. http://www.php.net/features.safe-mode ,
> though not yet released) and we'll upgrade at some point anyways, I guess
> we should consider turning it off?
safe_mode is not a real security solution, that is why PHP has abandoned
it for their 6.0 release and Debian doesn't treat bugs in the safe_mode
restrictions as being security-relevant. There's quite some documentations
on its shortcomings around the net.
It will only have benefits in very specific environments, and there are
much better ways to isolate applications on a host. open_basedir may help
somewhat, but a good solution would be to use suEXEC + FastCGI to run the
application under a dedicated user.
If turning it off resolves the problem for you I suggest you do that and
investigate better avenues for isolation.
Thijs
Daniel Rheinbay
thanks for your quick response.
I've actually read a bit of documentation before posting my previous
thread, thus my suggestion of turning it off.
Luckily, I am not relying on safe_mode at all: Apparently, it was the
default configuration that Debian's php5 packages were shipped with at
some point. Maybe this has changed since.
Cheers,
Daniel
Daniel Rheinbay
given that apparently the proposed patch works as long as safe_mode is
turned off, are there any other issues to be taken care of before this
patch can make it into the actual package?
Cheers,
Daniel
Thijs Kinkhorst
> Apparently, it was the default configuration that Debian's php5 packages
> were shipped with at some point. Maybe this has changed since.
I don't think they ever did, but at least they have not been doing that in
any stable release.
> given that apparently the proposed patch works as long as safe_mode is
> turned off, are there any other issues to be taken care of before this
> patch can make it into the actual package?
Yes, I'm not too fond of the creating dirs from the webapp that it does.
Besides that, Lenny needs to be released before we can make further
changes like these to the package. I will look into the proper patch
within a few weeks, when Lenny is out of the door.
cheers,