On Fri, May 23, 2008 at 9:08 PM, Mike McGrath mmcgrath@redhat.com wrote:
On Fri, 23 May 2008, Jeffrey Tadlock wrote:
Change 'allow_url_fopen' to Off.
Set 'expose_php' to Off.
Set 'display_errors' to Off.
Set the upload_tmp_dir to a location that is only accessible by the user running MediaWiki and not readable or writeable by anyone else as well as being outside the web root.
disable_functions = "apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,proc_nice,shell_exec,show_source,symlink,system,exec,fsockopen,dl,popen"
php_admin_value open_basedir /var/www/wiki:/location/of/upload/tmp/dir
These are all fine with me.
I made most of these changes tonight on publictest2. There were two exceptions.
I did not change the 'display_errors' as it is useful for the testing going on.
'open_basedir' is causing issues with the user's page (i.e. clicking the jeffreyt link at the top of the page); when it is enabled, it just goes to a blank page. The same happens with the Infrastructure page as well. Everything else seemed to work well with it enabled. I will play with that on a vanilla install at home and see what is up with that.
Everything else has been modified.
If something has broken and I missed it, feel free to ping me (iWolf) on IRC. If I am not around you can grab the original php.ini file from my home directory under the php-sec directory. Just copy it to /etc/php.ini and bounce apache and you will be back to the way it was before I made the changes. Please let me know if you need to do that though, so I can look at it further.
Thanks, Jeffrey
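
Added example, not part of the original thread: a small Python audit that reads a php.ini and reports which of the settings proposed above are not in effect. The function names, the sample file and the use of /var/www/wiki as the web root are assumptions; open_basedir (set through php_admin_value in the Apache configuration) and the file permissions on the upload directory are not checked here.

```python
import posixpath
import re

# Function names copied from the disable_functions line quoted in the thread.
WANT_DISABLED = set("""
apache_get_modules apache_get_version apache_getenv apache_note apache_setenv
disk_free_space diskfreespace dl highlight_file ini_alter ini_restore openlog
passthru phpinfo proc_nice shell_exec show_source symlink system exec
fsockopen popen""".split())
WANT_OFF = ("allow_url_fopen", "expose_php", "display_errors")  # PHP default: On
OFF_VALUES = {"off", "0", "false", "no", ""}

def parse_ini(text):  # returns {directive: value}; a later assignment wins
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        key, sep, val = line.partition("=")
        if not sep or line[0] in ";#[":
            continue
        val = val.strip()
        if val and val[0] in "\"'":        # quoted value: keep what is inside
            val = val[1:].split(val[0], 1)[0]
        else:                               # unquoted: drop a trailing ; comment
            val = val.split(";", 1)[0].strip()
        conf[key.strip().lower()] = val
    return conf

def audit(text, web_root="/var/www/wiki"):  # web_root value is an assumption
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_ini(text), []
    for name in WANT_OFF:
        if conf.get(name, "1").lower() not in OFF_VALUES:  # missing line = On
            findings.append(f"{name} is not Off")
    tmp, root = conf.get("upload_tmp_dir", ""), posixpath.normpath(web_root) + "/"
    if not tmp:
        findings.append("upload_tmp_dir is unset")
    elif (posixpath.normpath(tmp) + "/").startswith(root):
        findings.append("upload_tmp_dir is inside the web root")
    have = set(re.split(r"[,\s]+", conf.get("disable_functions", "")))
    missing = sorted(WANT_DISABLED - have)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings

SAMPLE = """; constructed sample, not a real host's php.ini
allow_url_fopen = Off
display_errors = On  ; kept for testing
upload_tmp_dir = /var/www/wiki/tmp
disable_functions = "dl,exec,system, popen,passthru"
"""
```

Calling `audit(SAMPLE)` returns four findings, including one for expose_php, which the sample omits and which therefore falls back to PHP's default of On.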