Koozali.org: home of the SME Server

[ANNOUNCE] SME Site Maker (now with full MySQL support)

Normando
« on: April 07, 2007, 01:18:05 AM »
I have finished this script.
This allows you to configure your new web site directory and configuration files automatically.

This is the solution for beginners to make their web sites available on the web, under the /opt directory.

I also created a wiki page where you can download it:

http://wiki.contribs.org/SME_Site_Maker

Please report any bugs.
Thanks

william_syd
« Reply #1 on: April 07, 2007, 07:43:38 AM »
Great.

Didn't see an option for
Code:
php_admin_value open_basedir

A large number of questions about php web apps seem to be related to it.
Regards,
William

If I give advice.. It's only if it was me....

Normando
« Reply #2 on: April 07, 2007, 08:13:26 AM »
Quote from: "william_syd"
Great.

Didn't see an option for
Code:
php_admin_value open_basedir

A large number of questions about php web apps seem to be related to it.


I thought about the open_basedir option, but searching the default configuration of SME I found it is only necessary for ibays, because SME restricts script access to within the ibay, but not for scripts run under other directories (e.g. /opt).
Then the script can access any dir. The most important is /tmp to store sessions.
Well, maybe I am wrong. Can you confirm my "thesis"?  :D

The script has big potential. By adding more functions it is possible to create MySQL DBs automatically, set more variables, etc.
I am thinking of offering two choices at the beginning: one for "Basic" configuration, more suited to newbies, and an "Advanced" one only for experts.

Well, thank you for your comments. Of course, you can modify and beautify the script.

cactus
« Reply #3 on: April 07, 2007, 09:37:54 AM »
Quote from: "PicsOne"
I thought about the open_basedir option, but searching the default configuration of SME I found it is only necessary for ibays, because SME restricts script access to within the ibay, but not for scripts run under other directories (e.g. /opt).
Then the script can access any dir. The most important is /tmp to store sessions.
Well, maybe I am wrong. Can you confirm my "thesis"?  :D

You are partly right, in that SME Server only configures PHPBaseDir restrictions for ibays. SME Server uses a template snippet (95AddType00PHP2ibays) to configure the basedir restriction for ibays. Have a look at the fragment to see how they do it. Basically it boils down to this:

If PHP is enabled and there is no PHPBaseDir definition for the ibay, it is restricted to its own sandbox; if a PHPBaseDir is defined, this value is set.

You should do something analogous, as you are now compromising the security of the system that the developers have so carefully built in, although I know the PHPBaseDir restriction is not such a watertight security measure.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

judgej
« Reply #4 on: April 07, 2007, 11:12:26 AM »
Quote from: "PicsOne"

Then the script can access any dir. The most important is /tmp to store sessions.


Nearly. If PHP uses /tmp to store sessions, then it makes no difference whether base_dir restrictions are in effect or not, since the session saving does not involve your script reading or writing /tmp directly.

Where some applications fall down, is that they try to copy uploaded files directly out of /tmp, instead of using the PHP function that is designed specifically to do that for them.

I've said it many times, and will say it again: opening up the sandbox is a security risk, and should not be done without absolutely knowing what you are doing. No web application should need access to the system global /tmp area. What possible reasons should a common web application have for being able to read *other* applications' and system-wide temporary files?

-- JJ
-- Jason

cactus
« Reply #5 on: April 07, 2007, 11:19:42 AM »
Quote from: "judgej"
Nearly. If PHP uses /tmp to store sessions, then it makes no difference whether base_dir restrictions are in effect or not, since the session saving does not involve your script reading or writing /tmp directly.

Really? That is news to me, as there are some PHP functions that are used for sessions and they should be subject to the basedir ruleset as they are PHP code.

Quote from: "judgej"
Where some applications fall down, is that they try to copy uploaded files directly out of /tmp, instead of using the PHP function that is designed specifically to do that for them.

These functions fall under the same restriction as the aforementioned session functions AFAIK.

Quote from: "judgej"
I've said it many times, and will say it again: opening up the sandbox is a security risk, and should not be done without absolutely knowing what you are doing. No web application should need access to the system global /tmp area. What possible reasons should a common web application have for being able to read *other* applications' and system-wide temporary files?

There you have a point, with which I agree, although the PHP BaseDir restriction still improves security it does not exclude all misuse. There is also perl, and perl scripts are not restricted by the PHP BaseDir setting, let alone perl not having such a restriction available.

Normando
« Reply #6 on: April 07, 2007, 04:13:52 PM »
Thanks for all replies.

Related to the open_basedir restriction, there are a lot of posts talking about modifying basedir to allow access to the /tmp dir, because PHP sets this as the default directory to store sessions. A really good measure to avoid the security risk is to tell PHP to store sessions in the current directory. Maybe with php_admin_value or flag in an .htaccess file, but I don't know if it is possible.

Now I have added the open_basedir restriction with an option to change it at configuration time, with an alert about the security risk.

This is the code I added:

Code:
# Default: restrict PHP to the site root ($f_root is set earlier in the script).
obd="$f_root"
clear
echo
echo "Do you want to modify open_basedir restriction?"
echo "Default give php access only to local siteroot ($f_root)"
echo "Use with care, this is a security risk"
echo "(Y/N/Enter)"
echo ":"
read -r YESNO
case "$YESNO" in
    "Y" | "y" )
        f_obd="1";;
    "N" | "n" )
        f_obd="0";;
    *)
        # Enter or any other answer keeps the default restriction.
        f_obd="0";;
esac

if [ "$f_obd" = "1" ]
then
    ANSWER=1
    # Keep asking until a non-empty value is entered.
    while [ "$ANSWER" = 1 ]
    do
        clear
        echo
        echo "Please enter the directory you want to allow PHP can access."
        echo "If you specify more than one, separate with \":\""
        echo "Example: /dir_one:/dir_two"
        echo ":"

        read -r open_bd
        if [ "$open_bd" != "" ]
        then
            obd=$open_bd
            ANSWER=0
        else
            clear
            echo
            echo "You have not provide a directory name. Hit enter to try again"
            read -r x
        fi
    done
fi


and final step:

Code:
# Append the directive to the site's config file ($c_file is set earlier in the script).
echo "php_admin_value open_basedir $obd" >> "$c_file"

Thanks
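
An added example, not part of the original post or of SME Site Maker: one way to check the typed open_basedir answer before it is appended to the Apache config, and to give the site its own session directory instead of opening /tmp. The function names and the /opt/site1 paths are hypothetical, and the session directory is assumed to sit outside the document root.

```bash
#!/bin/bash
# Added example, not SME Site Maker code. Function names are hypothetical.

# Validate a colon-separated open_basedir answer before it reaches the
# Apache config. Prints the cleaned value; returns 1 with a reason on stderr.
validate_open_basedir() {
    local input="$1" entry cleaned=""
    case $input in
        "") echo "empty value" >&2; return 1 ;;
        # Whitelist: a space or newline would start a second directive.
        *[!A-Za-z0-9_./:-]*) echo "unsafe character in value" >&2; return 1 ;;
    esac
    local IFS=:
    for entry in $input; do          # split on ":" (no glob chars can remain)
        case $entry in
            "") continue ;;          # ignore empty "::" segments
            /|/tmp|/tmp/) echo "refusing shared path: $entry" >&2; return 1 ;;
            /*) ;;                   # absolute path, keep checking
            *) echo "not an absolute path: $entry" >&2; return 1 ;;
        esac
        case "/$entry/" in
            */../*|*/./*) echo "relative component in: $entry" >&2; return 1 ;;
        esac
        # Trailing slash: PHP versions that treat the value as a prefix
        # would otherwise let /opt/site also match /opt/site2.
        cleaned="${cleaned:+$cleaned:}${entry%/}/"
    done
    [ -n "$cleaned" ] || { echo "no usable path" >&2; return 1; }
    printf '%s\n' "$cleaned"
}

# Print the per-site directives. session_dir is an assumed private directory
# outside the document root; it is listed in open_basedir as well, so the
# site never needs the system-wide /tmp.
php_site_directives() {
    local site_root="$1" session_dir="$2" extra="${3:-}" obd
    [ -n "$session_dir" ] || { echo "session_dir is required" >&2; return 1; }
    obd=$(validate_open_basedir "$site_root:$session_dir${extra:+:$extra}") || return 1
    printf 'php_admin_value open_basedir %s\n' "$obd"
    printf 'php_admin_value session.save_path %s\n' "${session_dir%/}"
}

# Constructed sample run; the output is what would be appended to the config.
php_site_directives /opt/site1 /opt/site1-sessions
```

The session directory has to exist and be writable by the web server user before PHP can use it.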

Normando
« Reply #7 on: April 09, 2007, 10:42:07 AM »
I have uploaded the new version with full MySQL support (v1.5).
You can now create your DB automatically, and set the user and password. Also added full privileges for the user for the database. If the user or database already exists, then you have the choice of dropping and creating a new one, or not modifying anything. In the case of the user, if it exists the script only adds privileges for the new database you have created.

Please, test and report any bugs.

Thanks

Normando
« Reply #8 on: April 10, 2007, 09:34:18 AM »
New version 1.7

# Author: Normando Hall (PicsOne)
# nhall@unixlan.com.ar
#
# Status
# Version: 1.7
# 10/04/2007  (d/m/Y)
#
#
# Changelog
#
# 1.7 (by Normando Hall)
# Fix some bugs with MySQL database and users already exists
# Set debug output to /opt
# Added SME6 support
# Improve some functions
# Stylize prompt
#
# 1.5 (by Normando Hall)
# Fix some bugs with CGI dir
# Added full mysql support
#
# 1.1 (by Normando Hall)
# Added php open_basedir restriction
# Set debug variable
#
# 1.0 (by Normando Hall)
# Initial release

haymann
« Reply #9 on: May 09, 2007, 04:19:25 AM »
Am I the only moron that needs more info to get this going? I need some help with this step
Quote
Untar and execute
I've got the untar part fine, but none of the steps that I have found from Google seem to work... I don't know what to do with the SMESiteMaker file that is left after untarring...
Thanks!

Also, I don't know if I understand how this all works. Do you run this script each time that something is to be installed?
Ryan

haymann
« Reply #10 on: May 09, 2007, 04:22:49 AM »
:oops: Posted too quick...
Code:
./SMESiteMaker
seems to do the trick...

Normando
« Reply #11 on: May 09, 2007, 07:59:57 AM »
Hello haymann.

I have updated the wiki to resolve any doubt about SMESiteMaker.
Please visit http://wiki.contribs.org/SME_Site_Maker

Quote
Also, I don't know if I understand how this all works. Do you run this script each time that something is to be installed?

No, run it only one time, when you create a site the first time.

haymann
« Reply #12 on: May 09, 2007, 08:05:56 PM »
Quote from: "PicsOne"
I have updated the wiki to resolve any doubt about SMESiteMaker.
Please visit http://wiki.contribs.org/SME_Site_Maker

Thank you, that helps those of us that are still learning the command line stuff!

Quote
No, run it only one time, when you create a site the first time.

I understand now (I think), I tried last night and it looks like you would want to run this every time you are creating a new site. I tried installing roundcube (I know there are a few contribs for this, but I want to access it by domain.name/email instead of domain.name/roundcube...), but I messed something up. It might have been wrong to try to force it to use SSL? Anyway, I'll keep playing, thanks for the handy tool.
Ryan

Normando
« Reply #13 on: May 09, 2007, 11:32:24 PM »
Thanks haymann.
I have updated the wiki again  :D

Normando
« Reply #14 on: May 10, 2007, 06:20:57 PM »
Thank you for your wiki edit!!!!  :mrgreen: