ID: 36355 Updated by: [EMAIL PROTECTED] Reported By: jnavratil at houston dot rr dot com -Status: Open +Status: Bogus Bug Type: OCI8 related Operating System: Fedora Core 4.2 PHP Version: 6CVS-2006-02-10 (snap) New Comment:
OCI8 extension itself doesn't require any variables, access privileges etc. Those requirements are set by oracle client libraries, so there is nothing we can do about it. And personally I don't consider giving read permissions to apache user as dangerous. But you can use Oracle Instant Client that doesn't require nor ORACLE_HOME (or any other variables) to be set, neither read privileges for any oracle directories. See details here: http://www.oracle.com/technology/tech/oci/instantclient/instantclient.html No PHP bug -> bogus. Previous Comments: ------------------------------------------------------------------------ [2006-02-10 18:14:46] jnavratil at houston dot rr dot com ORACLE_HOME is definitely being set before httpd is started. The /etc/sysconfig/httpd script is sourced at the start of the httpd init script (I also echoed $ORACLE_HOME to make sure). PHP CLI does connect successfully and now I believe I know why... The issue appears to be related to permissions and I am quickly getting out of my depth. When I run the PHP CLI test, I am running as 'oracle' or in my developer account which, for convenience, is a member of the 'oinstall' group. I added the 'oinstall' group to the 'apache' user ( usermod -Goinstall apache ) and was able to connect using the php5_module under apache. Obviously, giving apache this level of access to the oracle installation is dangerous and shouldn't be necessary. It suggests that the development of the oci8 extension may have been done with either a less secure Oracle installation or with an account having more Oracle privilege than it should. Would it be appropriate for the oci8 extension developers to look into this security issue? ------------------------------------------------------------------------ [2006-02-10 17:26:32] [EMAIL PROTECTED] Are you sure ORACLE_HOME is set *before you start* Apache? Does PHP CLI work? ------------------------------------------------------------------------ [2006-02-10 17:15:34] jnavratil at houston dot rr dot com ORACLE_HOME was set in /etc/sysconfig/httpd along with... ORACLE_BASE=/opt/app/oracle; export ORACLE_BASE ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1; export ORACLE_HOME TNS_ADMIN=$ORACLE_BASE/product/10.2.0/db_1/network/admin; export TNS_ADMIN PATH=$ORACLE_HOME/bin:$PATH; export PATH LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH (As an aside, I experimented with these variables and *BELIEVE* ORACLE_HOME was the only one necessary, but I was running the CLI version) ORACLE_HOME permissions are set to 755. The patch to oci8.c consisted of adding... php_error_docref(NULL TSRMLS_CC, E_WARNING, getenv("ORACLE_HOME")); ... just below ... php_error_docref(NULL TSRMLS_CC, E_WARNING, PHP_OCI_INIT_FUNC_NAME "() failed. There is something wrong with your system - please check that ORACLE_HOME is set and points to the right directory"); ... to report the actual value into the /var/log/httpd/error_log. I then remade and installed PHP5. ------------------------------------------------------------------------ [2006-02-10 16:33:38] [EMAIL PROTECTED] How do you set ORACLE_HOME and did you set any other environment variables? Is ORACLE_HOME dir readable by the user httpd uses for its childs? What do you mean by "patched oci8.c"? ------------------------------------------------------------------------ [2006-02-10 16:12:48] jnavratil at houston dot rr dot com Description: ------------ OCIEnvNlsCreate() failed. Message asks to check that ORACLE_HOME is set correctly. I've downloaded the latest snapshot ('php5.1-200602101330') and patched oci8.c to report getenv("ORACLE_HOME") into the error_log and verified that it is correct. CLI version will properly connect, php5_module through Apache will not. Configuration script to build php is: ./configure \ --cache-file=../config.cache \ --with-config-file-path=/etc \ --with-config-file-scan-dir=/etc/php.d \ --disable-debug \ --disable-rpath \ --with-bz2 \ --with-curl \ --with-gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --enable-gd-native-ttf \ --with-gettext \ --with-gmp \ --with-iconv \ --with-openssl --with-kerberos \ --with-pspell=/usr \ --with-pcre-regex=/usr \ --with-zlib \ --with-layout=GNU \ --enable-exif \ --enable-ftp \ --enable-magic-quotes \ --enable-sockets \ --enable-sysvsem \ --enable-sysvshm \ --enable-sysvmsg \ --enable-shmop \ --enable-wddx \ --with-pear=/usr/share/pear \ --enable-ucd-snmp-hack \ --enable-memory-limit \ --enable-calendar \ --with-mime-magic=/etc/httpd/conf/magic \ --without-sqlite \ --with-libxml-dir=/usr \ --with-xml \ --with-apxs2=/usr/sbin/apxs \ --without-mysql \ --without-odbc \ --disable-dba \ --with-oci8=/opt/app/oracle/product/10.2.0/db_1 Reproduce code: --------------- $dbh = OCILogon('my-user', 'my-pwd', 'my-db'); Expected result: ---------------- I expect a valid database resource Actual result: -------------- $dbh is boolean false. Error_log contains: [Fri Feb 10 08:58:58 2006] [error] [client 127.0.0.1] PHP Warning: ocilogon() [<a href='function.ocilogon'>function.ocilogon</a>]: OCIEnvNlsCreate() failed. There is something wrong with your system - please check that ORACLE_HOME is set and points to the right directory in /opt/www/html/listViews.php on line 3 [Fri Feb 10 08:58:58 2006] [error] [client 127.0.0.1] PHP Warning: ocilogon() [<a href='function.ocilogon'>function.ocilogon</a>]: /opt/app/oracle/product/10.2.0/db_1 in /opt/www/html/listViews.php on line 3 Note: '/opt/app/oracle/product/10.2.0/db_1' is my correct ORACLE_HOME and is reported using getenv("ORACLE_HOME"). ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=36355&edit=1
