ID:               36355
 Updated by:       [EMAIL PROTECTED]
 Reported By:      jnavratil at houston dot rr dot com
 Status:           Bogus
 Bug Type:         OCI8 related
 Operating System: Fedora Core 4.2
 PHP Version:      6CVS-2006-02-10 (snap)
 New Comment:

>Do you really think that apache should be a member of 
>the oracle group to run php5_module with OCI8?  
It doesn't matter what I think about it, this is *required* by oracle
client libraries.

>A friend, who has been a consultant with Oracle for the
> last 10 years doesn't consider it kosher. 
Why do you tell me this?
If you know how to avoid it (and still provide a way for OCI to read
tnsnames.ora and other files) - tell it to Oracle people.

> My client for whom I am developing a PHP/Oracle 
> application doesn't particularly like the idea of a PHP 
> script being able to execute any Oracle binary it likes.
Tell your client about open_basedir directive.
Also I think it would be worth reading about unix privileges. You don't
have to grant to the user both execute and read privileges at the same
time.

>Instant client is designed for accessing remote database servers.  
Wrong. It doesn't matter whether the server is local or not.

>I don't know but now will have to learn it to find out.  
Yes, do it please.

>Clearly OCI8 as currently written is pretty useless for a
>production environment, at least if Oracle and Apache are
>on the same server.
Please direct your complaints to Oracle, it has nothing to do with PHP
or ext/oci8.

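To make the point about unix privileges concrete, here is an added audit script (not part of the bug report or of ext/oci8) that walks a path such as $TNS_ADMIN/tnsnames.ora and reports which group bits each component grants: directories need only the execute (search) bit and only the final file needs read, so a group like oinstall can reach tnsnames.ora without any Oracle directory being group-readable. It assumes Linux with GNU stat; the tree it builds is constructed for the demonstration.

```shell
# Added example, not code from the bug report or from ext/oci8.
# Audits group bits along a path such as $TNS_ADMIN/tnsnames.ora: a
# group needs only 'x' (search) on each directory and 'r' on the file,
# so no Oracle directory has to be group-readable. Assumes GNU stat.

# group_bits PATH -> prints the 3-character group field, e.g. "--x"
group_bits() {
    stat -c '%A' "$1" | cut -c5-7
}

# audit_path FILE -> one line per component; returns 0 when every
# component carries the minimal group bits, 1 otherwise.
audit_path() {
    target=$1
    rc=0
    comps=""
    dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        comps="$dir $comps"            # collect ancestors, root-first
        dir=$(dirname "$dir")
    done
    for d in $comps; do                # paths without spaces assumed
        g=$(group_bits "$d")
        case $g in
            ??[xs]) echo "ok   dir  $g $d" ;;
            *)      echo "MISS dir  $g $d  (group needs x)"; rc=1 ;;
        esac
    done
    g=$(group_bits "$target")
    case $g in
        r??) echo "ok   file $g $target" ;;
        *)   echo "MISS file $g $target  (group needs r)"; rc=1 ;;
    esac
    return $rc
}

# make_constructed_tree -> throwaway tree with dirs 710 and file 640;
# prints the tnsnames.ora path (constructed sample, not a real install).
make_constructed_tree() {
    base=$(mktemp -d)
    admin="$base/oracle/product/10.2.0/db_1/network/admin"
    mkdir -p "$admin"
    printf 'ORCL=(DESCRIPTION=(ADDRESS=(HOST=db)(PORT=1521)))\n' > "$admin/tnsnames.ora"
    find "$base" -type d -exec chmod 710 {} +
    chmod 640 "$admin/tnsnames.ora"
    echo "$admin/tnsnames.ora"
}
```

Run `audit_path "$(make_constructed_tree)"` to see the per-component report; point it at a real $TNS_ADMIN/tnsnames.ora to check what the apache user's group actually needs.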

Previous Comments:
------------------------------------------------------------------------

[2006-02-10 19:46:44] jnavratil at houston dot rr dot com

Do you really think that apache should be a member of the oracle group
to run php5_module with OCI8?  A friend, who has been a consultant with
Oracle for the last 10 years doesn't consider it kosher.  My client for
whom I am developing a PHP/Oracle application doesn't particularly like
the idea of a PHP script being able to execute any Oracle binary it likes.

Instant client is designed for accessing remote database servers.  It
may be the only way to provide the security needed.  I don't know but
now will have to learn it to find out.  Clearly OCI8 as currently
written is pretty useless for a production environment, at least if
Oracle and Apache are on the same server.

------------------------------------------------------------------------

[2006-02-10 18:21:13] [EMAIL PROTECTED]

OCI8 extension itself doesn't require any variables, access privileges
etc. Those requirements are set by oracle client libraries, so there is
nothing we can do about it.
And personally I don't consider giving read permissions to apache user
as dangerous.

But you can use Oracle Instant Client that requires neither
ORACLE_HOME (or any other variables) to be set nor read privileges
for any oracle directories.
See details here:
http://www.oracle.com/technology/tech/oci/instantclient/instantclient.html

No PHP bug -> bogus.

------------------------------------------------------------------------

[2006-02-10 18:14:46] jnavratil at houston dot rr dot com

ORACLE_HOME is definitely being set before httpd is started.  The
/etc/sysconfig/httpd script is sourced at the start of the httpd init
script (I also echoed $ORACLE_HOME to make sure).

PHP CLI does connect successfully and now I believe I know why...

The issue appears to be related to permissions and I am quickly getting
out of my depth.  When I run the PHP CLI test, I am running as 'oracle'
or in my developer account which, for convenience, is a member of the
'oinstall' group.  I added the 'oinstall' group to the 'apache' user (
usermod -Goinstall apache ) and was able to connect using the
php5_module under apache.  Obviously, giving apache this level of
access to the oracle installation is dangerous and shouldn't be
necessary.  It suggests that the development of the oci8 extension may
have been done with either a less secure Oracle installation or with an
account having more Oracle privilege than it should.

Would it be appropriate for the oci8 extension developers to look into
this security issue?

------------------------------------------------------------------------

[2006-02-10 17:26:32] [EMAIL PROTECTED]

Are you sure ORACLE_HOME is set *before you start* Apache?
Does PHP CLI work?

------------------------------------------------------------------------

[2006-02-10 17:15:34] jnavratil at houston dot rr dot com

ORACLE_HOME was set in /etc/sysconfig/httpd along with...

ORACLE_BASE=/opt/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1; export ORACLE_HOME
TNS_ADMIN=$ORACLE_BASE/product/10.2.0/db_1/network/admin; export TNS_ADMIN
PATH=$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

(As an aside, I experimented with these variables and *BELIEVE*
ORACLE_HOME was the only one necessary, but I was running the CLI
version)

ORACLE_HOME permissions are set to 755.

The patch to oci8.c consisted of adding...

 /* log the value with an explicit format string: getenv() output must not be
    used as the format, and it is NULL when ORACLE_HOME is unset */
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "ORACLE_HOME=%s",
                  getenv("ORACLE_HOME") ? getenv("ORACLE_HOME") : "(unset)");

... just below ...

 php_error_docref(NULL TSRMLS_CC, E_WARNING, PHP_OCI_INIT_FUNC_NAME "() failed. "
                  "There is something wrong with your system - please check that "
                  "ORACLE_HOME is set and points to the right directory");

... to report the actual value into the /var/log/httpd/error_log.  I
then remade and installed PHP5.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/36355
