
Improve setup process to detect 'open_basedir', 'date.timezone' and 'safe_mode'

problems

Summary: Detect more PHP misconfigurations in setup.
Test Plan: Broke my configuration, ran setup, it seemed to detect all the
problems and issue meaningful error messages.
Reviewed By: jungejason
Reviewers: hunterbridges, 10098, jungejason, tuomaspelkonen, aran
CC: aran, jungejason
Differential Revision: 717
epriestley 2011-07-24 11:59:16 -07:00
parent da8beefa6c
commit 26bca41828
2 changed files with 113 additions and 2 deletions


@ -31,6 +31,93 @@ class PhabricatorSetup {
self::write("This setup mode will guide you through setting up your ". self::write("This setup mode will guide you through setting up your ".
"Phabricator configuration.\n"); "Phabricator configuration.\n");
self::writeHeader("CORE CONFIGURATION");
// NOTE: Test this first since other tests depend on the ability to
// execute system commands and will fail if safe_mode is enabled.
$safe_mode = ini_get('safe_mode');
if ($safe_mode) {
self::writeFailure();
self::write(
"Setup failure! You have 'safe_mode' enabled. Phabricator will not ".
"run in safe mode, and it has been deprecated in PHP 5.3 and removed ".
"in PHP 5.4.\n");
return;
} else {
self::write(" okay PHP's deprecated 'safe_mode' is disabled.\n");
}
// NOTE: Also test this early since we can't include files from other
// libraries if this is set strictly.
$open_basedir = ini_get('open_basedir');
if ($open_basedir) {
// 'open_basedir' restricts which files we're allowed to access with
// file operations. This might be okay -- we don't need to write to
// arbitrary places in the filesystem -- but we need to access certain
// resources. This setting is unlikely to be providing any real measure
// of security so warn even if things look OK.
try {
phutil_require_module('phutil', 'utils');
$open_libphutil = true;
} catch (Exception $ex) {
$message = $ex->getMessage();
self::write("Unable to load modules from libphutil: {$message}\n");
$open_libphutil = false;
}
try {
phutil_require_module('arcanist', 'workflow/base');
$open_arcanist = true;
} catch (Exception $ex) {
$message = $ex->getMessage();
self::write("Unable to load modules from Arcanist: {$message}\n");
$open_arcanist = false;
}
$open_urandom = @fopen('/dev/urandom', 'r');
if (!$open_urandom) {
self::write("Unable to open /dev/urandom!\n");
}
try {
$tmp = new TempFile();
file_put_contents($tmp, '.');
$open_tmp = @fopen((string)$tmp, 'r');
} catch (Exception $ex) {
$message = $ex->getMessage();
$dir = sys_get_temp_dir();
self::write("Unable to open temp files from '{$dir}': {$message}\n");
$open_tmp = false;
}
if (!$open_urandom || !$open_tmp || !$open_libphutil || !$open_arcanist) {
self::writeFailure();
self::write(
"Setup failure! Your server is configured with 'open_basedir' in ".
"php.ini which prevents Phabricator from opening files it needs to ".
"access. Either make the setting more permissive or remove it. It ".
"is unlikely you derive significant security benefits from having ".
"this configured; files outside this directory can still be ".
"accessed through system command execution.");
return;
} else {
self::write(
"[WARN] You have an 'open_basedir' configured in your php.ini. ".
"Although the setting seems permissive enough that Phabricator ".
"will run properly, you may run into problems because of it. It is ".
"unlikely you gain much real security benefit from having it ".
"configured, because the application can still access files outside ".
"the 'open_basedir' by running system commands.\n");
}
} else {
self::write(" okay 'open_basedir' is not set.\n");
}
self::write("[OKAY] Core configuration OKAY.\n");
self::writeHeader("REQUIRED PHP EXTENSIONS"); self::writeHeader("REQUIRED PHP EXTENSIONS");
$extensions = array( $extensions = array(
'mysql', 'mysql',
@ -163,6 +250,22 @@ class PhabricatorSetup {
} }
} }
$timezone = nonempty(
PhabricatorEnv::getEnvConfig('phabricator.timezone'),
ini_get('date.timezone'));
if (!$timezone) {
self::writeFailure();
self::write(
"Setup failure! Your configuration fails to specify a server ".
"timezone. Either set 'date.timezone' in your php.ini or ".
"'phabricator.timezone' in your Phabricator configuration. See the ".
"PHP documentation for a list of supported timezones:\n\n".
"http://us.php.net/manual/en/timezones.php\n");
return;
} else {
self::write(" okay Timezone '{$timezone}' configured.\n");
}
self::write("[OKAY] Basic configuration OKAY\n"); self::write("[OKAY] Basic configuration OKAY\n");
@ -372,12 +475,19 @@ class PhabricatorSetup {
$local_key = 'storage.local-disk.path'; $local_key = 'storage.local-disk.path';
$local_path = PhabricatorEnv::getEnvConfig($local_key); $local_path = PhabricatorEnv::getEnvConfig($local_key);
if ($local_path) { if ($local_path) {
if (!Filesystem::pathExists($local_path) || !is_writable($local_path)) { if (!Filesystem::pathExists($local_path) ||
!is_readable($local_path) ||
!is_writable($local_path)) {
self::writeFailure(); self::writeFailure();
self::write( self::write(
"Setup failure! You have configured local disk storage but the ". "Setup failure! You have configured local disk storage but the ".
"path you specified ('{$local_path}') does not exist or is not ". "path you specified ('{$local_path}') does not exist or is not ".
"writable.\n"); "readable or writable.\n");
if ($open_basedir) {
self::write(
"You have an 'open_basedir' setting -- make sure Phabricator is ".
"allowed to open files in the local storage directory.\n");
}
return; return;
} else { } else {
self::write(" okay Local disk storage exists and is writable.\n"); self::write(" okay Local disk storage exists and is writable.\n");
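Review bot: In the first hunk's 'open_basedir' block, the temp-file probe can fail without printing any diagnostic: the `catch` only covers exceptions, while `file_put_contents()` and `@fopen((string)$tmp, 'r')` signal failure by returning false, so the admin sees only the generic failure text. Adding `if (!$open_tmp) { self::write("Unable to open temp file for reading!\n"); }` right after the `fopen` would match the '/dev/urandom' probe, and both probe handles (`$open_urandom`, `$open_tmp`) could be closed with `fclose()` once the result is known. The failure string ending in "system command execution." is also the only message in this section without a trailing `\n`. Separately, both 'open_basedir' messages tell admins the setting brings little security benefit; that reasoning assumes an attacker who can already run commands, whereas the setting still narrows file-read and include bugs that stop short of that, so the text would be safer recommending a wider setting than removal. The enclosing method starts and ends outside these hunks.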


@ -13,6 +13,7 @@ phutil_require_module('phabricator', 'storage/connection/mysql');
phutil_require_module('phabricator', 'storage/queryfx'); phutil_require_module('phabricator', 'storage/queryfx');
phutil_require_module('phutil', 'filesystem'); phutil_require_module('phutil', 'filesystem');
phutil_require_module('phutil', 'filesystem/tempfile');
phutil_require_module('phutil', 'future/exec'); phutil_require_module('phutil', 'future/exec');
phutil_require_module('phutil', 'moduleutils'); phutil_require_module('phutil', 'moduleutils');
phutil_require_module('phutil', 'parser/uri'); phutil_require_module('phutil', 'parser/uri');