Topic: SME 5.1.2 and phpSysInfo

[Timothee]

Hi,

Some of my friends updated their server from SME 5 to SME 5.1.2 but now phpsysinfo doens't display the information properly

Does anyone know how this can be? What is changed to php in the newest SME release?

TIA,

Timothée

[Luke Drumm]

It's due to the new security features found in PHP v4.
You can find instructions on how to disable it at:
http://forums.contribs.org/index.php?topic=12706.msg47725#msg47725

Regards,
Luke

[Timothee]

Thanks, I'll give it a try!

Timothée

[Chaloner Hale]

It works just fine in primary, but does not work in ibays.

Chaloner Hale

[Timothee]

And that's exactly what I don't understand...I cannot call this a nice feature that php doesn't work well in ibays...I use the primary ibay, but also a lot of extra ibays with php content.

[Rich Lafferty]

The primary iBay is intended to be the server's main website,
while other ibays are intended to be, well, ibays -- file
storage areas and websites for groups of users. That's why PHP
behaves differently in them.

Essentially, the previous PHP configuration was a security
breach waiting to happen -- any PHP program put into a
PHP-enabled ibay by a user had read access to anything
the webserver could read, including ibays that that user
didn't have permission to read. To tighten up security
meant futzing with the PHP configuration.

Since our target end-users are not experienced system
administrators, 5.1.2 ships with a more secure PHP configuration
on ibays by default, and requires that one explicitly
*let* a program access the rest of the filesystem, rather
than forcing one to *forbid* it. In other words, it works
better out of the box now, and for the more complex cases
which involve installing software by hand one must also
tweak the PHP configuration by hand.

Cheers,

--Rich

[Timothee]

Well Rich,

I fully agree with you about the security risks of the previous php config and about the fact that your target end-users are not experienced system administrators.

I don't agree with this: "In other words, it works
better out of the box now,"

That should be: "In other words, it is safer now out of the box"

I cannot call it better when I upgrade and my CMS or phpforum don't work anymore without modding the configuration. I use the ibays for subdomains/virtual domains, so my forum is in an optional ibay linked by a subdomain (pretty easy and pretty simple and not that weird I guess).

I'm not sure if you reported this change anywhere (I still didn't read the new manual of SME 5.1.2), but I think it would be worth to do so because a lot of, particularly, home users don't know what happens to them when something doesn't work after a simple upgrade.
You then think that there went something wrong with upgrading and maybe going to try a lot of stupid things and end up with a real mess.

But...I already heard of those who had this phpsysinfo problem that it works after following the instructions Luke Drumm pointed us to, so problem solved I would say

Regards,

Timothée

[Mathieu Paonessa]

Here is the answert I got from bugs@e-smith.org:

--------------------
Hi Mathieu,

On Thu, 31 Jan 2002 23:31:33 -0500
"Mathieu Paonessa" wrote:

> Hi,
>
> It looks like there's a bug on php inside ibays:
> If I put "execution of dynamic content = enabled" on the manager, my
> php scripts (phpSysInfo for example) don't work but if I execute the
> same scripts on "primary", they work.


  Unfortunetly your report does not contain any specific evidence which
  suggests that there is, in fact, a problem.
 
  Mitel offers 24x7 technical support with SME Server to Mitel
  Networks Authorized Partners and supported customers. If wish you
  would like to purchase SME Server with ServiceLink, please contact
  your local Mitel Networks SME Server Authorized Partner; our
  partners are listed at
   
     http://www.e-smith.com/partner
 
  If you would prefer to use the free, open-source SME Server, we
  provide peer-support bulletin boards at
 
     http://www.e-smith.org/bboard/
 
  Someone there may have already asked your question; if not, you can
  post it and other SME Server users may be able to answer.  We also
  recommend reviewing the online manual and Frequently Asked Questions
  (FAQs) pages before posting to the bulletin boards.
 
     http://www.e-smith.org/faq/
     http://www.e-smith.org/docs/manual/

Regards,


--
Chris Houle                        chris_houle@mitel.com
Mitel Networks Corporation         http://www.mitel.com
Network Server Solutions Group     http://www.e-smith.com
Toll Free (North America) +1 888 ESMITH 1


------------------------

Can you believe that it took them 1 week to answer me with a stupid generic message?

Mathieu

[Timothee]

Seems they hide something...they know very well what has changed, so why isn't it told to you?? Simply because you have to pay for support or have to take a look at this forum. Not very friendly I think...I guess it was not very hard to give you an answer as "yes there are some php configuration changes in the newest SME release, but please search the support forum for more info about this issue"..that would be far more fair to you and to us users in general.

When I enable dynamic content in an ibay, I suspect it to work without having to change anything else. Or it has to be mentioned in the manual, then I know what this "problem" causes....so this whole issue is more about incomplete information-supply to us customers instead of a bug in SME.

P.S. No flame intended

[Rich Lafferty]

If we're hiding it, we're not doing very well, since I just
explained the change to you. In Mathieu's case, the support
representative *didn't* know what had changed. As in any organization, the people answering support mail are not the
people making development decisions for the software, and
absent mindreading techniques, information doesn't always
filter down in time.

The change was accidentally omitted from the users' guide, and
we were unaware of that omission until Mathieu submitted
a report to bugs@e-smith.com (which, by the way, is where
all reports of bugs with the software should go; we're
sure to read it there, but we may not find it on the forums.)

If you prefer to think of it as a conspiracy to prevent you
from getting your work done, you're welcome to do so, I
suppose, although I'm not sure what benefit it brings. You
know that the behavior has changed, why it has changed,
and how to restore the behavior you expect, so I really
can't understand what more is needed.

I noticed you say you are a customer of ours; I'd
encourage you in future to use the support channel provided
to you in your contract with us or with your Authorized
Partner in order to ensure timely support. We make no
guarantee that Mitel representatives will see your post
on these forums.

> P.S. No flame intended

If you had intended to be constructive, I'm afraid I've
entirely missed your point.

--Rich

[Rob Hillis]

Timothee wrote:

> Seems they hide something...they know very well what has
> changed, so why isn't it told to you?? Simply because you
> have to pay for support or have to take a look at this forum.
> Not very friendly I think...I guess it was not very hard to
> give you an answer as "yes there are some php configuration
> changes in the newest SME release, but please search the
> support forum for more info about this issue"..that would be
> far more fair to you and to us users in general.

To be fair to Mitel, it was not exactly a very comprehensive bug report.  It did not include specific error messages that
were being received, nor did it say what steps (other than moving it to the primary site) were taken to try to pinpoint
the problem.

I've submitted several bug reports to Mitel in the past and when I've done more than say "there's a problem" I've never
had a problem in getting assistance from them in order to find and squash the bug.

> When I enable dynamic content in an ibay, I suspect it to
> work without having to change anything else. Or it has to be
> mentioned in the manual, then I know what this "problem"
> causes....so this whole issue is more about incomplete
> information-supply to us customers instead of a bug in SME.

If the PHP script is well written and does not attempt alter or access things outside it's own space, then PHP inside
ibays work just fine.  I run a PHP powered site that generates dog pedigrees from a MySQL database that works just fine
under the new configuration without alteration, as does myPHPAdmin.

I'm all for Mitel trying to close as many security holes as possible.  Sometimes this will result in unintentionally
breaking badly written scripts (or scripts which attempt to retrieve system information) but that's the price of
security.

[Timothee]

The script I use is written correctly, but it is a CMS system that changes information from my primary website in the primary ibay, that's why I got a problem with this new configuration.

And Rich, It really wasn't my intention to flame...I was only a little bit irritated by this configuration change which wasn't mentioned in the manual and the release notes...I know I can find every solution here or in the dev info list, but always want to try it myself
But...nevermind...the problem is fixed and I think it isn't worth our time to discuss this further.

Regards,

Timothée