System Advancements at the Monastery

PHP as a Module

Apr 21st, 2008 by John Gerber

“You don’t get harmony when everybody sings the same note.” — Doug Floyd

In the previous post, “PHP Implementation” we outlined three ways to implement PHP. In this first post, we will examine PHP as an Apache module. When PHP is used as a module, it inherits Apache’s user permissions. PHP basically is operating from within your web server. It starts only once, with the Apache server, loads its settings and extensions only once, and information is stored across sessions. The main advantage is speed.

The configuration, at minimum, will require letting PHP know where the Apache’s apxs tool resides. The apxs tool is a “tool for building and installing extension modules for the Apache HyperText Transfer Protocol (HTTP) server.” In other words, it is the interface between Apache and third-party modules.

For Mac OS X Leopard users, Leopard’s libtool creates php.dSYM instead of the php binary. Gcc calls dsymutil when it creates an executable directly from a source file with debugging enabled so the debugging information will be available. So, under normal libtool operations, .dSYM should only occurs if the object file (php) is temporary. Really old autoconfs fail to detect the correct exe extension and instead of ” set it to ‘.dSYM’. Not really sure what is going on with Leopard, since autoconf is up to date, but I do have a solution. Compile with the CFLAGS set it “-O2.” By doing so, you are not having the compiler turn on the -finline-functions, -funit-at-a-time and -frename-registers options. See GCC Command Options document section “4.10. Options That Control Optimization” for additional details on optimization options. Not sure why Leopard does not behave with higher optimization, but sometimes you have to do what works.

 /usr/local/src root# cd php-5.2.5
 /usr/local/src/php-5.2.5 root#  CC=gcc CFLAGS="-O2" ./configure --with-apxs2=/usr/local/apache/bin/apxs \
--prefix=/usr/local/apache/php

Before doing any installation, we need to modify the Apache configuration file to load PHP. Do this be adding the following lines to the /usr/local/apache/conf/httpd.conf file:

# Load the PHP module
LoadModule php5_module        modules/libphp5.so
# Associate file extensions with PHP
AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .php3
AddHandler application/x-httpd-php .inc
AddHandler application/x-httpd-php .class
AddHandler application/x-httpd-php .module
#
DirectoryIndex index.html index.php

At this point, you are ready to make and install PHP. First, you will need to change the permission of the Apache instdso.sh since we were pretty restrictive of permissions in our Apache installation. After installing PHP, we will want to place a version of php.ini in /usr/local/apache/php/lib.

 /usr/local/src/php-5.2.5 root# chmod u+x  /usr/local/apache/build/instdso.sh
 /usr/local/src/php-5.2.5 root# make
 /usr/local/src/php-5.2.5 root# make install
 /usr/local/src/php-5.2.5 root# cp php.ini-recommended /usr/local/apache/php/lib/php.ini
 /usr/local/src/php-5.2.5 root# /usr/local/apache/bin/apachectl configtest

As with Apache, PHP has modules. In PHP documents frequently modules are called functions. Some functions can be considered dangerous and may be disabled. Examine which functions are compiled into PHP. Below is a table of functions that will be compiled in by default:

Module	Description
ctype	Character Type Functions
date	Date and Time
dom	DOM Extension
filter	Filter Functions
hash	hash Functions
iconv	Character set conversion module using IConv
json	JSON Functions
libxml
pcre	Perl compatible regular expression library
PDO	The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP
pdo_sqlite	PDO_SQLITE is a driver that implements the PHP Data Objects (PDO) interface to enable access to SQLite 3 databases
posix	Module for accessing POSIX system interface
Reflection	An object-oriented extension to the Zend Engine
session	HTTP session support
SimpleXML	Provides a very simple and easily usable toolset to convert XML to an object that can be processed with normal property selectors and array iterators
SPL	Standard PHP Library (SPL)
SQLite	Extension for the SQLite Embeddable SQL Database Engine
standard	A collection of interfaces and classes that are meant to solve standard problems
tokenizer	Tokenizer module
xml	Extensible Markup Language (XML) parser module
xmlreader	XML Pull parser
xmlwriter	Wraps the libxml xmlWriter API

The posix function may be used for reconnaissance exploits. If it is not required, you should disable it. For later work, we require it and will leave it enabled. For those wishing to disable it, do so through the use of the “–disable-posix” option to configure. The important point is to know what is required and choose both functions and configuration options accordingly. Do not enable everything because you may need it at some point. This is the incorrect thinking that many software packages, and operating systems, fall into. The more code, the more possible vulnerabilities that can be exploited.

We will be building on this implementation of PHP. We have several future requirements:

Module	Description
gd	GD library of image functions
mysql	Functions allow you to access MySQL database servers
sockets	Extension implements a low-level interface to the socket communication functions based on the popular BSD sockets, providing the possibility to act as a socket server as well as a client
zlib	Enables you to transparently read and write gzip (.gz) compressed files, through versions of most of the filesystem functions which work with gzip-compressed files (and uncompressed files, too, but not with sockets)

We add that functionality with the following configuration options:

–with-gd option will enable PHP to create and manipulate image files with the support of the GD library.
–with-mysql option will enable PHP access MySQL database servers.
–enable-sockets option enable socket functions.
–with-zlib option will enable the use of compression libraries.

Note: Versions of GD older than gd-1.6 support GIF format images, and do not support PNG. Version of GD greater than gd-1.6 and less than gd-2.0.28 support PNG, but not GIF. GIF support was re-enabled in gd-2.0.28. If you get complaints about graphic libraries missing, it is likely due to the version of GD installed.

Look at the modules/functions installed by default with PHP.

 /usr/local/src/php-5.2.5 root# /usr/local/apache/php/bin/php -m
[PHP Modules]
ctype
date
dom
filter
hash
iconv
json
libxml
pcre
PDO
pdo_sqlite
posix
Reflection
session
SimpleXML
SPL
SQLite
standard
tokenizer
xml
xmlreader
xmlwriter
[Zend Modules]

In the previous post, “Introduction to MySQL” MySQL was setup under the /usr/local/mysql directory. This directory will be used in this configuration to add MySQL support to PHP.

If you are compiling under Mac OS X, you should be familiar MacPorts (see posting “MacPorts Under Mac OS X Leopard“). Make sure the required libraries libjpeg, libpng, gd, and zlib are installed. The configuration of PHP requires the locations of these libraries be specified. All these libraries will be located under /opt/local.

There is an issue with Leopards iconv.h file (/usr/include/iconv.h) that can cause the error message “Undefined symbols” as the compiler complains about “_iconv_close, referenced from: _php_iconv_string in iconv.o.” This is caused by multiple iconv.h files on the system. Try moving the Leopard version of the iconv.h file and then linking it to the Macports version.

 /usr/local/src/php-5.2.5 root# mv /usr/include/iconv.h \
/usr/include/iconv.h.leo_orig
 /usr/local/src/php-5.2.5 root# ln -s /opt/local/include/iconv.h \
/usr/include/iconv.h
 /usr/local/src/php-5.2.5 root# make clean
 /usr/local/src/php-5.2.5 root# CC=gcc CFLAGS="-O2 -fno-omit-frame-pointer" \
CXX=gcc CXXFLAGS="-O2 -fno-omit-frame-pointer -felide-constructors \
-fno-exceptions -fno-rtti" ./configure --with-apxs2=/usr/local/apache/bin/apxs \
--prefix=/usr/local/apache/php --enable-sockets --with-gd --with-mysql=/usr/local/mysql \
--with-zlib-dir=/opt/local --with-jpeg-dir=/opt/local --with-png-dir=/opt/local
 /usr/local/src/php-5.2.5 root# make
 /usr/local/src/php-5.2.5 root# make test
 /usr/local/src/php-5.2.5 root# make install

Under Linux, these libraries will be installed as RPMs under the /usr area. The configuration would be slightly different:

 /usr/local/src/php-5.2.5 root# make clean
 /usr/local/src/php-5.2.5 root# CC=gcc CFLAGS="-O3 -fno-omit-frame-pointer" \
CXX=gcc CXXFLAGS="-O3 -fno-omit-frame-pointer -felide-constructors \
-fno-exceptions -fno-rtti" ./configure --with-apxs2=/usr/local/apache/bin/apxs \
--prefix=/usr/local/apache/php --enable-sockets --with-gd --with-mysql=/usr/local/mysql \
--with-zlib-dir=/usr --with-jpeg-dir=/usr --with-png-dir=/usr
 /usr/local/src/php-5.2.5 root# make
 /usr/local/src/php-5.2.5 root# make test
 /usr/local/src/php-5.2.5 root# make install

Copy the PHP configuration file to the expected location and test the Apache configuration file.

 /usr/local/src/php-5.2.5 root# cp php.ini-recommended /usr/local/apache/php/lib/php.ini
 /usr/local/src/php-5.2.5 root# /usr/local/apache/bin/apachectl configtest
 /usr/local/src/php-5.2.5 root# /usr/local/apache/bin/apachectl start

To test if it worked, create a file /var/www/htdocs/index.php containing the lines:

< ?php
phpinfo();
?>

Access the index.php file through your web browser by going to “http://127.0.0.1/index.php” and you should see a bunch of information concerning your PHP setup. Remove the file.

 /usr/local/src/php-5.2.5 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/php-5.2.5 root# /bin/rm /var/www/htdocs/index.php

The Apache server can now serve up PHP files. Remember, PHP is running with the same file permission as the Apache server. Some important changes need to be made to the php.ini file. Please see the posting, “PHP Configuration Modifications.”