open_basedir用于php作为FastCGI运行 - open_basedir for php running as FastCGI

我已经安装了Apache和php作为fastcgi模块

root@company# apt-get install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi
root@company# dpkg-query -l '*apache2*' 
Desired=Unknown/Install/Remove/Purge/Hold 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend 
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) 
||/ Name                           Version                        Description 
+++-==============================-==============================-============================================================================ 
ii  apache2              2.2.20-1ubuntu1.2         Apache HTTP Server metapackage 
ii  apache2-mpm-worker   2.2.20-1ubuntu1.2         Apache HTTP Server - high speed threaded model 
ii  apache2-suexec       2.2.20-1ubuntu1.2  Standard suexec program for Apache 2 mod_suexec 
ii  apache2-utils        2.2.20-1ubuntu1.2         utility programs for webservers 
ii  apache2.2-bin        2.2.20-1ubuntu1.2         Apache HTTP Server common binary files 
ii  apache2.2-common     2.2.20-1ubuntu1.2         Apache HTTP Server common files 
ii  libapache2-mod-fcgid 1:2.3.6-1+squeeze1build0.11.10 an alternative module compat with mod_fastcgi 
root@company# dpkg-query -l '*php*' 
Desired=Unknown/Install/Remove/Purge/Hold 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend 
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) 
||/ Name                              Version                           Description 
+++-=================================-=================================-================================================================================== 
un  php-pear                    <none>                         (no description available) 
ii  php5-cgi  5.3.6-13ubuntu3.7  server-side, HTML-embedded scripting language (CGI binary) 
ii  php5-common     5.3.6-13ubuntu3.7  Common files for packages built from the php5 source 
un  php5-json                  <none>                            (no description available) 
un  php5-mhash                 <none>                            (no description available) 
un  php5-suhosin               <none>                            (no description available) 
un  phpapi-20090626            <none>                            (no description available) 
root@company# dpkg-query -l '*fcgi*' 
Desired=Unknown/Install/Remove/Purge/Hold 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend 
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) 
||/ Name                              Version                           Description 
+++-=================================-=================================-================================================================================== 
ii  libapache2-mod-fcgid 1:2.3.6-1+squeeze1build0.11.10.1  an alternative module compat with mod_fastcgi

现在，我意识到我不能在我的虚拟主机中使用这个命令:

php_admin_value open_basedir "/var/www/users/test"

典型的虚拟主机文件:

<VirtualHost *:80>
 ServerName test
 ServerAlias test
 ServerAdmin webmaster@test.com
 DocumentRoot /var/www/users/test/public_html/
<IfModule mod_fcgid.c>
 SuexecUserGroup test test
 <Directory /var/www/users/test/public_html/>
 Options +ExecCGI
 Options -Indexes
 AllowOverride None
 AddHandler fcgid-script .php
 FCGIWrapper /var/www/system/test/php-fcgi-starter .php
 Order allow,deny
 Allow from all
 </Directory>
</IfModule>
 # ErrorLog /var/log/apache2/error.log
 # CustomLog /var/log/apache2/access.log combined
 ServerSignature Off
</VirtualHost>

1)关于如何启用open_basedir并允许我的用户更改我在其家中定义的php.ini(例如/var/www/users/test)的任何想法。用户不应该修改我的值，即使他试图编辑php.ini。

这可能吗?或者，我应该忘记所有用户对php.ini的用户访问权限，并一次性更改他的php.ini(我可以通过简单地重新定位它来做到这一点——您知道，在这样的设置中有一个fcgid包装器脚本)

2)如果有人能给我一些重定向所有请求的Apache2指令，我将不胜感激:

http://www.test.com/a/new/post

到这个内部:

http://www.test.com/index.php?a/new/post

下面的命令不起作用——应该给出一些参数:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]

(不，我不想允许。htaccess文件，因为速度的原因)

谢谢!

对问题(2)的评论:我注意到<Directory>节中的这个指令实现了我需要的:

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ index.php?$1 [NC,L,QSA]

但是在

显示PHP图像时表现得很奇怪

<?php
phpinfo();
?>

此图像在回显文件中的链接为

<img border="0" src="/info.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" />

任何想法?

与问题(2)相关:看起来这些指令真的很神奇(见里面和后面的注释)

<VirtualHost *:80>
 ServerName test
 ServerAlias test
 ServerAdmin webmaster@test.com
 DocumentRoot /var/www/users/test/public_html/
 #the next line should be removed in production
 RewriteLog /var/www/users/test/public_html/rewrite.log
 RewriteLogLevel 9
<IfModule mod_fcgid.c>
 SuexecUserGroup test test
 <Directory /var/www/users/test/public_html/>
 Options +ExecCGI
 Options -Indexes
 AllowOverride None
 AddHandler fcgid-script .php
 FCGIWrapper /var/www/system/test/php-fcgi-starter .php
 Order allow,deny
 Allow from all
 RewriteEngine On
 #next line introduces some behavior, see comment (1)
 #RewriteBase /
 #redirect non-existent files or, redirect existent
 #files with the execute bit set, see comment (2)
 RewriteCond %{REQUEST_FILENAME} !-f [OR]
 RewriteCond %{REQUEST_FILENAME} -x
 #under the above dir ("/var/www/users/test/public_html/")
 #there is a "php/tests/testApache.php" that catches all requests
 #for non-existent files or for executables,
 #L=last, NC=case-insensitive, NE=no hexcode escaping of the request uri
 #QSA=append query string from the original request uri to the resulted string
 RewriteRule ^/?(.*)$ php/tests/testApache.php?$1 [NC,NE,L,QSA]
 </Directory>
</IfModule>
 #the next 2 lines should be removed in production
 ErrorLog /var/www/users/test/public_html/error.log
 CustomLog /var/www/users/test/public_html/access.log combined
 ServerSignature Off
</VirtualHost>

注释(1):通过调查我们的"rewrite.log"文件，我们在删除时间，sid, rid字段后看到了这些差异

root@localhost# diff 1.txt 2.txt
8,10c8
< 127.0.0.1 - - [22/Mar/2013: +0200] [test/sid#][rid#/initial] (2) [perdir /var/www/users/test/public_html/] trying to replace prefix 
/var/www/users/test/public_html/ with /
< 127.0.0.1 - - [22/Mar/2013: +0200] [test/sid#][rid#/initial] (5) strip matching prefix: /var/www/users/test/public_html/php/tests/te
stApache.php -> php/tests/testApache.php
< 127.0.0.1 - - [22/Mar/2013: +0200] [test/sid#][rid#/initial] (4) add subst prefix: php/tests/testApache.php -> /php/tests/testApache
.php
---
> 127.0.0.1 - - [22/Mar/2013: +0200] [test/sid#][rid#/initial] (2) [perdir /var/www/users/test/public_html/] strip document_root prefi
x: /var/www/users/test/public_html/php/tests/testApache.php -> /php/tests/testApache.php

左侧部分(1.txt)在虚拟主机中带有RewriteBase /。

comment (2):通过重定向不存在的文件，我们所有的图像，.css， .js， .htm*文件工作，只要资源的路径与文档根(在这些虚拟主机是"/var/www/users/test/public_html/")比较。因此，测试图像写入:

echo '<img src="/wallpaper-10.jpg" alt="Christmas">';

，它位于"/var/www/users/test/public_html/wallpaper-10.jpg"。

仍在等待问题(1)…