Magento Forum

   
Time to ditch PEAR? 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

I’ve posted a thread here:

http://www.magentocommerce.com/boards/viewthread/17951/

It explains why we may want to ditch PEAR once and for all.

Anybody second this notion?

 
Magento Community Magento Community
Magento Community
Magento Community
 
Sindre|ProperHost
Mentor
 
Total Posts:  1155
Joined:  2008-04-24
 

While the PEAR downloader certainly is convenient, it does cause problems if Apache is configured to use suPHP. By editing the directives in /etc/suphp.conf you can prevent the Internal 500 Error from appearing, but then again that leaves your files at risk (world-writable).

These are the values that must be edited:

allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

PS: I would not recommend setting these values to true as it defeats the purpose of suPHP. At least, be careful with the *others* permissions.
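
The four directives above correspond to the group and others write bits on files and directories. As an added example (not part of the original post, nor code from suPHP or Magento), the shell function below lists every path under a tree that would only be accepted with one of those directives set to true. The sample tree and its file names are constructed, and auditing the whole tree rather than a single requested script is a simplifying assumption.

```shell
#!/bin/sh
# Added example: find paths whose mode bits would require one of the four
# suphp.conf allow_* directives to be switched to true.

# suphp_audit ROOT -> prints "<directive> <path>" for each offending path.
# The body runs in a subshell so its variables stay local in plain POSIX sh.
suphp_audit() (
    root=$1
    while read -r type bit directive; do
        # -perm -BIT matches when that write bit is set, whatever else is set
        find "$root" -type "$type" -perm "-$bit" -print | sed "s|^|$directive |"
    done <<'EOF'
f 020 allow_file_group_writeable
f 002 allow_file_others_writeable
d 020 allow_directory_group_writeable
d 002 allow_directory_others_writeable
EOF
)

# make_sample_tree -> builds a constructed tree in a temp dir, prints its path.
make_sample_tree() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/lib" "$t/media" "$t/var"
    : > "$t/index.php"; : > "$t/lib/config.php"; : > "$t/media/img.php"
    chmod 755 "$t" "$t/lib"
    chmod 644 "$t/index.php"       # owner-write only: nothing to report
    chmod 664 "$t/lib/config.php"  # group-writable file
    chmod 666 "$t/media/img.php"   # group- and world-writable file
    chmod 777 "$t/media"           # group- and world-writable directory
    chmod 775 "$t/var"             # group-writable directory
    printf '%s\n' "$t"
)

# Stand-alone run: audit the constructed tree, then remove it.
sample=$(make_sample_tree)
suphp_audit "$sample"
rm -rf "$sample"
```

An empty result means the tree works with all four directives left at false; each reported line names the directive that would otherwise have to be loosened.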

 
 
Crucial
Enthusiast
 
Total Posts:  770
Joined:  2007-11-07
Phoenix, AZ
 

@SH:

Do you run suPHP? I’m thinking back to the conversation we had yesterday (or maybe it was the day before) about Magento Connect and PEAR, and you mentioned the downloader would change all of your permissions. If the above post is true and you’re running suPHP, that would explain things, and really only point out two flaws in Magento Connect:

1. If you’re using suPHP, you will have permissions issues (does this apply to using SSH to upgrade, or only the web-based interface?)

2. If you’re in a non-suEXEC environment (e.g. PHP as an Apache module), you cannot use the web-based interface to upgrade Magento, but need to use SSH instead.

And if the above is true about you running suPHP, then I can see your point about at least the programmers doing a check to see what kind of environment they are in (inthewoods actually has a script to fix this), and if it happens to be suPHP, to do something different in regards to the permissions.

Alas, it seems the more ways we can run PHP, the harder it is for developers and the more issues that arise. It’s like what different browsers are to designers ;)

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1155
Joined:  2008-04-24
 
Crucial - 19 September 2008 07:31 PM

@SH:

Do you run suPHP? I’m thinking back to the conversation we had yesterday (or maybe it was the day before) about Magento Connect and PEAR, and you mentioned the downloader would change all of your permissions. If the above post is true and you’re running suPHP, that would explain things, and really only point out two flaws in Magento Connect:

1. If you’re using suPHP, you will have permissions issues (does this apply to using SSH to upgrade, or only the web-based interface?)

I believe it only affects Magento Connect (the web interface). If you are using SSH, the web server would not need write permissions to the Magento folders/files.

Crucial - 19 September 2008 07:31 PM

@SH:
2. If you’re in a non-suEXEC environment (e.g. PHP as an Apache module), you cannot use the web-based interface to upgrade Magento, but need to use SSH instead.

And if the above is true about you running suPHP, then I can see your point about at least the programmers doing a check to see what kind of environment they are in (inthewoods actually has a script to fix this), and if it happens to be suPHP, to do something different in regards to the permissions.

This is not true. You can use the web-based interface if you are running mod_php. However, the files would need to be world-writable. The important thing is which user runs Apache and who is the owner of your files.

In a non-suPHP environment, Apache runs under ‘nobody’ and, obviously, you should own your own files. Hence, for any script to be able to write to file, it would need to be world-writable.

In suPHP the web server runs as the account owner, and only User/owner write permissions are required.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

This is not true. You can use the web-based interface if you are running mod_php. However, the files would need to be world-writable. The important thing is which user runs Apache and who is the owner of your files.

@sindre
And that is a security hazard.

What it all comes down to is that Magento will just not suffice to work the same universally in all types of hosting platforms, just like what Crucial said about CSS showing differently in all different types of browsers… good analogy btw =)

And no, I do not run suPHP, it was a pain in the butt and so we had to come out with a modified suExec/suPHP environment residing in a chrooted setting. So all is fine over here but I’m just worried about the rest of the folks who keep flooding the Installation boards about their stack of problems with their hosting about installing and upgrading Magento.

Case in point is mod_php. It was just fundamentally structured with poor security from the start. Whenever you have a script that runs as ‘apache’, you just have a big security hole at your hands. Good thing is mod_php is now fading away slowly but surely. But it is still the most widely used setting in the market right now.

I think I bring this up not for our company (and all other companies that use suExec), but for all those other companies running mod_php in general. I can only imagine what one can do to cause havoc on their systems. I guess it’d be fun like watching fireworks but then again I do not want the image of Magento to go down as well *if* it strikes.

 
 
Crucial
Enthusiast
 
Total Posts:  770
Joined:  2007-11-07
Phoenix, AZ
 
Sindre|ProperHost - 19 September 2008 10:16 PM

This is not true. You can use the web-based interface if you are running mod_php. However, the files would need to be world-writable. The important thing is which user runs Apache and who is the owner of your files.

In a non-suPHP environment, Apache runs under ‘nobody’ and, obviously, you should own your own files. Hence, for any script to be able to write to file, it would need to be world-writable.

I don’t believe that’s true. We have a mix of PHP environments, some run in mod_php, some run as FastCGI. The ones in the DSO environment that try to upgrade submit tickets regarding this very thing, that after they upgrade, it tells them it’s been upgraded, but the versions don’t change. When I go in to look, it’s always a partial upgrade (regardless of the permissions). As soon as I run the upgrade command from SSH, it works fully.

SimpleHelix.com - 20 September 2008 12:50 AM

Case in point is mod_php. It was just fundamentally structured with poor security from the start. Whenever you have a script that runs as ‘apache’, you just have a big security hole at your hands. Good thing is mod_php is now fading away slowly but surely. But it is still the most widely used setting in the market right now.

I think that’s true for shared hosting, but if I were on a dedicated server, I would still be using mod_php because of its performance benefits. Look at it this way, mod_php is about 25-30% faster than suPHP is. When you start talking about an application like Magento, and adding additional server tweaks (MySQL query cache, opcode caching, mod_deflate, etc., etc.) that’s a very important factor.

At that level (dedicated), you can sacrifice the convenience and security for speed, because you’ve already eliminated a lot of potential security risks by removing the other users on the machine.

misteroriginal - 20 September 2008 04:39 AM

I can only imagine what one can do to cause havoc on their systems.

Yeah, it’s not the ideal solution for a shared environment, that’s for sure. My point still stands regarding someone in a dedicated environment.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

So..... *sigh*.... we need a solution, and possibly the sooner the better.

We can have a fully compatible “install/upgrade” that would work on all types of hosting platforms if we were to just use something like FTP.

We don’t need to get rid of PEAR, but we can have FTP as the main method of file transfer in the Magento Downloader, for those who use it to install Magento.

And I guess what it all comes down to is, I just want to know if this is possible or even recommended by the guys at Varien. There probably might be a good reason for why they chose PEAR instead of FTP but I don’t know if they thought about the compatibility problems they would have that we just discussed above. Any official word on this would be very appreciated.

 
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

Not only that but we need a way to manually install extensions. Auto-installing extensions is bad practice because extensions can conflict with each other. Is there a way to download extensions (as in a .zip or .tar file)? Or is Magento Connect the only way?

 
 
lisali
Enthusiast
 
Total Posts:  888
Joined:  2008-04-28
London, UK
 

Another vote to ditch PEAR!

 