
Linux Enterprise Sci-Fi: Scripts &... (Spanish Edition)

Published by Esteban Herrera, 2017-01-01 03:37:21

Description: With Linux Enterprise Sci-Fi you will learn, step by step, how to design and build a company's cloud technology infrastructure with Linux servers from scratch

Keywords: debian,gnu,linux,ha,servers


#}
#}
#}

##
## Dictionary server settings
##

# Dictionary can be used by some plugins to store key=value lists.
# Currently this is only used by dict quota backend. The dictionary can be
# used either directly or though a dictionary server. The following dict block
# maps dictionary names to URIs when the server is used. These can then be
# referenced using URIs in format "proxy:<name>".

dict {
  #quota = mysql:/etc/dovecot-dict-quota.conf
}

##
## Plugin settings
##

plugin {
  # Here you can give some extra environment variables to mail processes.
  # This is mostly meant for passing parameters to plugins. %variable
  # expansion is done for all values.

  # Quota plugin. Multiple backends are supported:
  #   dirsize: Find and sum all the files found from mail directory.
  #            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
  #   dict: Keep quota stored in dictionary (eg. SQL)
  #   maildir: Maildir++ quota
  #   fs: Read-only support for filesystem quota
  #quota = maildir

  quota = maildir:storage=1000000:messages=1000

  # ACL plugin. vfile backend reads ACLs from "dovecot-acl" file from maildir
  # directory. You can also optionally give a global ACL directory path where
  # ACLs are applied to all users' mailboxes. The global ACL directory contains
  # one file for each mailbox, eg. INBOX or sub.mailbox.
  #acl = vfile:/etc/dovecot-acls

  # Convert plugin. If set, specifies the source storage path which is
  # converted to destination storage (mail_location) when the user logs in.
  # The existing mail directory is renamed to <dir>-converted.
  #convert_mail = mbox:%h/mail
  # Skip mailboxes which we can't open successfully instead of aborting.
  #convert_skip_broken_mailboxes = no

  # Trash plugin. When saving a message would make user go over quota, this
  # plugin automatically deletes the oldest mails from configured mailboxes
  # until the message can be saved within quota limits. The configuration file
  # is a text file where each line is in format: <priority> <mailbox name>
  # Mails are first deleted in lowest -> highest priority number order
  #trash = /etc/dovecot-trash.conf

  # Lazy expunge plugin. Currently works only with maildirs. When a user
  # expunges mails, the mails are moved to a mailbox in another namespace
  # (1st). When a mailbox is deleted, the mailbox is moved to another namespace
  # (2nd) as well. Also if the deleted mailbox had any expunged messages,

  # they're moved to a 3rd namespace. The mails won't be counted in quota,
  # and they're not deleted automatically (use a cronjob or something).
  #lazy_expunge = .EXPUNGED/ .DELETED/ .DELETED/.EXPUNGED/

  # New lines -- Esteban herrera
  sieve_global_path = /var/vmail/globalsieverc
  # End of new lines
}

/* ----------------------------- /etc/fail2ban/jail.conf ------------------------------ */

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1

bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,

# action, port, logpath, etc) in that section within jail.local

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2

[ssh-ddos]
enabled = false
port = ssh

filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
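Added example (not from the book and not fail2ban's own code): how the values in this jail.conf combine with a jail.local override into each jail's effective settings, and how maxretry, bantime and ignoreip then decide bans over constructed auth.log lines. The jail.local content, the findtime of 600 s (fail2ban's default, not set in this file), the simplified failure regex and every log line are assumptions; the jail.conf listing resumes after the block.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Excerpt of the jail.conf values listed on this page.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
banaction = iptables-multiport
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
action = %(action_)s

[ssh]
enabled = true
port = ssh
maxretry = 6

[apache]
enabled = false
port = http,https
maxretry = 6
"""

# Constructed jail.local (assumption): local changes live here, not in jail.conf.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24
findtime = 600

[apache]
enabled = true
"""

# Simplified stand-in for the sshd filter (assumption, not fail2ban's failregex).
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def effective_jails(*sources):
    """Merge config texts in order (later wins) and return the enabled jails."""
    cp = configparser.ConfigParser()
    for text in sources:
        cp.read_string(text)
    jails = {}
    for name in cp.sections():
        if not cp.getboolean(name, "enabled", fallback=False):
            continue
        jails[name] = {
            "maxretry": cp.getint(name, "maxretry"),
            "bantime": cp.getint(name, "bantime"),
            "findtime": cp.getint(name, "findtime", fallback=600),  # assumed default
            "ignoreip": [ipaddress.ip_network(n) for n in cp.get(name, "ignoreip").split()],
            # fail2ban supplies %(__name__)s itself; plain configparser needs it passed in.
            "action": cp.get(name, "action", vars={"__name__": name}),
        }
    return jails


def bans(log_lines, jail, year=2013):
    """Return {ip: time of ban} for sources reaching maxretry failures within findtime."""
    recent = defaultdict(deque)  # ip -> failure times still inside the findtime window
    banned = {}
    for line in log_lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in jail["ignoreip"]):
            continue  # whitelisted sources are never counted
        if ip in banned and (ts - banned[ip]).total_seconds() < jail["bantime"]:
            continue  # still banned
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > jail["findtime"]:
            window.popleft()
        if len(window) >= jail["maxretry"]:
            banned[ip] = ts
            window.clear()
    return {str(ip): when for ip, when in banned.items()}


def sample_log():
    """Constructed auth.log lines: a fast guesser, a slow one, and an internal host."""
    fmt = "Nov 12 10:{:02d}:{:02d} srv sshd[4242]: Failed password for root from {} port 40022 ssh2"
    lines = [fmt.format(0, s, "203.0.113.7") for s in range(0, 60, 10)]    # 6 in one minute
    lines += [fmt.format(m, 0, "198.51.100.9") for m in range(1, 57, 11)]  # 6, 11 min apart
    lines += [fmt.format(2, s, "192.168.1.50") for s in range(8)]          # 8 from the LAN
    return sorted(lines)


if __name__ == "__main__":
    for srcs in ((JAIL_CONF,), (JAIL_CONF, JAIL_LOCAL)):
        ssh = effective_jails(*srcs)["ssh"]
        print(len(srcs), "file(s):", ssh["action"], bans(sample_log(), ssh))
```

With jail.conf alone the internal host 192.168.1.50 is banned along with the fast guesser; with the jail.local override it is ignored, and the slow guesser is never banned in either case because its failures never accumulate inside one findtime window.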

#
# FTP servers
#

[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6

[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]

enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log

# DNS Servers

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
# Since UDP is connectionless protocol, spoofing of IP and immitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log

[named-refused-tcp]

enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log

/* -------------------------------------- /etc/logrotate.d/dovecot-deliver --------------------------------------- */

Note: This is the only logrotate file that was created manually, but by the end of the project the following files are also present in the /etc/logrotate/ directory: apache2, apt, aptitude, clamav-daemon, clamav-freshclam, dpkg, exim4-base, exim4-paniclog, fail2ban, mysql-server, vsftpd. For every program we install we must check whether it generates logs, where it writes them, and whether we can centralize them in /var/log/ as we have done throughout the LE SF project, and keep track of their growth in order to create or modify a logrotate entry that compresses and rotates them. In some cases, such as the Apache2 logs, care must be taken to avoid rotating logs as far as possible, because they are used to obtain visit statistics for the websites, and logrotate treats a group of logs like a snake biting its own tail, overwriting the first file of the group when the end of the last one in the rotation is reached. Note that server log growth decreases with a high-availability (HA) server cluster, since client requests and their logs are distributed among all the servers in the farm. In that case the statistical information must be gathered from several places, as explained in the videos on the Linux Enterprise Sci-Fi cluster DVDs.

/var/vmail/dovecot-deliver.log {
    weekly
    rotate 14
    compress
}

/* ------------------------------------- /etc/mysql/DISABLEDndb_mgmd.cnf -------------------------------------- */

Note: This file is a basic MySQL Cluster 5.0 configuration. Still pending is adding the line that specifies the BACKUP directory, partition or disk for the databases, as explained in the Linux Enterprise Sci Fi Cluster DVDs. For the MySQL Cluster 7.2 version of this file, the official Oracle® MySQL Cluster documentation can also be consulted.

[ndb_mgmd]
hostname=192.168.1.200
datadir=/home/my_cluster/ndb_data
NodeId=1

[ndbd default]
noofreplicas=2
DataMemory=128M
IndexMemory=64M
datadir=/home/my_cluster/ndb_data

[ndbd]
hostname=192.168.1.200
NodeId=3

[ndbd]
hostname=192.168.1.205
NodeId=4

[mysqld]
hostname=192.168.1.200
NodeId=50

/* ----------------------- /etc/mysql/my.cnf ------------------------ */

#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#

# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0

[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp

language = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
bind-address = 0.0.0.0
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
#
# Here you can see queries with especially long duration
#log_slow_queries = /var/log/mysql/mysql-slow.log

#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

# --== Esteban edition on: 01-11-13 ==--
default_table_type = NDBCLUSTER
ndbcluster
ndb-connectstring=192.168.1.200

[mysql_cluster]
ndb-connectstring=192.168.1.200

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer = 16M

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

/* ----------------------------- /etc/network/interfaces ------------------------------ */

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet static
#address 192.168.1.205
#broadcast 192.168.1.255
#netmask 255.255.255.0
#gateway 192.168.1.1
#nameserver 192.168.1.1

allow-hotplug eth1

iface eth1 inet static
address 192.168.1.206
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
nameserver 192.168.1.1

allow-hotplug eth2
iface eth2 inet static
address 192.168.1.207
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
nameserver 192.168.1.1

allow-hotplug eth3
iface eth3 inet static
address 192.168.1.208
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
nameserver 192.168.1.1

allow-hotplug eth4
iface eth4 inet static
address 192.168.1.209
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
nameserver 192.168.1.1

# Next is the creation of the bridge interface
auto br0
iface br0 inet static
    address 192.168.1.205
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    # dns-* options are implemented by resolvconf
    # package, if installed
    #dns-nameservers 193.168.1.1

    #dns-search sytes.net
    pre-up /usr/sbin/tunctl -u xcapncrunchx -t tap0
    pre-up ifconfig tap0 up
    #bridge_ports all tap0
    bridge_ports eth0
    bridge_maxwait 0
    post-down ifconfig tap0
    post-down tunctl -d tap0

/* -------------------------------- /etc/network/interfacesBAK --------------------------------- */

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

/* ------------------------------- /etc/php5/apache2/php.ini -------------------------------- */

[PHP]

;;;;;;;;;;;
; WARNING ;
;;;;;;;;;;;
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *NOT* for production purposes.
; For several security-oriented considerations that should be taken

; before going online with your site, please consult php.ini-recommended
; and http://php.net/manual/en/security.php.


;;;;;;;;;;;;;;;;;;;
; About php.ini   ;
;;;;;;;;;;;;;;;;;;;
; This file controls many aspects of PHP's behavior. In order for PHP to
; read it, it must be named 'php.ini'. PHP looks for it in the current
; working directory, in the path designated by the environment variable
; PHPRC, and in the path that was defined in compile time (in that order).
; Under Windows, the compile-time path is the Windows directory. The
; path in which the php.ini file is looked for can be overridden using
; the -c argument in command line mode.
;
; The syntax of the file is extremely simple. Whitespace and Lines
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; they might mean something in the future.
;
; Directives are specified using the following syntax:
; directive = value
; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
;
; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
;
; Expressions in the INI file are limited to bitwise operators and parentheses:
; | bitwise OR
; & bitwise AND
; ~ bitwise NOT
; ! boolean NOT
;
; Boolean flags can be turned on using the values 1, On, True or Yes.
; They can be turned off using the values 0, Off, False or No.
;
; An empty string can be denoted by simply not writing anything after the equal
; sign, or by using the None keyword:
;
; foo = ; sets foo to an empty string
; foo = none ; sets foo to an empty string
; foo = "none" ; sets foo to the string 'none'
;
; If you use constants in your value, and these constants belong to a
; dynamically loaded extension (either a PHP extension or a Zend extension),
; you may only use these constants *after* the line that loads the extension.


;;;;;;;;;;;;;;;;;;;
; About this file ;
;;;;;;;;;;;;;;;;;;;
; All the values in the php.ini-dist file correspond to the builtin
; defaults (that is, if no php.ini is used, or if you delete these lines,
; the builtin defaults will be identical).


;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;

; Enable the PHP scripting language engine under Apache.
engine = On

; Enable compatibility mode with Zend Engine 1 (PHP 4.x)
zend.ze1_compatibility_mode = Off

; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
; NOTE: Using short tags should be avoided when developing applications or
; libraries that are meant for redistribution, or deployment on PHP
; servers which are not under your control, because short tags may not
; be supported on the target server. For portable, redistributable code,
; be sure not to use short tags.
short_open_tag = On

; Allow ASP-style <% %> tags.
asp_tags = Off

; The number of significant digits displayed in floating point numbers.
precision = 12

; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
y2k_compliance = On

; Output buffering allows you to send header lines (including cookies) even
; after you send body content, at the price of slowing PHP's output layer a
; bit. You can enable output buffering during runtime by calling the output
; buffering functions. You can also enable output buffering for all files by
; setting this directive to On. If you wish to limit the size of the buffer
; to a certain size - you can use a maximum number of bytes instead of 'On', as
; a value for this directive (e.g., output_buffering=4096).
output_buffering = Off

; You can redirect all of the output of your scripts to a function. For
; example, if you set output_handler to "mb_output_handler", character
; encoding will be transparently converted to the specified encoding.
; Setting any output handler automatically turns on output buffering.
; Note: People who wrote portable scripts should not depend on this ini
;       directive. Instead, explicitly set the output handler using ob_start().
;       Using this ini directive may cause problems unless you know what script
;       is doing.
; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
;       and you cannot use both "ob_gzhandler" and "zlib.output_compression".
; Note: output_handler must be empty if this is set 'On' !!!!
;       Instead you must use zlib.output_handler.
;output_handler =

; Transparent output compression using the zlib library
; Valid values for this option are 'off', 'on', or a specific buffer size
; to be used for compression (default is 4KB)
; Note: Resulting chunk size may vary due to nature of compression. PHP
;       outputs chunks that are few hundreds bytes each as a result of
;       compression. If you prefer a larger chunk size for better
;       performance, enable output_buffering in addition.
; Note: You need to use zlib.output_handler instead of the standard
;       output_handler, or otherwise the output will be corrupted.
zlib.output_compression = Off
;zlib.output_compression_level = -1

; You cannot specify additional output handlers if zlib.output_compression
; is activated here. This setting does the same as output_handler but in
; a different order.
;zlib.output_handler =

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block. This is equivalent to calling the
; PHP function flush() after each and every call to print() or echo() and each
; and every HTML block. Turning this option on has serious performance
; implications and is generally recommended for debugging purposes only.
implicit_flush = Off

; The unserialize callback function will be called (with the undefined class'
; name as parameter), if the unserializer finds an undefined class
; which should be instantiated.
; A warning appears if the specified function is not defined, or if the
; function doesn't include/implement the missing class.
; So only set this entry, if you really want to implement such a
; callback-function.
unserialize_callback_func=

; When floats & doubles are serialized store serialize_precision significant
; digits after the floating point. The default value ensures that when floats
; are decoded with unserialize, the data will remain the same.

serialize_precision = 100

; Whether to enable the ability to force arguments to be passed by reference
; at function call time. This method is deprecated and is likely to be
; unsupported in future versions of PHP/Zend. The encouraged method of
; specifying which arguments should be passed by reference is in the function
; declaration. You're encouraged to try and turn this option Off and make
; sure your scripts work properly with it in order to ensure they will work
; with future versions of the language (you will receive a warning each time
; you use this feature, and the argument will be passed by value instead of by
; reference).
allow_call_time_pass_reference = On

;
; Safe Mode
;
; NOTE: this is considered a "broken" security measure.
;       Applications relying on this feature will not recieve full
;       support by the security team. For more information please
;       see /usr/share/doc/php5-common/README.Debian.security
;
;safe_mode = Off

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

; When safe_mode is on, UID/GID checks are bypassed when

; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
;safe_mode_include_dir =

; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
;safe_mode_exec_dir =

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes. In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here. By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
;
; Note: If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv(). These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is

; *NOT* affected by whether Safe Mode is turned On or Off.
; NOTE: this is considered a "broken" security measure.
;       Applications relying on this feature will not recieve full
;       support by the security team. For more information please
;       see /usr/share/doc/php5-common/README.Debian.security
;
;open_basedir =
;open_basedir = /var/www

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =

; This directive allows you to disable certain classes for security reasons.
; It receives a comma-delimited list of class names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_classes =

; Colors for Syntax Highlighting mode. Anything that's acceptable in
; <span style="color: ???????"> would work.
;highlight.string = #DD0000
;highlight.comment = #FF9900
;highlight.keyword = #007700
;highlight.bg = #FFFFFF
;highlight.default = #0000BB
;highlight.html = #000000

; If enabled, the request will be allowed to complete even if the user aborts
; the request. Consider enabling it if executing long request, which may end up
; being interrupted by the user or a browser timing out.
; ignore_user_abort = On

; Determines the size of the realpath cache to be used by PHP. This value should
; be increased on systems where PHP opens many files to reflect the quantity of
; the file operations performed.
; realpath_cache_size=16k

; Duration of time, in seconds for which to cache realpath information for a given
; file or directory. For systems with rarely changing files, consider increasing this
; value.
; realpath_cache_ttl=120

;
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
;expose_php = On
; <new line security reaons!>
expose_php = Off


;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 30 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 128M ; Maximum amount of memory a script may consume (128MB)


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; error_reporting is a bit-field. Or each number up to get desired error
; reporting level
; E_ALL - All errors and warnings (doesn't include E_STRICT)
; E_ERROR - fatal run-time errors
; E_RECOVERABLE_ERROR - almost fatal run-time errors
; E_WARNING - run-time warnings (non-fatal errors)
; E_PARSE - compile-time parse errors
; E_NOTICE - run-time notices (these are warnings which often result
;            from a bug in your code, but it's possible that it was
;            intentional (e.g., using an uninitialized variable and
;            relying on the fact it's automatically initialized to an
;            empty string)
; E_STRICT - run-time notices, enable to have PHP suggest changes
;            to your code which will ensure the best interoperability
;            and forward compatibility of your code
; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
;                  initial startup
; E_COMPILE_ERROR - fatal compile-time errors
; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
; E_USER_ERROR - user-generated error message
; E_USER_WARNING - user-generated warning message
; E_USER_NOTICE - user-generated notice message
;
; Examples:
;
; - Show all errors, except for notices and coding standards warnings
;
;error_reporting = E_ALL & ~E_NOTICE
;
; - Show all errors, except for notices
;
;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
;
; - Show only errors
;
;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
;
; - Show all errors except for notices and coding standards warnings
;
error_reporting = E_ALL & ~E_NOTICE

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
;
; possible values for display_errors:
;
; Off - Do not display any errors
; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)

;
;display_errors = "stderr"
;
; stdout (On) - Display errors to STDOUT
;
display_errors = Off

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed. It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
;log_errors = Off
log_errors = On

; Set maximum length of log_errors. In error_log information about the source is
; added. The default is 1024 and 0 allows to not apply any maximum length at all.
log_errors_max_len = 1024

; Do not log repeated messages. Repeated errors must occur in same file on same
; line until ignore_repeated_source is set true.
ignore_repeated_errors = Off

; Ignore source of message when ignoring repeated messages. When this setting
; is On you will not log errors with repeated messages from different files or
; source lines.
ignore_repeated_source = Off

; If this parameter is set to Off, then memory leaks will not be shown (on

; stdout or in the log). This has only effect in a debug compile, and if
; error reporting includes E_WARNING in the allowed list
report_memleaks = On

;report_zend_debug = 0

; Store the last error/warning message in $php_errormsg (boolean).
track_errors = Off

; Disable the inclusion of HTML tags in error messages.
; Note: Never use this feature for production boxes.
;html_errors = Off

; If html_errors is set On PHP produces clickable error messages that direct
; to a page describing the error or function causing the error in detail.
; You can download a copy of the PHP manual from http://www.php.net/docs.php
; and change docref_root to the base URL of your local copy including the
; leading '/'. You must also specify the file extension being used including
; the dot.
; Note: Never use this feature for production boxes.
;docref_root = "/phpmanual/"
;docref_ext = .html

; String to output before an error message.
;error_prepend_string = "<font color=#ff0000>"

; String to output after an error message.
;error_append_string = "</font>"

; Log errors to specified file.
;error_log = filename

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
;
; Note - track_vars is ALWAYS enabled as of PHP 4.0.3

; The separator used in PHP generated URLs to separate arguments.
; Default is "&".
;arg_separator.output = "&amp;"

; List of separator(s) used by PHP to parse input URLs into variables.
; Default is "&".
; NOTE: Every character in this directive is considered as separator!
;arg_separator.input = ";&"

; This directive describes the order in which PHP registers GET, POST, Cookie,
; Environment and Built-in variables (G, P, C, E & S respectively, often
; referred to as EGPCS or GPC). Registration is done from left to right, newer
; values override older values.
variables_order = "EGPCS"

; Whether or not to register the EGPCS variables as global variables. You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data. This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the $HTTP_*_VARS[],
; variables.
;
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as

globals can easily lead
; to possible security problems, if the code is not very well thought of.
; NOTE: applications relying on this feature will not receive full
; support by the security team. For more information please
; see /usr/share/doc/php5-common/README.Debian.security
;
register_globals = Off

; Whether or not to register the old-style input arrays, HTTP_GET_VARS
; and friends. If you're not using them, it's recommended to turn them off,
; for performance reasons.
register_long_arrays = On

; This directive tells PHP whether to declare the argv&argc variables (that
; would contain the GET information). If you don't use these variables, you
; should turn it off for increased performance.
register_argc_argv = On

; When enabled, the SERVER and ENV variables are created when they're first
; used (Just In Time) instead of when the script starts. If these variables
; are not used within a script, having this directive on will result in a
; performance gain. The PHP directives register_globals, register_long_arrays,
; and register_argc_argv must be disabled for this directive to have any effect.
auto_globals_jit = On

; Maximum size of POST data that PHP will accept.
post_max_size = 8M

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

; Automatically add files before or after any PHP document.
auto_prepend_file =
auto_append_file =

; As of 4.0b4, PHP always outputs a character encoding by default in
; the Content-type: header. To disable sending of the charset, simply
; set it to be empty.
;
; PHP's built-in default is text/html
default_mimetype = "text/html"
;default_charset = "iso-8859-1"

; Always populate the $HTTP_RAW_POST_DATA variable.
;always_populate_raw_post_data = On

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;

; UNIX: "/path1:/path2"
;include_path = ".:/usr/share/php"
include_path = ".:/home/aestudio/public_html:/home/aestudio/include:/home/aestudio/include/classes"

;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"

; The root of the PHP pages, used only if nonempty.
; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
; if you are running php as a CGI under any web server (other than IIS)
; see documentation for security issues. The alternate is to use the
; cgi.force_redirect configuration below
doc_root =

; The directory under which PHP opens the script using /~username used only
; if nonempty.
user_dir =

; Directory in which the loadable extensions (modules) reside.
; extension_dir = "./"

; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
; NOTE: this is a potential security hole and is disabled by default in debian
enable_dl = Off

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers. Left undefined, PHP turns this on by default. You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1

; if cgi.nph is enabled it will force cgi to always send

Status: 200 with
; every request.
; cgi.nph = 1

; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution. Setting this variable MAY
; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
; cgi.redirect_status_env = ;

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; cgi.fix_pathinfo=0

; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
; security tokens of the calling client. This allows IIS to define the
; security context that the request runs under. mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS. Default is zero.
; fastcgi.impersonate = 1;

; Disable logging through FastCGI connection
; fastcgi.logging = 0

; cgi.rfc2616_headers configuration option tells PHP

what type of headers to
; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
; is supported by Apache. When this option is set to 1 PHP will send
; RFC2616 compliant header.
; Default is zero.
;cgi.rfc2616_headers = 0

;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;

; Whether to allow HTTP file uploads.
file_uploads = On

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
;upload_tmp_dir =

; Maximum allowed size for uploaded files.
upload_max_filesize = 2M

; Maximum number of files that can be uploaded via a single request
max_file_uploads = 50

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
;allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off

; Define the anonymous ftp password (your email address)
;from="[email protected]"

; Define the User-Agent string
; user_agent="PHP"

; Default timeout for socket based streams (seconds)
default_socket_timeout = 60

; If your scripts have to deal with files from Macintosh systems,
; or you are running on a Mac and need to deal with files from
; unix or win32 systems, setting this flag will cause PHP to
; automatically detect the EOL character in those files so that
; fgets() and file() will work regardless of the source of the file.
; auto_detect_line_endings = Off

;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
;
; If you wish to have an extension loaded automatically, use the following
; syntax:
;
; extension=modulename.extension
;
; For example, on Windows:
;
; extension=msql.dll
;
; ... or under UNIX:
;
; extension=msql.so
;

; Note that it should be the name of the module only; no directory information
; needs to go here. Specify the location of the extension with the
; extension_dir directive above.

;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Date]
; Defines the default timezone used by the date functions
;date.timezone =

;date.default_latitude = 31.7667
;date.default_longitude = 35.2333

;date.sunrise_zenith = 90.583333
;date.sunset_zenith = 90.583333

[filter]
;filter.default = unsafe_raw
;filter.default_flags =

[iconv]
;iconv.input_encoding = ISO-8859-1
;iconv.internal_encoding = ISO-8859-1
;iconv.output_encoding = ISO-8859-1

[sqlite]
;sqlite.assoc_case = 0

[xmlrpc]
;xmlrpc_error_number = 0
;xmlrpc_errors = 0

[Pcre]
;PCRE library backtracking limit.
;pcre.backtrack_limit=100000

;PCRE library recursion limit.

;Please note that if you set this value to a high number you may consume all
;the available process stack and eventually crash PHP (due to reaching the
;stack size limit imposed by the Operating System).
;pcre.recursion_limit=100000

[Syslog]
; Whether or not to define the various syslog variables (e.g. $LOG_PID,
; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
; runtime, you can define these variables by calling define_syslog_variables().
define_syslog_variables = Off

[mail function]
; For Win32 only.
SMTP = localhost
smtp_port = 25

; For Win32 only.
;sendmail_from = [email protected]

; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =

; Force the addition of the specified parameters to be passed as extra parameters
; to the sendmail binary. These parameters will always replace the value of
; the 5th parameter to mail(), even in safe mode.
;mail.force_extra_parameters =

[SQL]
sql.safe_mode = Off

[ODBC]
;odbc.default_db = Not yet implemented
;odbc.default_user = Not yet implemented
;odbc.default_pw = Not yet implemented

; Allow or prevent persistent links.
odbc.allow_persistent = On

; Check that a connection is still valid before reuse.
odbc.check_persistent = On

; Maximum number of persistent links. -1 means no limit.
odbc.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
odbc.max_links = -1

; Handling of LONG fields. Returns number of bytes to variables. 0 means
; passthru.
odbc.defaultlrl = 4096

; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
; of uodbc.defaultlrl and uodbc.defaultbinmode
odbc.defaultbinmode = 1

[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
mysql.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
mysql.max_links = -1

; Default port number for mysql_connect(). If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that

order). Win32 will only look
; at MYSQL_PORT.
mysql.default_port =

; Default socket name for local MySQL connects. If empty, uses the built-in
; MySQL defaults.
mysql.default_socket =

; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host =

; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
; and reveal this password! And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =

; Maximum time (in seconds) for connect timeout. -1 means no limit
mysql.connect_timeout = 60

; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL-Errors will be displayed.
mysql.trace_mode = Off

[MySQLi]

; Maximum number of links. -1 means no limit.
mysqli.max_links = -1

; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
; at MYSQL_PORT.
mysqli.default_port = 3306

; Default socket name for local MySQL connects. If empty, uses the built-in
; MySQL defaults.
mysqli.default_socket =

; Default host for mysql_connect() (doesn't apply in safe mode).
mysqli.default_host =

; Default user for mysql_connect() (doesn't apply in safe mode).
mysqli.default_user =

; Default password for mysqli_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
; and reveal this password! And of course, any users with read access to this
; file will be able to reveal the password as well.
mysqli.default_pw =

; Allow or prevent reconnect
mysqli.reconnect = Off

[mSQL]
; Allow or prevent persistent links.
msql.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
msql.max_persistent = -1

; Maximum number of links (persistent+non persistent). -1 means no limit.
msql.max_links = -1

[OCI8]
; enables privileged connections using external credentials (OCI_SYSOPER, OCI_SYSDBA)
;oci8.privileged_connect = Off

; Connection: The maximum number of persistent OCI8 connections per
; process. Using -1 means no limit.
;oci8.max_persistent = -1

; Connection: The maximum number of seconds a process is allowed to
; maintain an idle persistent connection. Using -1 means idle
; persistent connections will be maintained forever.
;oci8.persistent_timeout = -1

; Connection: The number of seconds that must pass before issuing a
; ping during oci_pconnect() to check the connection validity. When
; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
; pings completely.
;oci8.ping_interval = 60

; Tuning: This option enables statement caching, and specifies how
; many statements to cache. Using 0 disables statement caching.
;oci8.statement_cache_size = 20

; Tuning: Enables statement prefetching and sets the default number of
; rows that will be fetched automatically after statement execution.
;oci8.default_prefetch = 10

; Compatibility. Using On means oci_close() will not close
; oci_connect() and oci_new_connect() connections.
;oci8.old_oci_close_semantics = Off

[PostgresSQL]
; Allow or prevent persistent links.
pgsql.allow_persistent = On

; Detect broken persistent links always with pg_pconnect().
; Auto reset feature requires a little overheads.
pgsql.auto_reset_persistent = Off

; Maximum number of persistent links. -1 means no limit.
pgsql.max_persistent = -1

; Maximum number of links (persistent+non persistent). -1 means no limit.
pgsql.max_links = -1

; Ignore PostgreSQL backends Notice message or not.
; Notice message logging require a little overheads.
pgsql.ignore_notice = 0

; Log PostgreSQL backends Notice message or not.
; Unless pgsql.ignore_notice=0, module cannot log notice message.
pgsql.log_notice = 0

[Sybase]
; Allow or prevent persistent links.
sybase.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
sybase.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
sybase.max_links = -1

;sybase.interface_file = "/usr/sybase/interfaces"

; Minimum error severity to display.
sybase.min_error_severity = 10

; Minimum message severity to display.
sybase.min_message_severity = 10

; Compatibility mode with old versions of PHP 3.0.
; If on, this will cause PHP to automatically assign types to results according
; to their Sybase type, instead of treating them all as strings. This
; compatibility mode will probably not stay around forever, so try applying
; whatever necessary changes to your code, and turn it off.
sybase.compatability_mode = Off

[Sybase-CT]
; Allow or prevent persistent links.
sybct.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
sybct.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
sybct.max_links = -1

; Minimum server message severity to display.
sybct.min_server_severity = 10

; Minimum client message severity to display.
sybct.min_client_severity = 10

[bcmath]
; Number of decimal digits for all bcmath functions.
bcmath.scale = 0

[browscap]
;browscap = extra/browscap.ini

[Informix]
; Default host for ifx_connect() (doesn't apply in safe mode).
ifx.default_host =

; Default user for ifx_connect() (doesn't apply in safe mode).
ifx.default_user =

; Default password for ifx_connect() (doesn't apply in safe mode).
ifx.default_password =

; Allow or prevent persistent links.
ifx.allow_persistent = On

; Maximum number of persistent links. -1 means no limit.
ifx.max_persistent = -1

; Maximum number of links (persistent + non-persistent). -1 means no limit.
ifx.max_links = -1

; If on, select statements return the contents of a text blob instead of its id.
ifx.textasvarchar = 0

; If on, select statements return the contents of a byte blob instead of its id.
ifx.byteasvarchar = 0

; Trailing blanks are stripped from fixed-length char columns. May help the
; life of Informix SE users.
ifx.charasvarchar = 0

; If on, the contents of text and byte blobs are dumped to a file instead of
; keeping them in memory.
ifx.blobinfile = 0

; NULL's are returned as empty strings, unless this is set

to 1. In that case,
; NULL's are returned as string 'NULL'.
ifx.nullformat = 0

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; As of PHP 4.0.1, you can define the path as:
;
; session.save_path = "N;/path"
;
; where N is an integer. Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories. This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"

;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
;session.save_path = /var/lib/php5

; Whether to use cookies.
session.use_cookies = 1

;session.cookie_secure =

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
session.cookie_httponly =

; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php
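
The error-display, include and session-cookie directives in the listing above can be checked mechanically before a host goes into production. The following Python audit is an added example, not part of the book's listing: the policy table and the names parse_ini and audit are assumptions, the embedded sample is constructed from values shown in the listing, and requiring session.cookie_secure assumes an HTTPS-only site.

```python
import re

# Hardening targets for directives that appear in the listing above.
# True means "must be enabled", False means "must be disabled".
# Assumption: session.cookie_secure is required because the site is HTTPS-only.
POLICY = {
    "display_errors": False,
    "log_errors": True,
    "register_globals": False,
    "enable_dl": False,
    "allow_url_include": False,
    "session.use_only_cookies": True,
    "session.cookie_httponly": True,
    "session.cookie_secure": True,
}

# Spellings php.ini treats as boolean false; anything else counts as enabled
# (so display_errors = "stderr" is reported as enabled).
FALSY = {"", "0", "off", "false", "no", "none"}

DIRECTIVE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")

# Constructed excerpt that reuses the values shown in the listing.
SAMPLE = """\
[PHP]
display_errors = Off
;log_errors = Off
log_errors = On
register_globals = Off
enable_dl = Off
;allow_url_fopen = On
allow_url_include = Off
[Session]
session.use_cookies = 1
;session.cookie_secure =
; session.use_only_cookies = 1
session.cookie_httponly =
"""


def parse_ini(text):
    """Return {directive: raw value}; later assignments override earlier ones."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # blank line, commented-out directive, or section header
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value[:1] == '"':
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()  # drop a trailing comment
        values[name] = value
    return values


def audit(text):
    """Map each policy directive to 'ok', 'weak' or 'unset'."""
    values = parse_ini(text)
    report = {}
    for name, want_enabled in POLICY.items():
        if name not in values:
            # Commented out or missing: the effective value is whatever the
            # installed PHP build defaults to, so flag it for an explicit setting.
            report[name] = "unset"
            continue
        enabled = values[name].lower() not in FALSY
        report[name] = "ok" if enabled == want_enabled else "weak"
    return report


if __name__ == "__main__":
    for directive, status in audit(SAMPLE).items():
        print(f"{status:5}  {directive}")
```

A directive reported as unset is not necessarily unsafe, but its effective value then depends on the PHP build rather than on this file, which is why the audit separates it from an explicit weak value such as the empty session.cookie_httponly.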

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

; This is disabled in the Debian packages, due to the strict permissions
; on /var/lib/php5. Instead of setting this here, see the cronjob at
; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below.
; php scripts using their own session.save_path should make sure garbage
; collection is enabled by setting session.gc_probability
;session.gc_probability = 0
session.gc_divisor = 100

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; NOTE: If you are using the subdirectory option for storing session files
; (see session.save_path above), then garbage collection does *not*
; happen automatically. You will need to do your own garbage
; collection through a shell script, cron entry, or some other method.
; For example, the following script is the equivalent of
; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
; cd /path/to/sessions; find -cmin +24 | xargs rm

; PHP 4.2 and less have an undocumented feature/bug that allows you to

