I've been cobbling together a system at work for the last couple months to allow a single place for changing all network passwords. This includes a variety of database sources, as well as passwd files and smbpasswd files. I've been making use of PEAR's File_Passwd and File_SMBPasswd, and they've greatly simplified the task of updating passwords for those types of systems. However, I've encountered some issues that I never would have expected.
I have the web user in a group called 'samba', and I have the smbpasswd file owned by root:samba. I then set the smbpasswd file to be group +rw. Simple, right? The web user should then be able to update the smbpasswd file without a problem, right? Wrong.
I kept getting errors, and on investigation continually found that the smbpasswd file permissions had reverted to 0600 -- i.e., only the root user could access it. I tried using 'chattr -i' on the off-chance that the file had been made immutable (which didn't make sense, as I was able to see the permissions change). No luck.
Based on observations of when the permissions reverted, it appears that the various SMB processes will reset the permissions! An example is when someone attempts to mount a resource from the server; this accesses the smbpasswd file to perform authentication -- and at this point the file permissions change. I can find no documentation to support this; these are simply my observations.
So, to get around the behaviour, I created a script that will set the file permissions to what I want them, and then gave sudo privileges to the samba group for that script. This script is then called via system() in the update script just before processing.
It's a hack, and could be made more secure, but it works.
Those who follow my blog may remember an earlier entry on form validation. I looked into some of the possible solutions those who commented provided, but other than Solar_Form, each was either trying to generate HTML, or not generating HTML was considered a plugin type of behaviour (i.e., the HTML generation was the norm, and not generating HTML typically added layers). Discouraged, I continued plugging away on my own solution which was incorporating Solar_Valid for validations, adding some filtering, adding the ability to load definitions from a file, and adding the ability to use callbacks for either filters or validation rules.
I got some code together, tried it out, and felt that either something was missing, or I was doing something a little wrong. I posted the code source, and asked Paul Jones for feedback.
After some initial flurries of emails with Paul asking for more detail, me providing it, Paul asking questions, me attempting to answer... Paul had me look at the source for Solar_Form. In doing so, I discovered what he was suspecting, namely, that we were trying to build something similar. Rather than continue on parallel courses, I decided to jump in and help in this aspect of the Solar project.
Changes since the proposal include the addition of a static method for retrieving a random fortune from a list of files, the addition of a DocBook tutorial listing several usage examples, renaming the exception classes to conform to PEAR CS, some minor bugfixes, and some streamlining of the package definition.
Included in the release is an example script, phpFortune, that can be used on the command line to get random fortunes from one or more fortune files. Usage is:
$> phpFortune fortunes $> phpFortune fortunes simpsons hitchhiker $> phpFortune
What a way to start the day -- I had an email from PEPR letting me know that my File_Fortune proposal had been accepted!
File_Fortune is a PHP OOP interface to reading and writing fortune files. It is loosely based on the perl module Fortune.pm, but modified significantly to better work with PHP file access methods, as well as to add writing capability.
I will be uploading my initial release shortly, probably as a beta or RC.
So, go fetch those Simpsons, Hitchhiker's Guide, and Star Wars fortune cookie databases and prepare to add random quotes to your site!
I've been doing a lot of thinking on form validation recently. Among other things, I want to be using a standard set of tools for validating form input at work; I'm also rewriting the family website in PHP, and want to have consistency there as well. Finally, I truly buy into Chris Shiflett's top two security practices: filter input, escape output. Validation should always be done, and should be done rigorously; don't allow anything more than is necessary to get the work done.
I flirted briefly in the past month with HTML_QuickForm. Being an observer on the CGI::Application mailing lists, HQF looks like PHP's answer to perl's Data::FormValidator. HQF has a high frequency of posts on the php-pear-general lists. A lot of people seem happy with it. I decided to try it out as an example plugin for Cgiapp for the latest release.
My problem is that I want to be able to define form validation in a file outside my script. The reason for this is that as I extend and reuse classes, I often find that I can use the same general run-modes for a method... just so long as the form validation logic is separate. This allows me, for instance, to decide that in one application instance I will require fields A-M, but in another, I only need A-E (or vice versa). But it requires no changes to the actual application logic, as the validations are kept separately, and I have the application instance indicate which validation file to utilize.
I've been doing some thinking on exceptions, and PEAR_Exception in particular. You may want to skip ahead to read about how to use PEAR_Exception, as well as some of my thoughts on the class on first use. If you want the background, read on.
I've created a package proposal on PEAR for a package called File_Fortune, an OOP interface to reading and writing fortune files. I've been using a perl module for this on the family website for years, and now that I'm starting work on the PHP conversion, I thought I'd start with the building blocks.
In creating the proposal, I started with a PHP5-only version, though I found that I wasn't using much in PHP5 beyond the public/private/protected/static keywords. For error handling, I decided to try out PEAR_ErrorStack, as I'd been hearing buzz about it being the new "preferred" method for error handling in PEAR. (Honestly, after using it, I'm not too happy with it; throwing PEAR_Errors was much easier, and easier to manipulate as well -- but that's a subject for another post -- and exceptions were easier still, though more typing.)
The first comment I got on the proposal was the question: "Why PHP5?" (Paul wasn't too surprised by that reaction.) I thought about it, and decided it wasn't really all that necessary, beyond the fact that I'd need to take some extra steps to be able to actually test a PHP4 version. So, I did a PHP4 version.
Well, then some chatter happened, and a number of developers said, "Why not PHP5?" So, I went back to PHP5. And then somebody else said, "Use PEAR_Exception." So, I started playing with that, and we finally get to the subject of this post.
Got the official notification: I passed the Zend PHP Certification Exam, and can now report I'm a Zend Certified Engineer (ZCE)!
Thanks go to my bosses at NGA for giving me the opportunity to attend php|Tropics, to Marco Tabini for offering the ZCE exam as part of the php|Tropics conference fee, and to my wife, Jen, and daughter, Maeve, for putting up with me while I studied... and being good sports about having to stay home while I went to Cancun. Hopefully next time I can take you along!
Paul Jones has written an interesting piece about documentation in the PEAR project, in which he argues very convincingly for using wikis for end user documentation.
I actually think that last point bears repeating: using wikis for end user documentation. I talked to Paul about this issue at php|Tropics, and both of us use phpDocumentor quite religiously. However, API documentation is very different from end user documentation. And the issue with documentation at the PEAR project has to do with the fact that there are many projects with little or no end user documentation -- which often makes it difficult for a developer to determine how a module might be used.
The often-cited barrier for this is that end user documentation on the PEAR website must be done in DocBook format.
Twice in the past week I found myself needing to create or alter database search functionality in some APIs for work. In doing this work, I discovered some techniques that make this process much easier. In line with The Pragmatic Programmer, I found myself exploring the DRY principle (Don't Repeat Yourself), and looking into code generation (this time, SQL) -- basically to exploit my inherent laziness and to make my job easier.
I thought I'd share some of the principles I've discovered for myself as I haven't read much information on the subject. Some of this may be rudimentary for some readers or those who work with more advanced abstraction layers (I suspect DB_DataObject may do much of this), but hopefully the information can be a useful reference for others (myself included).
I recently had an email exchange with chregu of Planet PHP regarding Planet PHP's blog selection. I've been subscribing to its RSS feed for over a year now, but was uncertain how blogs were selected -- was it based on popularity of the developer, projects the developer works on (for instance, PEAR), etc. I felt that it was time for this information to be made public; it helps inform the readership why they're reading what they're reading.
And my exchange with him resulted in his Planet PHP FAQ blog entry, which hopefully someday will become a static page on the site. Additionally, I found out how new blogs get added, and am proud to announce I'm now in the lineup!
(Of course, the timing could not really be worse, come to think of it. I'm moving my family in to town this weekend (from our house in the Green Mountains of Vermont), and I need to make arrangements for hosting weierophinney.net in the interim while we wait for phone and DSL service -- which won't be up for at least another week :-( I'm sure I'll figure out something... stay tuned!)
Update: corrected link to Planet PHP FAQ.