Ted's Shed

PHP & PostgreSQL Woes, Part Four

Thu, 09 Jun 2005 22:08:30 GMT

OK, time for the pain!

First up, let me ensure that I've restored all the configuration files to their original state...

[tdavis@basement ~]$ su
Password: 
[root@basement tdavis]# cd /var/lib/pgsql/data/
[root@basement data]# cp pg_hba.conf.original pg_hba.conf
cp: overwrite `pg_hba.conf'? y
[root@basement data]# cp pg_ident.conf.original pg_ident.conf
cp: overwrite `pg_ident.conf'? y

Check.

And a little restart...

[root@basement data]# /sbin/service postgresql restart
Stopping postgresql service: [  OK  ]
Starting postgresql service: [  OK  ]

Check.

A little review of my test script...

[tdavis@basement 050609]$ cat insert.php 
<?php
ini_set('display_errors',true);
$dbconn=pg_connect("dbname=basement user=tdavis password=pokesmot");
$rset=pg_query($dbconn,"select * from users");
$array=pg_fetch_array($rset);
echo $array["username"];
echo "\n";
pg_close($dbconn);
?>

... and make sure it runs (it should print "tdavis")...

[tdavis@basement 050609]$ php insert.php 
Content-type: text/html
X-Powered-By: PHP/4.3.11

tdavis

Bingo!

Now let's load it up from the web...

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"? in /home/tdavis/public_html/050609/insert.php on line 3

Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /home/tdavis/public_html/050609/insert.php on line 4

Warning: pg_fetch_array(): supplied argument is not a valid PostgreSQL result resource in /home/tdavis/public_html/050609/insert.php on line 5

Warning: pg_close(): supplied argument is not a valid PostgreSQL link resource in /home/tdavis/public_html/050609/insert.php on line 8

Curses!

Considering that it works from the command line but not from the web, I'm pretty confident that this is an 'ident' issue with PostgreSQL authentication. Essentially, the tdavis Unix account can connect to the tdavis database account, but the apache Unix account may not.

First I'll try the suggestion Larry Klug posted: changing 'ident' to 'trust', which essentially means "let anybody log in"...

[root@basement data]# diff pg_hba.conf pg_hba.conf.original 
66c66
< local  all    all             trust
---
> local  all    all             ident   sameuser

... and another restart...

[root@basement data]# /sbin/service postgresql restart
Stopping postgresql service: [  OK  ]
Starting postgresql service: [  OK  ]

... and a hit from the browser...

BAM! Same error.

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"? in /home/tdavis/public_html/050609/insert.php on line 3

Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /home/tdavis/public_html/050609/insert.php on line 4

Warning: pg_fetch_array(): supplied argument is not a valid PostgreSQL result resource in /home/tdavis/public_html/050609/insert.php on line 5

Warning: pg_close(): supplied argument is not a valid PostgreSQL link resource in /home/tdavis/public_html/050609/insert.php on line 8

Round and round she goes. Where she stops, nobody knows!

I'll work on it tomorrow, I swear!

Wed, 08 Jun 2005 23:33:44 GMT

I spent last night with my daughter, and tonight I'm headed over to my girlfriend's to watch a movie. Tomorrow night I'm going to work on Project Basement. Really. I swear. Hmm... but I do have two new Netflix discs on my coffee table. Must resist! Must produce! We'll see :-)

Info on 3.9M Citigroup customers lost

Tue, 07 Jun 2005 12:47:19 GMT

(according to CNNMoney) and MC has only been working there a week! That's got to be a new record ;-)

PHP & PostgreSQL Woes, Part Two and One-Half

Tue, 07 Jun 2005 01:54:37 GMT

I wasted another hour banging my head against getting PHP to talk to PostgreSQL with no luck. At one point I decided to shut down the database just to see if PHP would give me a useful error message. The error changed slightly to:

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"?

And here's the kicker: after I started the database back up again, PHP continued to say it could not connect to the server. So I restarted Apache. Nope! How about if I reboot the entire machine? Sorry. I have really screwed something up now... yet all of the configuration files have been restored to their original state (I always make backups).

PHP & PostgreSQL Woes, Part Two

Mon, 06 Jun 2005 23:55:08 GMT

Another fruitless day trying to get PHP talking to PostgreSQL.

It seems there's two approaches to this.

The first is to tell PostgreSQL to allow the Unix account running PHP (Apache) to connect to the database.

This is, according to my Googles, configured in a file called pg_hba.conf

[tdavis@basement ~]$ sudo find / -name pg_hba.conf >find 2>errors; cat find
/var/lib/pgsql/data/pg_hba.conf

This file contains a single line:

local  all    all             ident   sameuser

And the documentation explains that this tells PosgreSQL to allow any local users to connect to any database and assume their Unix username is the same as their PostgreSQL username:

ident

Obtain the operating system user name of the client (for TCP/IP connections by contacting the ident server on the client, for local connections by getting it from the operating system) and check if the user is allowed to connect as the requested database user by consulting the map specified after the ident key word. See Section 19.2.4 for details.

So what I need to do, apparently, is to create a new mapping that says Unix account 'apache' is allowed to log in as PostgreSQL user 'tdavis'...

19.2.4.3. Ident Maps

When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, PostgreSQL checks whether that user is allowed to connect as the database user he is requesting to connect as. This is controlled by the ident map argument that follows the ident key word in the pg_hba.conf file. There is a predefined ident map sameuser, which allows any operating system user to connect as the database user of the same name (if the latter exists). Other maps must be created manually.

So I added the new line to pg_hba.conf and added the user mapping to pg_ident.conf and restarted PostgreSQL... no luck. Same error.

The second option is to create a new user for the 'apache' account to use.

[root@basement data]# su postgres
bash-3.00$ createuser
Enter name of user to add: apache
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER

And give it access to the basement database:

postgres=# grant all on database basement to apache;
GRANT

Now this sucks. I don't want this account to have complete access to the database. I want this account to be able to select, insert, update, and delete, but not create new tables or drop existing tables, etc. But in order to achieve that level of access, I would have to grant it per table! OMG!

Sanity check:

[tdavis@basement ~]$ psql basement
Welcome to psql 7.4.8, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

basement=> \du
              List of database users
 User name | User ID |         Attributes         
-----------+---------+----------------------------
 apache    |     101 | 
 postgres  |       1 | superuser, create database
 tdavis    |     100 | 
(3 rows)

Restart PostgreSQL... nope. Still no access. Sucks. Sigh.

P. S. I'm an old emacs fanatic, but for today's session I used vi just to see what all the fuss was about. I'll use it again in future sessions before I make any judgements. So far I'm neither impressed nor disappointed.

PHP & PostgreSQL Woes, Part One

Sun, 05 Jun 2005 22:21:11 GMT

I'll spare you the twelve-page narration of my trials and tribulations and tell you simply that I am working on Project Basement this afternoon and I've not yet figured out how to connect to the PostgreSQL database from PHP.

Here's my code:

<?php
ini_set('display_errors',true);
$dbconn=pg_connect("dbname=basement");
pg_insert($dbconn,'users',$_POST);
pg_close($dbconn);
?>

And here's my error message:

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"? in /home/tdavis/public_html/censored_for_my_protection.php on line 3

I'm Googling for a solution at the moment.

In case any of my WoW buddies read this...

Thu, 02 Jun 2005 15:45:54 GMT

http://www.thinkgeek.com/pennyarcade/swag/76e8/

I'll send you 400G in game for one of these ;-)

Another Lull

Thu, 02 Jun 2005 15:10:46 GMT

Fear not, faithful readers. Project Basement is not yet dead, just suffering another lull as work saps me of all my energy and traveling this weekend will prohibit any productivity. I plan to throw together some user account creation and log-in scripts as my next feet-whetting project, then I'll set up some revision control system to preserve my work (and my sanity).

Showering makes you fat!

Wed, 01 Jun 2005 15:07:24 GMT

I have a digital scale right next to my shower. This morning when I dragged my ass out of bed I stepped on. It read 138.5. I stepped off, waited for it to reset, then stepped on again. I always weigh myself twice to ensure the first reading wasn't a fluke. 138.5 again. OK. That's cool. I took my shower. After I dried off and stepped out, I thought, why not weight myself again just for laughs. 140.0. Then again. 140.0 both times. I gained 1.5 pounds in the shower. My only hypothesis is that my body absorbed that much water; but that seems like an awful lot. Wild.

Oh yeah, I ran a 5K

Wed, 01 Jun 2005 02:43:21 GMT

On Monday I ran my first 5K of 2005. It was the one-year anniversary of my first 5K ever. It was the first 5K I'd run since the Firefighter 5K in September of last year. During the winter months I stopped running and put on some extra poundage. I can't stand running in cold weather; breathing in the cold air makes me feel like crap. A couple months ago I started running again, but nowhere near the rigorous schedule of last year. I expected to do mediocre in the race on Monday, but surprisingly I ran my best time ever (just over 29 minutes). I guess I just might have to run a few more races this summer.

PHP Woes, Part One

Mon, 30 May 2005 01:10:46 GMT

I whipped up the obligatory "hello world" PHP script and... it worked! I didn't have to futz with anything! I'm speechless.

My first order of business was to figure out how includes worked. You know, code re-use and all that jazz. I want to be able to write a piece of code once and then import it into all the pages that need it.

Not surprisingly, the keyword for including another source file is "include". Surprisingly, there's four variations of it. WTF!? Get this...

include()

- Imports and executes another source file.

include_once()

- Imports and executes another source file only one time in case it's imported multiple times. Oh ho ho. This just stinks of a bug that was promoted to a feature. Importing external sources multiple times is going to cause namespace collisions and wreak all sorts of havoc. This should have been the default implementation IMHO. Backwards compatibility is a bitch; you have to keep big bugs and crappy APIs around just for the sake of not pissing off your user base. Yeah Java, I'm looking at you too.

require()

- This does almost the exact same thing as include, but it throws a "fatal exception" if there's a problem with the external file, as opposed to include's "warning". That's a nice hack.

require_once()

- You should be able to figure out what this one does.

I think I'm going to play it safe and use require_once exclusively (if I can). It seems to be the most logical implementation, and I'm betting it was the last version of this debacle added to the language. I can see why you might want to include and execute and external file multiple times, but those are extreme cases and there are certainly other (cleaner) ways to accomplish the same thing. And I'm a big proponent of code breaking rather than limping along. If something isn't right, I want the flow to stop immediately before more potential damage can be done.

So I added a couple includes to my test script. I intentionally included a non-existent file. No fatal error reported. WTF? It seems PHP by default doesn't dump error diagnosis to the web page for security reasons. I can agree with that. But where the frick are the errors logged? I've not yet figured that out. And even though the error isn't detailed on the page, I'd at least like to see notification that something is amiss. I'm researching those API calls now...

The first candidate seemed to be display_errors, which is documented to "determine whether errors should be printed to the screen as part of the output", but if you keep reading, there's a catch: "it won't have any affect if the script has fatal errors." Remember that "require" throws a fatal error. Oops. No help there.

The next candidate seems to be log_errors, which is documented to "Tell whether script error messages should be logged to the server's error log or error_log." And if you follow up on error_log you discover that it is the "name of the file where script errors should be logged. The file should be writable by the web server's user." Alright, I'll give that a whirl.

<?php
error_log('/home/tdavis/public_html/error.log');
log_errors(true);
require_once 'missing.php';
?>

Create the file...

[tdavis@basement public_html]$ echo > /home/tdavis/public_html/error.log
[tdavis@basement public_html]$ chmod 666 error.log 
[tdavis@basement public_html]$ ls --scontext | grep error
user_u:object_r:httpd_sys_content_t error.log

Hit the page and check the log...

[tdavis@basement public_html]$ cat error.log

Nothing. Empty. Nada. Are you starting to grasp the beauty of this? I can't figure out how to get error logging working... and there's no way to debug it because none of the errors are being logged! I just might beat myself senseless... oh, too late.

Fortunately for me, I have root access, so I can peek at the Apache logs.

[client 24.233.173.197] /home/tdavis/public_html/error.log
[client 24.233.173.197] PHP Fatal error:  Call to undefined function:  
    log_errors() in /home/tdavis/public_html/test.php on line 3

Er... it seems that my call to error_log simply printed the string to the main log rather than setting the file path... wtf? Also, log_errors is undefined? Grr.

Oh, error_log is not a function name, well it is, but it's also a property name, and the latter is what I want. Now how do I set it? I haven't yet figured that out. Supposedly I can set it at run time using ini_set(), but as already stated above, in the case of a "fatal" error, as require_once throws, runtime settings are a moot point. Sigh.

But wait a second. How often is the documentation correct, much less consistent? Hell, I'm going to try it...

<?php
ini_set('display_errors',true);
require_once 'missing.php';
?>

Bam!

Warning: main(missing.php): failed to open stream: No such file or directory in /home/tdavis/public_html/test.php on line 3

Fatal error: main(): Failed opening required 'missing.php' (include_path='.:/usr/share/pear') in /home/tdavis/public_html/test.php on line 3

Bingo!

The day the Klug saved Christmas

Sun, 29 May 2005 04:49:54 GMT

It's 12:30AM, Saturyday night (Sunday morning). I made the mistake of checking my e-mail right before bed. Lo and behold I had a comment in my blog from a very old friend and colleague, Larry Klug.

Larry and I worked together at the beginning of the dot com explosion. I remember Larry as a young Visual Basic coder who pined about his days of airbrushing t-shirts and serving customers the "onion of the day"... and of course the management of the official Gram Parson's web site and fan club.

Many years ago, when our dot com baby went bust, we went our separate ways. But a year or so ago I rediscovered Larry through his blog. I discovered, from his writings, that he'd become quite the accomplished tech guru, jetsetting about and dabbling with, hell mastering wonderful niche technologies that I can only dream about having (making?) the time to explore. His rants about synching his iPod from Linux left me dumbfounded. He was "in the shit" (as you might hear from a cliche Vietnam war movie) in regards to coding. He was getting down and dirty with device drivers and code on the bleeding edge. I silently envied him from afar.

And on this fateful night, my dear friends, Larry enlightened me. He pulled my head out of the sand and showed me the path that I had lost. He earned his sainthood this evening by exposing the solution to my Apache problem that I now realize I was nowhere close to resolving on my own and probably would not have for a very long painful time to come...

Subject: Sealed for your protection

One word: SELinux

Fedora Core 3 ships with an SELinux kernel. SELinux (Security Enhanced Linux) is essentially a way to add an additional layer of file permissions over and above the normal users/groups permissions. In short, chmod will not help you. You should instead use the command chcon to change the security context of the directory you want to use. Apache should really add this to their FAQ. Even though RedHat is really to blame, the Apache FAQ is the first place someone might look for a solution. Unfortunately, this one is too new to be easy to find in the usual places. You can disable SELinux completely, or try something like: "chcon -t httpd_sys_content_t /home/tdavis/basement".

Wow. That sounds like good stuff. A little googling turned up this gem which corroborates Larry's explanation:

http://www.networkclue.com/os/Linux/commands/chcon.php

So let's play with this...

[tdavis@basement ~]$ ls --scontext
user_u:object_r:user_home_t      Desktop
user_u:object_r:user_home_t      errors
user_u:object_r:user_home_t      find
user_u:object_r:user_home_t      public_html

Interesting...

[tdavis@basement ~]$ ls --scontext /var/www
system_u:object_r:httpd_sys_script_exec_t cgi-bin
system_u:object_r:httpd_sys_content_t error
system_u:object_r:httpd_sys_content_t html
system_u:object_r:httpd_sys_content_t icons
system_u:object_r:httpd_sys_content_t manual
system_u:object_r:httpd_sys_content_t usage

Yes indeed it seems httpd_sys_content_t is the magic value. Let's give it a whirl...

[tdavis@basement ~]$ chcon --type httpd_sys_content_t public_html

Nope, but it gave me a different error message, which is promising. Let's try a little deeper.

[tdavis@basement ~]$ cd public_html/
[tdavis@basement public_html]$ chcon --type httpd_sys_content_t index.html

HALLELUJAH!!!

Thanks Larry! I owe you one. I owe you a big one!

Firefly

Sun, 29 May 2005 04:16:28 GMT

After reading all the "gull ram" hype about this TV series on Slashdot, and the news of the upcoming feature film Serenity (the name of the space ship, and the pilot episode), I rented the first (and only) season on DVD to see what it's all about. It started out good and got better. It's not a "great" show in my book, but it breaks a lot of cliches for it's genre. It's the anti-Roddenberryian space adventure. The captain kills with little remorse. You won't see any Wrath of Kahn spin-offs from this show -- you cross the captain and he leaves you stone cold dead. His crew doesn't follow him blindly like mindless puppies -- hell one of them even tries to turn the others in for their bounties. Romances aren't wrapped up in single episodes, nor are they clean and pretty. People get shot; both good and bad. People die; both good and bad. The acting is solid. The writing is solid. It's a nice piece of entertainment and I can certainly see why it had such a passionate following. There's no grand sub-plot like Babylon 5 or the X-Files. It's pretty episodic with most continuity simply preserved for humor value -- the crew doesn't let each other forget their embarrassing faux pas from past adventures. I don't know anything about the upcoming movie, but I hope it wraps up some of the dangling threads from the series... and in some way I hope it leaves a few of those threads still dangling. For example, I want to know what's wrong with the lobotomized chick, but I don't care to see the captain and the on-board whore confess their hidden love for each other. I guess it all depends on how much control the originator (Josh Whedon) is able to preserve when the big movie studio execs decide to step in and candy coat everything. If I had a nickel for every DVD I've rented that has the bonus track with the "original ending the studio made us rewrite" that made me gasp in awe at how much better the film would have been if they didn't all sail off into the sunset at the end and live happily every after.

Apache Woes, Part Four

Sun, 29 May 2005 00:36:11 GMT

Because I'm a glutton for punishment, I press on...

Maybe the problem is specific to the special index.html file name.

[tdavis@basement ~]$ cd public_html/
[tdavis@basement public_html]$ echo "hello world" > snafu.html
[tdavis@basement public_html]$ ls -al snafu.html 
-rw-rw-r--  1 tdavis tdavis 12 May 28 19:56 snafu.html

http://basement.dnsalias.net/~tdavis/snafu.html

Forbidden

You don't have permission to access /~tdavis/snafu.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.0.52 (Fedora) Server at basement.dnsalias.net Port 80

Nope.

Mabye if I kill httpd I can su into the apache user and test the file access.

[tdavis@basement public_html]$ sudo /sbin/service httpd stop
Stopping httpd: [  OK  ]
[tdavis@basement public_html]$ su
Password: 
[root@basement public_html]# su apache
This account is currently not available.

Nope.

This has got to be a farking configuration problem! Right? Oh what I wouldn't pay for some... oh wait, paying would defeat the purpose of using free software. Ah, the fool I am.

I'm peeking at the configuration file again... because I'm stubborn like that. Time to delve a little deeper into each part of the access control settings.

http://httpd.apache.org/docs-2.0/mod/core.html#limit

http://httpd.apache.org/docs-2.0/mod/core.html#limitexcept

http://httpd.apache.org/docs-2.0/mod/mod_access.html#order

http://httpd.apache.org/docs-2.0/mod/core.html#options

It all looks good. Argh.

Is there anything more frustrating than something that should work doesn't? My problem is probably something incredibly simple that a veteran Apache administrator would notice in a blink of the eye, but it's stumped me for days now, and I'm no closer to a solution.

Apache Woes, Part Three

Sat, 28 May 2005 21:28:23 GMT

OK let's get this file permission theory settled once and for all...

[tdavis@basement conf]$ su
Password: 
[root@basement conf]# su apache
This account is currently not available.

Sigh. So much for that idea.

Maybe I need an .htaccess file. Oh this is going to get ugly.

http://httpd.apache.org/docs-2.1/howto/htaccess.html

OK that was nigh-useless. How about another?

http://httpd.apache.org/docs-2.1/sections.html

Nope, not much help either. The core configuration file implies that my directory should be wide open to the world. I'm frustrated and infuriated at this point.

How about another trip to the FAQ?

Why do I get a "Forbidden/You don't have permission to access / on this server" message whenever I try to access my server?

Search your conf/httpd.conf file for this exact string: <Files ~>. If you find it, that's your problem -- that particular <Files> container is malformed. Delete it or replace it with <Files ~ "^\.ht"> and restart your server and things should work as expected.

This error appears to be caused by a problem with the version of linuxconf distributed with Redhat 6.x. It may reappear if you use linuxconf again.

OK, that sounds promising...

[tdavis@basement public_html]$ grep "<Files" /etc/httpd/conf/httpd.conf
<Files ~ "^\.ht">

Nope, we're fine there.

How can a tool as prevalent as Apache be so convoluted to configure and so damn hard to troubleshoot!? This is fscking ridiculous! I've now lost days of potential productivity because I can't figure out how to publish a damn file.

Once again I bang my head against the configuration file to reiterate the obvious...

# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.

And for sanity sake...

[tdavis@basement public_html]$ pwd
/home/tdavis/public_html
[tdavis@basement public_html]$ ls -al
total 24
drwxr-xr-x   2 tdavis tdavis 4096 May 28 17:06 .
drwx--x--x  17 tdavis tdavis 4096 May 28 08:34 ..
-rw-rw-r--   1 tdavis tdavis   12 May 28 08:34 index.html

Yup, exactly what it says.

http://basement.dnsalias.net/~tdavis/index.html

Forbidden

You don't have permission to access /~tdavis/index.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.0.52 (Fedora) Server at basement.dnsalias.net Port 80

Sigh. Huh? What's that part about an error trying to use an ErrorDocument? Something else is broken too? Or is this perhaps related?

I don't know why Apache isn't/can't/won't serve the error documents, but I found it on the drive and read the contents:

You don't have permission to access the requested directory.
There is either no index document or the directory is read-protected.

The first part is obvious; I know it's not permitting me to access the directory. The second part is quite simply wrong; there is an index document and it is not read-protected. WTF!?

I'm too pissed to continue.

Katamari Damacy

Sat, 28 May 2005 20:40:34 GMT

I got this game for my daughter for her birthday. We've been playing it all day. It's fantastic. It's a testament to the old adage that simplicity is king. The goal of the game: roll a ball around and things stick to it. That's it! It's easy. It's fun. It's entertaining. Even the head-to-head is a blast. You can get your opponent's ball stuck to your ball if you've got the size advantage, then they have to shake themselves off while you use your temporarily boosted girth to stick even bigger stuff. Oh, and the soundtrack is mostly classic big-band jazz tunes sung in Japanese -- hilarious! My daughter sings along with the scatting sections. The plot, if you can call it that, is animated like it was ripped out of an old Beatles animation (like Yellow Submarine or Sergeant Pepper). It's psychedelic! We're loving every second of it.

Apache Woes, Part Two

Sat, 28 May 2005 16:10:46 GMT

It suddenly came back to me. I recall in the olden days of yore, you could configure Apache to let users host websites from their home directories as long as they all followed the convention of created a directory under their relative home directory named public_html. This probably isn't enable by default, but let's clean up my former mess and try it...

[tdavis@basement ~]$ rm basement/test.html 
[tdavis@basement ~]$ rmdir basement/
[tdavis@basement ~]$ mkdir public_html
[tdavis@basement ~]$ cd public_html/
[tdavis@basement public_html]$ echo "hello world" > index.html
[tdavis@basement public_html]$ ls -al
total 24
drwxrwxr-x   2 tdavis tdavis 4096 May 28 08:34 .
drwxr-xr-x  17 tdavis tdavis 4096 May 28 08:34 ..
-rw-rw-r--   1 tdavis tdavis   12 May 28 08:34 index.html

That all looks good.

http://basement.dnsalias.net/~tdavis/index.html

I'm starting to wonder if the user account that's running Apache simply doesn't have permission to read the tdavis files and directories... but before I investigate that, I'm going to take one more crack as the configuration file.

Oh yeah, I forgot to clean up one thing.

[tdavis@basement public_html]$ cd /var/www/html/
[tdavis@basement html]$ ls -al
total 20
drwxr-xr-x  2 root root 4096 May 26 21:32 .
drwxr-xr-x  8 root root 4096 Nov 11  2004 ..
lrwxrwxrwx  1 root root   21 May 26 21:32 basement -> /home/tdavis/basement
[tdavis@basement html]$ sudo rm basement

Alrighty. I found and un-commented the following section of the configuration file:

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

And a quick restart.

[tdavis@basement conf]$ sudo /sbin/service httpd restart

Nope. Perhaps I missed something else... ah, here we go:

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disable

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #
    #UserDir public_html

</IfModule>

Another restart and... bam! Hmm, still can't load the page, but the error message changed from "Not Found" to "Forbidden". That's a good sign... isn't it?

Here's another clue...

# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden

This points back to my original theory that the user running Apache doesn't have access to my home directory. But it is world readable, so I'm stumped. Let's check out the URL listed in the comments...

14. Why do I get a "Forbidden" message whenever I try to access a particular directory?

This message is generally caused because either

* The underlying file system permissions do not allow the User/Group under which Apache is running to access the necessary files; or
* The Apache configuration has some access restrictions in place which forbid access to the files.

You can determine which case applies to your situation by checking the error log.

In the case where file system permission are at fault, remember that not only must the directory and files in question be readable, but also all parent directories must be at least searchable (i.e., chmod +x /directory/path) by the web server in order for the content to be accessible.

Ah, there's an error log? Duh! Let's check that out...

[tdavis@basement public_html]$ cd /etc/httpd/logs/
-bash: cd: /etc/httpd/logs/: Permission denied

Grr...

[tdavis@basement public_html]$ su
Password: 
[root@basement public_html]# cd /etc/httpd/logs
[root@basement logs]# ls
access_log    error_log    ssl_access_log  ssl_request_log
access_log.1  error_log.1  ssl_error_log
[root@basement logs]# tail error_log
...
[Sat May 28 11:54:18 2005] [error] [client 24.233.173.197] (13)Permission 
    denied: access to /~tdavis denied

OK, permission denied, by what? The file access settings? The httpd configuration settings? No help there. So much for "You can determine which case applies to your situation by checking the error log." Lies, all lies!

The file access settings look fine to me. Everything is world-readable.

[tdavis@basement public_html]$ ls -al
total 24
drwxr-xr-x   2 tdavis tdavis 4096 May 28 08:34 .
drwx--x--x  17 tdavis tdavis 4096 May 28 08:34 ..
-rw-rw-r--   1 tdavis tdavis   12 May 28 08:34 index.html

One more peek at the configuration file... nope, nothing evident there. Another frustrating fruitless session. Sigh.

RedHat Woes Update

Fri, 27 May 2005 20:32:03 GMT

Through the window manager, I found a GUI that allowed me to make Apache and PostgreSQL start up when the machine boots. I have no idea WTF it did behind the scenes. If I didn't have access to the GUI, if this box had been racked a couple weeks ago like I had planned, I'd still be screwed. Let's hear it for procrastination!

RedHat Woes, Part One

Fri, 27 May 2005 14:25:28 GMT

Before I continue, I need to fix something that's irking me. Apache and PostgreSQL are not starting up when the machine reboots. I have Googled my nads off and come up dry with a solution to this (much to my dismay -- can my faith in FOSS dwindle any more?). No help from RedHat's knowledge base, none from Apache, not even PostgreSQL's web site. I tried all the cockamamie Apache suggestions from non-official blogs and forums and none have worked. Here's the less cryptic of them all...

http://sol4.net/linux/apache1.shtml

Starting Apache under Redhat

Under Redhat, to start Apache at boot time you, after logging in as root, you need to create the following link.

ln -s /usr/local/apache/bin/apachectl /etc/rc.d/init.d/apache

... but, it didn't work. So I'm moving on to PostgreSQL. This one solution looks promising...

http://www.openmicroscopy.org/install/redhat.html

You will probably want PostgreSQL to start on boot. The init script, which automates startup and shutdown, is already copied to the init.d directory by the rpm install. You just have to turn it on to the appropriate run levels.

chkconfig --level 345 postgresql

[tdavis@basement init.d]$ sudo /sbin/chkconfig --level 345 postgresql
only one runlevel may be specified for a chkconfig query

Oh really? That's not what the man page says...

--level levels
    Specifies the run levels an operation should pertain  to.  It  is
    given as a string of numbers from 0 to 7. For example, --level 35
    specifies runlevels 3 and 5.

Sigh. Chalk up yet another soul-crushing defeat at the hands of FOSS. This is depressing.

Apache Woes, Part One

Fri, 27 May 2005 01:52:06 GMT

OK, I've got a default RedHat Linux install with a default Apache install. Let's see what going on there...

http://basement.dnsalias.net/

"The operation timed out when attempting to contact basement.dnsalias.net."

Hmm, that's a good sign that Apache isn't running. Fortunately for me, I've worked with Apache before, so this shouldn't be too hard to figure out...

[tdavis@basement ~]$ sudo /usr/sbin/apachectl start

Much better. Now I can see the Fedora Core Test Page. We're rolling now. Let's set up a working directory in my home directory and see if I can get Apache to serve it...

[tdavis@basement ~]$ pwd
/home/tdavis
[tdavis@basement ~]$ mkdir basement
[tdavis@basement ~]$ ls -al basement
total 16
drwxrwxr-x   2 tdavis tdavis 4096 May 26 21:19 .
drwx------  17 tdavis tdavis 4096 May 26 21:19 ..

There's the directory, and it's got good permissions (everybody can read). Now I need to find the Apache configuration file...

[tdavis@basement ~]$ find / -name httpd.conf > find 2> errors; cat find
/etc/httpd/conf/httpd.conf

I really should macro that command; I use it all the time since I can never remember where anything is.

Time to load up emacs and take a peek...

Wow! Look at the bazillion configuration variables. Holy macaroni! There are 1005 lines in the configuration file.

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

Okie dokie, so that's where it's looking...

[tdavis@basement ~]$ cd /var/www/html
[tdavis@basement html]$ ls -al
total 16
drwxr-xr-x  2 root root 4096 Nov 11  2004 .
drwxr-xr-x  8 root root 4096 Nov 11  2004 ..

Er... where's the Fedora Core Test Page that's being served? This directory is empty!

Ah, well, I'll worry about that later. Let's see if I can create a symbolic link to the directory in my home directory and load a test page...

[tdavis@basement html]$ su
Password: 
[root@basement html]# ln /home/tdavis/basement basement
ln: `/home/tdavis/basement': hard link not allowed for directory

Apparently I don't remember how to create a symbolic link.

[root@basement html]# ln /home/tdavis/basement basement --symbolic
[root@basement html]# ls -al
total 20
drwxr-xr-x  2 root root 4096 May 26 21:32 .
drwxr-xr-x  8 root root 4096 Nov 11  2004 ..
lrwxrwxrwx  1 root root   21 May 26 21:32 basement -> /home/tdavis/basement

OK, that's better.

[root@basement html]# exit
[tdavis@basement html]$ cd
[tdavis@basement ~]$ cd basement/
[tdavis@basement basement]$ echo "hello world" > test.html

http://basement.dnsalias.net/basement/test.html

"Forbidden -- You don't have permission to access /basement/test.html on this server."

Gah! Perhaps Apache is configured to not follow symbolic links.

Nope, I see "FollowSymLinks" for the root level directories in the config file.

Perhaps I screwed up the permissions on my file or home directory.

[tdavis@basement basement]$ ls -al
total 24
drwxrwxr-x   2 tdavis tdavis 4096 May 26 21:33 .
drwx------  17 tdavis tdavis 4096 May 26 21:21 ..
-rw-rw-r--   1 tdavis tdavis   12 May 26 21:34 test.html

Yup, that looks like it. My home directory is locked up.

[tdavis@basement basement]$ chmod 755 ..
[tdavis@basement basement]$ ls -al
total 24
drwxrwxr-x   2 tdavis tdavis 4096 May 26 21:33 .
drwxr-xr-x  17 tdavis tdavis 4096 May 26 21:21 ..
-rw-rw-r--   1 tdavis tdavis   12 May 26 21:34 test.html

Hmm, that didn't fix it. Perhaps Apache needs to be restarted. I can't imagine that's the case, but my Unix-fu is very rusty, so I might as well try.

[tdavis@basement basement]$ sudo /sbin/service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

Note that I used the RedHat convenience tool "service" this time. But alas it did not solve the problem. I still can't access my test page.

Hmm, I have a theory that /var/www/html is not the correct directory. My first clue is that it's empty yet Apache is serving a default page.

[tdavis@basement ~]$ find / -name index.html >find 2>errors; cat find
/var/www/usage/index.html
/var/www/manual/index.html
...
..
.

115 files and none of them look to be my target. Grr. OK, Apache, you've won this battle, but I'll be back to fight another day. Mark my words!

PostgreSQL Woes, Part Six

Thu, 26 May 2005 21:53:10 GMT

Alright, I hope this will be my last session with PostgreSQL for the time being. There's two last things I want to bang out before I move on the PHP experimentation: indexes and referential integrity.

basement=> \d users
                        Table "public.users"
  Column  |  Type   |                   Modifiers                    
----------+---------+------------------------------------------------
 username | text    | 
 password | text    | 
 e-mail   | text    | 
 id       | integer | not null default nextval('users_id_seq'::text)
Indexes:
    "users_pkey" primary key, btree (id)
    "e-mail_key" unique, btree ("e-mail")
    "username_key" unique, btree (username)

Good, my table is still there. Ya never know. My initial plan was to add an index to username, but I now see that it already has one as a result of its unique constraint. For the purposes of this experiment, I'm going to index password too.

http://www.postgresql.org/docs/8.0/interactive/indexes.html

Looks simple enough...

basement=> create index password_index on users (password);
CREATE INDEX
basement=> \d users
                        Table "public.users"
  Column  |  Type   |                   Modifiers                    
----------+---------+------------------------------------------------
 username | text    | 
 password | text    | 
 e-mail   | text    | 
 id       | integer | not null default nextval('users_id_seq'::text)
Indexes:
    "users_pkey" primary key, btree (id)
    "e-mail_key" unique, btree ("e-mail")
    "username_key" unique, btree (username)
    "password_index" btree ("password")

And it is! Excellent. Now let's try some referential integrity. First I need a second table so I can tie the two together...

basement=> create table toy ( id serial primary key, userid integer, name text );
NOTICE:  CREATE TABLE will create implicit sequence "toy_id_seq" 
    for "serial" column "toy.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index 
    "toy_pkey" for table "toy"
CREATE TABLE
basement=> \d toy
                           Table "public.toy"
 Column |  Type   |                      Modifiers                      
--------+---------+-----------------------------------------------------
 id     | integer | not null default nextval('public.toy_id_seq'::text)
 userid | integer | 
 name   | text    | 
Indexes:
    "toy_pkey" primary key, btree (id)

Fantastic. Now I need to tie toy.userid to users.id. Hmm, I can't find any clear documentation on the syntax for this, but there is one example on this page:

http://www.postgresql.org/docs/8.0/interactive/sql-altertable.html

I'll just copy it and see what comes of it...

basement=> alter table toy add constraint toy_user_id_fk foreign 
    key ( userid ) references users ( id ) match full;
ALTER TABLE
basement=> \d toy
                           Table "public.toy"
 Column |  Type   |                      Modifiers                      
--------+---------+-----------------------------------------------------
 id     | integer | not null default nextval('public.toy_id_seq'::text)
 userid | integer | 
 name   | text    | 
Indexes:
    "toy_pkey" primary key, btree (id)
Foreign-key constraints:
    "toy_user_id_fk" FOREIGN KEY (userid) REFERENCES users(id) MATCH FULL

OK, that looks right. But I'm going to look up that "match full" part for good measure... hmm, that was harder to find than I expected, but it's buried at:

http://www.postgresql.org/docs/8.0/interactive/sql-createtable.html

... and it reads as, "MATCH FULL will not allow one column of a multicolumn foreign key to be null unless all foreign key columns are null. MATCH SIMPLE allows some foreign key columns to be null while other parts of the foreign key are not null. MATCH PARTIAL is not yet implemented."

Hmm, interesting. Not really apropos in my test since I'm not using a multicolumn foreign key, but I'm glad I stumbled onto it so I'm wary of it if and when I need it.

And that concludes my quick and dirty immersion into PostgreSQL. I'll be coming back to it when it's time to start building the "real deal", but for now I'm going to move on to PHP and see what exciting new headaches it has in store for me...

Jury Duty

Wed, 25 May 2005 18:38:23 GMT

I'm 33 years old and have never been summoned for jury duty... until now. I've heard a few horror stories about it. Tomorrow I have to schlep down to the courthouse and experience it for myself. I'm rather apathetic about it. I don't care about losing a day of work. I'm interested to see what it's like. But I'm neither excited nor depressed about it. The only thing I don't want to do is sit on my ass all day waiting for my number to be called. I'll have a couple books with me. I wonder if I can get my iPod past security.

Screw Frameworks

Wed, 25 May 2005 13:07:41 GMT

The last few weekends I've been reading about PHP frameworks. I've come to realize the following:

- Nobody agrees on which ones are "good".

- Nobody agrees on what a "good" framework should do.

And the more I think about it, the more I realize that using a framework is going to defeat my goal of learning PHP. A framework is going to abstract all the knitty gritty and prevent me from knowing what's really going on. Sure, a "good" framework should technically allow me to get my project implemented quickly and painlessly, which is one of my goals, but in this case I'm willing to endure a little pain to get my hands dirty. I won't be using a framework. I'm going to be reinventing some wheels.

But before I get to the coding, I have at least one more session with the database, which should be my next entry.

And after my feet are sufficiently wet with database and php moisture, I'll need to set up some revision control system.

PostgreSQL Woes, Part Five

Tue, 24 May 2005 15:49:13 GMT

Now that I've created a table, how do I review it? What's the command to show me the table design? I'm not having any luck with the documentation. I listed all the available commands. The obvious ones didn't do what I expected...

basement=> \h analyze
Command:     ANALYZE
Description: collect statistics about a database
Syntax:
ANALYZE [ VERBOSE ] [ table [ (column [, ...] ) ] ]

basement=> \h explain
Command:     EXPLAIN
Description: show the execution plan of a statement
Syntax:
EXPLAIN [ ANALYZE ] [ VERBOSE ] statement

basement=> \h show
Command:     SHOW
Description: show the value of a run-time parameter
Syntax:
SHOW name
SHOW ALL

Ah! I stumbled upon it quite by accident...

basement=> \d users
                        Table "public.users"
  Column  |  Type   |                   Modifiers                    
----------+---------+------------------------------------------------
 username | text    | 
 password | text    | 
 e-mail   | text    | 
 id       | integer | not null default nextval('users_id_seq'::text)
Indexes:
    "users_pkey" primary key, btree (id)
    "e-mail_key" unique, btree ("e-mail")
    "username_key" unique, btree (username)

Hmm, what is that "::text" after the sequence reference? That's a cause for concern. The sequence should be a series of integers. What does that suffix mean?

http://www.postgresql.org/docs/8.0/interactive/sql-createsequence.html

The documentation is no help. Searching comes up dry as well. Grr. Something is fishy, and I don't like it.

Let's create a temporary test table using the "serial" data type then see what it dumps...

basement=> create table harbinger ( magic serial );
NOTICE:  CREATE TABLE will create implicit sequence "harbinger_magic_seq" 
    for "serial" column "harbinger.magic"
CREATE TABLE
basement=> \d harbinger
                            Table "public.harbinger"
 Column |  Type   |                          Modifiers                           
--------+---------+--------------------------------------------------------------
 magic  | integer | not null default nextval('public.harbinger_magic_seq'::text)

Hmm, it also has the "::text" suffix. OK. I'm not going to worry about that any more for now.

Oh yeah, I need to clean up...

basement=> drop table harbinger;
DROP TABLE

But wait a second. It said it was creating the implicit sequence for me. When I dropped the table, did it clean up the orphaned sequence too?

basement=> \d harbinger_magic_seq
Did not find any relation named "harbinger_magic_seq".

Good boy! Ah, I should be able to check out my users id sequence as well...

basement=> \d users_id_seq
Sequence "public.users_id_seq"
    Column     |  Type   
---------------+---------
 sequence_name | name
 last_value    | bigint
 increment_by  | bigint
 max_value     | bigint
 min_value     | bigint
 cache_value   | bigint
 log_cnt       | bigint
 is_cycled     | boolean
 is_called     | boolean

Excellent. No "text" in there that I can see. I guess I'll never know what that suffix meant :-\

PostgreSQL Woes, Part Four

Tue, 24 May 2005 00:15:33 GMT

Now that I've got an operational, I'm ready to create some tables...

http://www.postgresql.org/docs/8.0/interactive/ddl.html#DDL-BASICS

[tdavis@basement ~]$ psql basement
Welcome to psql 7.4.8, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

basement=>

Ah, good, everything still works. Not that I had any doubts, of course...

basement=> create table Users();
CREATE TABLE
basement=> select * from Users;
  
--
(0 rows)

Excellent.

Yeah, I'm pluralizing the names of the tables. I'm intimately familiar with the debates. That's the way I'm doing it for this project. So sue me :-P

basement=> alter table Users add column Username text;
ALTER TABLE
basement=> alter table Users add column Password text;
ALTER TABLE
basement=> alter table Users add column E-mail text;
ERROR:  syntax error at or near "-" at character 31

Hmm, can't have a hyphen in a column name? Perhaps if I quoted the name. How do I do that? No help from the docs...

http://www.postgresql.org/docs/8.0/interactive/sql-altertable.html

So let's experiment...

basement=> alter table Users add column "E-mail" text;
ALTER TABLE

OK, that created the column, but did it include the quotes in the name? You never know.

basement=> select * from Users;
 username | password | E-mail 
----------+----------+--------
(0 rows)

That looks good... but wait a second. Why did it make "username" and "password" lowercase? Grr! OK, I'm not going to screw around with this case-sensitive crap. I'm going all lower-case...

basement=> alter table users rename "E-mail" to "e-mail";
ALTER TABLE
basement=> select * from users;
 username | password | e-mail 
----------+----------+--------
(0 rows)

That's more like it. Now how do I add an auto-incrementing primary key?

http://www.postgresql.org/docs/8.0/interactive/sql-createtable.html

Ah cool, there's a special type called "serial" that acts as shorthand for "integer DEFAULT nextval('tablename_colname_seq') NOT NULL"...

basement=> alter table users add column id serial;
NOTICE:  ALTER TABLE will create implicit sequence "users_id_seq" 
    for "serial" column "users.id"
ERROR:  adding columns with defaults is not implemented
HINT:  Add the column, then use ALTER TABLE SET DEFAULT.

Hmm, OK, let's try it the long way...

basement=> alter table users add column id integer default 
    nextval('users_id_seq') not null;
ERROR:  adding columns with defaults is not implemented
HINT:  Add the column, then use ALTER TABLE SET DEFAULT.

Grr...

basement=> alter table users add column id integer not null;
ERROR:  adding NOT NULL columns is not implemented
HINT:  Add the column, then use ALTER TABLE SET NOT NULL.

GRR!

basement=> alter table users add column id integer;
ALTER TABLE
basement=> alter table users alter column id set not null;
ALTER TABLE
basement=> alter table users alter column id set default 
    nextval('users_id_seq');
ALTER TABLE

A little more roundabout than I'd like, but supposedly I arrived at the correct destination. Did I get it all? Oh yeah, I need it to be the primary key...

basement=> alter table users add primary key (id);
NOTICE:  ALTER TABLE / ADD PRIMARY KEY will create implicit index 
    "users_pkey" for table "users"
ALTER TABLE

Let's test it...

basement=> insert into users ( username, password, "e-mail" ) 
    values ( 'tdavis', 'secret', 'trak3r@hotmail.com' );
ERROR:  relation "users_id_seq" does not exist

That's not good. Looks like I need to create a sequence...

http://www.postgresql.org/docs/8.0/interactive/sql-createsequence.html

basement=> create sequence users_id_seq;
CREATE SEQUENCE

Alright, now about that insert...

basement=> insert into users ( username, password, "e-mail" ) 
    values ( 'tdavis', 'secret', 'trak3r@hotmail.com' );
INSERT 17158 1

That looks promising...

basement=> select * from users;
 username | password |       e-mail       | id 
----------+----------+--------------------+----
 tdavis   | secret   | trak3r@hotmail.com |  1
(1 row)

Yeah baby!

Now we're cooking. Now I'm happy. I'm finally making progress. It's all downhill from here... yeah right.

Now how do I make the username and e-mail columns unique?

basement=> alter table users add constraint username_key unique(username);
NOTICE:  ALTER TABLE / ADD UNIQUE will create implicit index 
    "username_key" for table "users"
ALTER TABLE
basement=> alter table users add constraint "e-mail_key" unique("e-mail");
NOTICE:  ALTER TABLE / ADD UNIQUE will create implicit index 
    "e-mail_key" for table "users"
ALTER TABLE

Could it really be that easy? Let's test it...

basement=> insert into users ( username, password, "e-mail" ) 
    values ( 'tdavis', 'secret', 'trak3r@hotmail.com' );
ERROR:  duplicate key violates unique constraint "username_key"
basement=> insert into users ( username, password, "e-mail" ) 
    values ( 'tdavis2', 'secret', 'trak3r@hotmail.com' );
ERROR:  duplicate key violates unique constraint "e-mail_key"

Rawkin'!