dcsimg

Real-World Windows 2000 Configuration: Getting Apache, PHP, MySQL, and phpMyAdmin to Work Together, Part 2 Page 2

By Scott Beatty (Send Email)
Posted Aug 7, 2002


Log Files

Using the previously described configurations, Apache, PHP, and MySQL will generate the following log files:

C:\Apache\logs\error.log
C:\Apache\logs\access.log
C:\Apache\logs\ssl.log
C:\php_log\php_errors.log
C:\mysql\data\mysql.err

The Apache manual has a section titled Log Files.

Chapter 16 of the PHP documentation covers Error Handling.

Section 4.9 of the MySQL manual describes the MySQL log files and their maintenance.

Like the database dumps described above, you can create a batch file and use the Scheduled Tasks tool to run regular backups of your log files.

Once your site is online, one of the programs that can be used to analyze Apache log files is AWStats. It requires Perl.

Controlling File Access at the OS Level: Windows 2000 NTFS and File-Sharing Permissions

My hard drive partitions are formatted NTFS. This allows the setting of access permissions to folders (AKA directories) and files.

I gave the MySQL install directory, C:/mysql, the following permissions in Windows 2000:
     Administrator - Full Control
     Everyone - Full Control
But I did not share the folder.

The minimum permissions for Everyone that I could find that still allowed me to start the MySQL service are:
     Everyone - Special*:
                          - Traverse Folder / Execute Data
                          - List Folder / Read Data
                          - Read Attributes
                          - Read Extended Attributes
(*click the Advanced button on the Security tab in the mysql Properties dialog)
With just these permissions I was able to submit a SELECT query to a MySQL table, but I was not able to make changes, such as INSERT, to it (because it was read-only).

The batch file that I created for database dumps, as described earlier, is located in the C:\mysql\bin directory. It contains a username and password. This file is located in a directory that is not shared; however, for extra security, perhaps, individual permissions can be set for the file. I was able to run a scheduled task that executes this batch file with the only user granted access to this file being an administrator with Full Control. To set the security for the file, right-click it in Windows Explorer, select Properties, and then the Security tab.

Similarly, individual tasks listed in the Scheduled Tasks tool can also be assigned security settings. Right-click the task, select Properties, and then the Security tab. I was able to run a mysqldump batch file task with just an administrator having Full Control of the task.

I log in to Windows as an administrator to do development work, including working with MySQL via phpMyAdmin.

Regarding Apache, some factors to consider include the following settings and permissions for the document root, i.e., C:\Apache\htdocs (allow changes to propagate to its subfolders):

  • After you are done developing your site (otherwise you won't be able to edit the files) set it to read-only.
  • Do not share it.
  • Remove Everyone as a user. Set up an administrator as a user with Full Control.
  • Disable "Allow inheritable permissions from the parent to propagate to this object."

Regarding PHP and the directory where you keep your include files (e.g., C:\phpinc): consider the same settings and permissions for it as were used for Apache's document root.

In my opinion, this subject of file and directory permissions for running Apache, PHP, and MySQL on Windows 2000 (or NT) is not sufficiently documented. Please do not consider the information presented here as authoritative, but rather as explorative.

If this is the first time the subject has been brought to your attention, you can now explore it on your own, and find what works best for your situation.

As to general Windows security, in July 2002 the Center for Internet Security released benchmarks and a scoring tool for Windows 2000 and NT. They can be obtained at: http://www.cisecurity.org/bench_win2000.html. Also, a benchmark for the Apache Web Server is under development.

Closing Comments

The approach shared in this article is obviously not the only way to go, but it is one up-to-date way that works in Windows 2000 and is presented here for educational purposes. There is still much to learn. It is a challenge to put all the pieces together, and less information is available when doing it on Windows.

Also note that new versions of software come out, and they might bring changes that invalidate some of the information in this article. In addition, sometimes new software brings with it bugs that break things that were working before.

Discuss this article in the ServerWatch discussion forum

Page 2 of 2


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.