Checking permissions and PHP settings

This page performs various checks to see if your webserver matches what CMSMS needs. Additionally, we display some server information for reference purposes.

The information described in this page also pertains to the "System Information" page in your installation, and the tests performed when performing a major version upgrade of CMS Made Simple.

The tests are devided into "Required" and "Recommended" tests. Your configuration must pass all of the "Required" tests before the installation will continue. Though installation can still continue if your configuration fails one or more of the "Recommended" tests.

If your system fails a test you may be able to adjust your php or apache configuration settings by adjusting either a php.ini file or a .htaccess file depending on your site configuration.

   System Information:

This section displays some basic information detected about your server. Your information may look similar to this:

server_info.png

   Required settings:


  Check for the required PHP version

Checking for PHP version 5.4.11+

This test ensures that the PHP version you are using meets the minimum requirements for CMSMS. A recommended version will also be displayed.

Some commercial hosts support multiple versions of php. If by default your system does not meet the minimum, or recommended settings you may be able to enable a newer version by adjusting a configuration file.

CMSMS currently requires a minimum of PHP 5.4.11 and recommends PHP 5.5.2 or greater. Upcoming versions of CMSMS will require PHP 5.6 or greater.


  Checking for md5 Function

This test ensures that the md5 checksum capability is built into CMSMS. This is used for creating unique filenames, for securing password, and numerous features within CMSMS. If this function is not available you may need to contact your hosts administrator.

  Checking for GD library

The "GD" library for php provides graphics processing capabilities. CMSMS uses this library to generate thumbnails of uploaded images. It must be correctly installed for CMSMS to operate.


  Checking write permission on config.php

Though during normal operations it is not recommended for the web server process to have write access to the config.php file, during the installation process write permission is required.


  Checking for tempnam Function

the tempnam function is a php function used for generating unique temporary filenames. Some hosts disable the use of this function, but it is used in some places in CMSMS.

  Magic quotes in runtime

"Magic Quotes" is a feature that automatically escapes incoming strings. This feature is deprecated in PHP 5.3.x and removed in PHP 5.4. CMSMS requires that this function be disabled.

You may be able to disable magic quotes in your installation with these php.ini settings:

magic_quotes_gpc = Off
magic_quotes_runtime = Off

  DB drivers

This test ensures that your php environment is configured with at least one database driver that is compatible with CMS Made Simple.

If you do not have any suitable database drivers available you will have to look up how to install them in your particular environment, or contact your host administrator.


  Checking if the httpd process can create a file inside of a directory it created

It is critical for the operation of CMS Made Simple that the httpd process owner be able to create a directory inside the installation, and then create a file within that directory. This is used for operations like uploading files, and creating thumbnails.

If this test fails you will need to:

  • Ensure that PHP's safe mode is off.
  • Check the file creation mask (umask), or
  • Contact your host's administrator to resolve this difficulty.

  Performance and Tuning Information (recommended settings, but not required)


  PHP 5.5+ Opcode Cache

An opcode cache will 'compile' each PHP file into a format that is faster and easier for machines to read and execute. These compiled files are normally stored in memory. Our testing shows that when using an opcode cache processing time can be reduced by 50% or more, and memory usage for each request can be reduced by 60% or more. This directly improves the performance of your website, and reduces server load.

PHP 5.5 and greater includes by default the Zend opcode cache (opcache). Other opcode caches include XCache and APC. However since the zend opcache is officially part of PHP we recommend it.

The opcache can only be enabled at the server level. However it can be disabled at the directory level in the .htaccess file So if your opcache is not enabled there are two steps to perform:

  1. Review all of your .htaccess files and ensure that there are no values like:
    php_flag opcache.enable Off
  2. Contact your system administrator (or host if using a shared host) and talk to them about enabling the opcache at the php level.

  Recommended Settings:


  Testing error_reporting to ensure E_STRICT is disabled

E_STRICT is an error level setting that, if enabled may report errors about pieces of code that do not meet strict PHP standards. The CMSMS Dev team endeavors to ensure that the core package is developed to strict standards, however third party programmers may not. Therefore we recommend you disable this feature in order to prevent some possibly distracting error messages from appearing on your website or in the CMSMS admin console.

You may be able to disable E_STRICT in your installation with this php.ini settings:

error_reporting = E_ALL

For production environments, we recommend that the error reporting be set to:
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED


  Testing error_reporting to ensure E_DEPRECATED is disabled

Similar to E_STRICT, E_DEPRECATED is an error level setting that, if enabled, may report errors about pieces of code that are using older methods of PHP development.

Some situations may exist in the CMSMS core where we are using code that causes E_DEPRECATED notices due to backwards compatibility issues. As well, there may be similar situations with third party modules or plugins. Therefore we suggest you disable this feature.

You may be able to disable E_STRICT in your installation with this php.ini settings:

error_reporting = E_ALL & ~E_DEPRECATED

   Checking PHP memory limit

The PHP memory limit is the amount of RAM that the httpd process allows php to allocate for processing requests. CMSMS requires a minimum of 16 megabytes of RAM and recommends 24MB or greater for most environments.

The amount of memory recommended is for a minimal installation of CMS Made Simple, and is based on numerous tests and experiments in various environments. Your environment may require more memory.

Additionally, this recommendation is for a core installation only. Installing more addon modules or User defined tags after the installation will require more RAM. Additionally, you may require more memory to perform some operations in those addon modules (such as sending bulk emails, displaying hundreds of records from the database, manipulating graphics etc.)

You may be able to adjust your php memory limit with this php.ini setting:

memory_limit = 24M

Or add to your config.php file:

ini_set("memory_limit", "24M");

   Checking PHP time limit in seconds

This test checks the amount of time that the httpd process will allow a script to execute. Though most normal requests should be done well within 30 seconds some requests (such as uploading files, or manipulating graphics) may take longer. CMSMS Recommends that this limit be at least 60 seconds.

You may be able to adjust your max execution time with this php.ini setting:

max_execution_time = 120

Or add to your config.php file:

ini_set('max_execution_time', 120);

   Checking PHP register globals

This test ensures that the php directive register_globals is off to minimize security issues, and to ensure the proper execution of the system.

You may be able to adjust this value with this php.ini setting:

register_globals = off

   Checking output buffering

Output buffering is a mechanism for controlling how much output data (excluding headers and cookies) PHP should keep internally before pushing that data to the client. Having this value set too small may slow down page generation. A value of 4096 (bytes) is recommended.

You may be able to adjust this value with this php.ini setting:

output_buffering = 4096

   Checking PHP disable functions

For security reasons, some hosts disallow PHP scripts from executing some functions. Typically these functions are for executing commands or running programs on the host, and usually does not effect the operation of the CMSMS core.

You should be aware of these disabled functions, and therefore know about any particular errors that may come up. If it is due to one of these functions you may need to contact your host to have this list adjusted.


   Checking for safe mode

Safe mode is an attempt to solve the shared host security issue. It disables numerous more functions, and causes other restrictions on filesystem interactions.

Under most shared server environments, individual accounts are not permitted to disable safe mode. You will probably need to contact your host.

Although the safe mode test falls under a "recommended" test, and the installation is allowed to proceed in a safe mode environment, use of CMSMS under safe mode is NOT SUPPORTED. Any support issues regarding an install operating in safe mode will be ignored. Proceed at your own risk.


   Check for PHP Open Basedir

This setting limits the files that can be opened by PHP to the specified directory-tree, including the file itself. It is used as a security mechanism on many shared hosts. Unfortunately it is often very restrictive.

Under most shared server environments, individual accounts are not permitted to disable or adjust this setting. You will probably need to contact your host.

Although the Open Basedir test falls under a "recommended" test, and the installation is allowed to proceed, use of CMSMS under this environment is not supported. Any support issues regarding an install operating with this setting may be ignored unless it can be illustrated that the issue is not a result of this setting. Proceed at your own risk.


   Test for remote URL

This test checks if your installation is capable of performing an HTTP request to a remote host. This functionality is used within the core for things as checking or new versions of CMSMS, and for downloading module packages.

If your host does not allow outgoing connections (for example if you are installing CMSMS from within an intranet) you can still proceed with the installation, however some functionality will not operate. Additionally, some third party addons may depend on this capability.


   Checking file uploads

This test checks if PHP's file upload capability is enabled. Without this capability a considerable amount of functionality within CMSMS will not function.

You may be able to adjust this value with this php.ini setting:

file_uploads = On

   Checking max post size

This test checks the maximum amount of data that PHP will accept in one POST request. POST requests are used for submitting forms (such as content pages, or templates), for ajax request and for file uploads. CMSMS requires a minimum of 2MB, but recommends 10MB or greater.

This setting should be greater than or equal to the "max upload file size" setting.

When allowing large post sizes you may need to adjust the "php time limit" setting to allow for the time of uploading larger files over slower remote connections.

You may be able to adjust this value with this php.ini setting:

post_max_size = 10M

   Checking max upload file size

This test reports the size of the largest file that PHP will allow to be uploaded. You should ensure that this value is large enough to accommodate the files your site will need to handle. For most web ready images, 2MB may be suitable, but for videos, PDF files or videos 2MB is insufficient.

You may be able to adjust this value with this php.ini setting:

upload_max_filesize = 10M

   Checking if uploads folder is writable

This test reports if the "uploads" folder underneath your installation is writeable by the httpd process. This functionality is required for file uploads to work, and for the normal operation of many addon modules.

If this test fails, you may need to recursively change the permissions of this folder.

chmod -R a=rwX uploads

   Checking if uploads/images folder is writable

This test reports if the "images" folder underneath your uploads folder in the installation is writeable by the httpd process. This functionality is required for file uploads to work, and for the normal operation of many addon modules.

If this test fails, you may need to recursively change the permissions of this folder.

chmod -R a=rwX uploads/images

   Checking if modules folder is writable

This test reports if the "modules" folder in the installation is writeable by the httpd process. This functionality is required for module manager, and XML module uploads to work.

If this test fails, you may need to recursively change the permissions of this folder.

chmod -R a=rwX modules

   Checking if session.save_path is writable

The session save path is where PHP will temporarily store data that is related to each visitors session (when sessions are saved as files). The HTTPD process needs to be able to write to this directory to save your visitors session information.

If your session.save_handler is equal to "files" and the Open Basedir restriction is in effect then the PHP process may not be able to store your users sessions properly. CMSMS will not operate properly under these conditions. You can try the following setting in your php.ini

session.save_path = <install dir>/tmp/cache

   session.use_cookies

This test checks that php will store the unique session identifier (a randomly generated string) will be stored as a "session cookie" on your browser and transmitted back to the website for each request.

CMS Made Simple makes extensive use of session data to store temporary user information. We rely on the session being available, particularly for access to the admin console.

While this option is not strictly mandatory, we believe that you will have extreme difficulty working with the CMSMS admin panel if it is not enabled. Additionally, some third party modules rely on the session for their frontend functionality. Any support issues regarding an install operating with this setting may be ignored unless it can be illustrated that the issue is not a result of this setting.
Proceed at your own risk.

If this setting is disabled, you may be able to it's value with this php.ini setting:

session.use_cookies = 1

   Checking for basic XML (expat) support

This test checks for the "xml" php extension. XML support is required for functions such as installing themes, installing modules and by some third party modules. Although the installation can continue without this extension some functionality may fail.


   Checking if the XMLReader class exists

The XMLReader class is a class created as an extension in PHP5 that provides simpler ways of interacting with XML files. Although the installation can continue without this extension, some functionality may fail.


   Checking for file_get_contents

This test ensures that the file_get_contents PHP function is defined, and not disabled. This function is used in various locations in CMSMS and in third party addons to read the contents of an entire file, or URL into memory.


   Checking if ini_set works

This test sees if php code can adjust some of the above settings at runtime. Some code that does processor intensive operations, or time consuming operations may attempt to override some php settings at runtime to attempt to ensure the success of the operation.

If this test fails it does not mean that CMSMS will not operate. However it may mean that some operations will fail, and require further configuration from you before they can succeed.


   Test for the curl library

This check tests for the availability of the curl php extension. The curl library is the preferred method of communicating with outside hosts. Though not strictly necessary for the use of CMSMS it is advised that it be enabled.


   Test curl version

Earlier versions of the curl library had some bugs that prevented it from working correctly. This test ensures that your curl library (if enabled) is new enough to not encounter those issues.


   Legend


The installation, upgrade, and system information all display icons next to each row to indicate the status of the test, and to provide assistance. Here is the meaning of each of those icons.

Symbol Definition
A test passed A test passed
A test failed A test failed
A setting is above the required value, but below the recommended value A setting is above the required value, but below the recommended value, or...
A capability that may be required for some optional functionality is unavailable
Info Installation Troubleshooting Info Installation Troubleshooting

   Additional Information


   Mod Security

Apache's Mod Security is an application level firewall that is used by many web hosts to attempt to increase security on their servers.

The CMSMS Dev team has seen numerous problem reports representing frequent difficulty with accessing the website or performing some functions. Additionally, due to the arbitrary nature of the firewall rules and frequent false positive problems the use of CMSMS in an environment where Mod Security is enabled is not supported.

Unfortunately, it is frequently difficult to diagnose whether a problem you are encountering is related to Mod Security or not. So please ensure that this firewall is disabled for your website before reporting issues.

   References