php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #37759 OCIEnvNlsCreate() failed
Submitted: 2006-06-09 08:06 UTC Modified: 2006-08-09 13:00 UTC
From: christian dot schaffer at muenchen dot de Assigned:
Status: Not a bug Package: OCI8 related
PHP Version: 5.1.4 OS: Solaris 10
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: christian dot schaffer at muenchen dot de
New email:
PHP Version: OS:

 

 [2006-06-09 08:06 UTC] christian dot schaffer at muenchen dot de 
Description:
------------
OCIEnvNlsCreate() failed. There is something wrong with your system - please check that ORACLE_HOME is set and points to the right directory in <file>.php

Configure line is:
#!/bin/sh
#
/localdata/build/php/php-5.1.4/configure \
--enable-bcmath \
--enable-calendar \
--enable-ctype \
--enable-dbase \
--enable-discard-path \
--enable-exif \
--enable-filepro \
--enable-force-cgi-redirect \
--enable-ftp \
--enable-gd-native-ttf \
--enable-magic-quotes \
--enable-mbstring \
--enable-memory-limit \
--enable-safe-mode \
--enable-shmop \
--enable-sigchild \
--enable-sysvsem \
--enable-sysvshm \
--enable-versioning \
--enable-wddx \
--with-bz2 \
--with-dom \
--with-libxml-dir=/opt/csw \
--with-gettext=/opt/csw \
--with-jpeg-dir=/opt/csw \
--with-ldap=/opt/csw \
--with-mysql=/opt/csw/mysql5 \
--with-ndbm \
--with-pgsql=/opt/csw/postgresql \
--with-png-dir=/opt/csw \
--with-iconv=/opt/csw \
--with-tiff-dir=/opt/csw \
--with-ttf=/opt/csw \
--with-freetype-dir=/opt/csw \
--with-xpm-dir=/opt/csw \
--with-zlib=/opt/csw \
--with-gd=/opt/csw \
--with-oci8=/opt/oracle \
--with-apxs2=/opt/csw/apache2/sbin/apxs

System applies Oracle Client 10.2.0.1.0

Reproduce code:
---------------
$co = OciLogon(user,pass,sid);


Expected result:
----------------
Oracle connection establishes

Actual result:
--------------
Warning: ocilogon() [function.ocilogon]: OCIEnvNlsCreate() failed. There is something wrong with your system - please check that ORACLE_HOME is set and points to the right directory in /data/www/htdocs/const.php on line 120

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-12 10:49 UTC] tony2001@php.net 
The error message is pretty clear.
Not PHP problem.
 [2006-08-09 11:02 UTC] christian dot schaffer at muenchen dot de 
Problem only relevant with Oracle Client 10.2.x, not e.g. with 10.1.x. Caused by Oracle's overall strategy to tighten up security, the directory permissions are not appropriate for use with third-party software.

One-off patch for Solaris 10 (x64) is being developed.
 [2006-08-09 11:35 UTC] tony2001@php.net 
Could you elaborate plz?
This part the most interesting: "the directory permissions are not appropriate for use with third-party software".
 [2006-08-09 12:55 UTC] christian dot schaffer at muenchen dot de 
Oracle usually provides binaries for a choice of operating systems. The versions may differ in some aspects. Therefore, the following is applicable for Oracle Client 10.2.x on Solaris 10 (x64) only:
In 10.2.x, the directories below $ORACLE_HOME were not world readable any more. Users other than root or the oracle owner are not able to change into directories below $ORACLE_HOME, including the apache user "nobody".
[oracle/lib] # ll
Gesamt 298260
drwxr-x---   3 oracle   oinstall    2560 Aug  3 11:09 .
drwxr-x---  35 oracle   oinstall    1024 Aug  3 11:09 ..

Hence, building PHP 5.1.4 with oci8 support as root succeeded, because root is able to read into $ORACLE_HOME/lib during compile.

On the contrary, using oci8 functionality as nobody was not possible, because "nobody" is not allowed to read into the libs residing in e.g. $ORACLE_HOME/lib.

There are various ways of working around this issue:
1) Join apache user to oinstall group
This was discussed earlier in bug reports. I personally am not very fond of this workaround, though there probably won?t be a high security risc.
2) Change directory permissions manually
This was proposed by Oracle Support. I actually don?t like this idea too much either, because I don?t tend to mess with installations of closed source software. Someone certainly had reasons to do it the way it is done. Furthermore, no one was able to tell me, which directories to change permissoins of.
3) Apply patch delivered by Oracle
This is the solution, I like the most. Obviously, the problem occurred on other platforms already, because there are patches available. Unfortunately, for the Solaris 10 (x64) version, there is no patch available yet. Therefore, Oracle filed a One Off Backport request for me. The patch is under development at the moment.

To get my system runnig, I went back to Oracle Client 10.1.0.3. In this version, the directory permissions are set as follows:
[oracle/lib] # ll
Gesamt 298260
drwxr-xr-x   3 oracle   oinstall    2560 Aug  3 11:09 .
drwxr-xr-x  35 oracle   oinstall    1024 Aug  3 11:09 ..

Here, "nobody" is able to read into the $ORACLE_HOME/lib. PHP?s OCI8 functionality is working as desired.
 [2006-08-09 13:00 UTC] tony2001@php.net 
>1) Join apache user to oinstall group
I think this is the best solution.
At least, it's much better than changing ORACLE_HOME to be world-readable from security point of view.

I'd also suggest you to use Oracle Instant Client, which doesn't require ORACLE_HOME at all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 17 03:01:32 2024 UTC