Bug 741958 - RFE: enable default error logging in PHP to a log file
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-09-28 15:33 UTC by Vincent Danen
Modified: 2012-06-26 19:30 UTC

Last Closed: 2012-06-22 12:04:10 UTC

Description Vincent Danen 2011-09-28 15:33:23 UTC
A number of CVEs were assigned to various PHP applications recently regarding error logging being printed to the web browser, which can be used to expose path information, etc.  One such example is in Drupal7 (bug #741389).  Turns out our default PHP installation disables error logging completely, so this isn't really a big deal for us -- unless the user enables it.

In the course of discussing it, it came up that it might be nice if our PHP enabled error logging by default, across the board, to a predictable log file such as /var/log/httpd/php-errors.log or something similar.  Doing this might keep a user from enabling error logging that goes to the browser (since it would already be enabled, and going to a log file; using log_errors rather than display_errors).

We could go a step further and include a log rotation script for this file as well, so that it doesn't grow out of hand (treat it like any other log file).

The obvious benefits are that error logging is enabled and we already have a non-browser location specified, so a user wouldn't enable logging (i.e. debugging a PHP app) and then neglect to set the log location (which would have it go to the browser by default).

We already have log_errors = On defined, but don't specify a location to log to.  All we need to do is set error_log to something (our default is set to nothing, which doesn't make much sense if log_errors is on).

Comment 1 Vincent Danen 2011-09-28 15:42:10 UTC
On a side note, I did realize after-the-fact that log_errors being on, and without an error_log defined, will put PHP errors/warnings into the Apache logs (since we have LogLevel warn defined).  I still think that a system-wide default makes sense as well, though.

Comment 2 Joe Orton 2011-09-28 15:51:37 UTC
What do you mean by "system wide default"? /etc/php.ini is the system wide default.

For the cgi/cli SAPI, it will log to stderr by default.  For mod_php, it will log to the httpd error log as determined by the httpd configuration.  Why/how would you change either of those things, and how would it help?

I think this conversation would be better on the fedora-php-devel-list.

Comment 3 Vincent Danen 2011-09-28 18:16:04 UTC
By system-wide default I meant a configuration change in php.ini to have a single file to contain all the php errors (rather than splitting it into other files, like the apache logs which on some hosts could be quite a few different files resulting in many places to look rather than one single place to look).

I also didn't realize that these were being logged in the apache logs until after I had filed the bug.

By enabling error_log, when used on the CLI or mod_php, errors will get logged to the defined log file (i.e. /var/log/httpd/php_errors.log).  That doesn't replace stderr for the CLI.  It may be an additional location for mod_php; I'm not sure if it prevents logging to the apache log file.

The idea is to give users a predictable place to look for errors so that they don't do silly things like enable display_errors (which, lame as it is, resulted in over 120 CVE name assignments for various PHP apps).  This is an attempt to find a solution that can be looked at as a default predictable place to find these errors across-the-board.

Comment 4 Joe Orton 2012-06-22 12:04:10 UTC
I really can't see how this is appropriate/feasible.  You don't want to have a log file which is writable both by any user of the php cli and mod_php, it would be unreliable/insecure by definition, since the cli can be invoked by an unprivileged user.  Example given, /var/log/httpd is only writable by root.

I don't particularly see a problem with the status quo, and absent any concrete proposal on what to change I don't want to leave this open indefinitely... ideas still welcome, of course!

Comment 5 Vincent Danen 2012-06-26 19:30:36 UTC
No problem; it's been open for a while and whether we provide a more sane default or not, the administrator has the power to do this (and a good admin will do this).  I can't think of anything more clever other than perhaps having it log to the apache logs by default, but that's also easily enough done.  One idea might just be some additional documentation in php.ini making users (who may not know better) aware of some options.
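
An added example, not part of the original bug report or of Fedora's PHP packaging: a Python check that reads a php.ini and reports where errors will go according to the three directives discussed in this thread (display_errors, log_errors, error_log). The sample file and the function names are constructed for illustration, and the check reports only what the file states explicitly, not PHP's built-in defaults.

```python
import re

# Constructed sample (not Fedora's shipped php.ini): errors go to the
# browser and error_log is left empty, the state the report describes.
SAMPLE_INI = """\
[PHP]
display_errors = On     ; enabled while debugging an app
log_errors = On
;error_log = /var/log/httpd/php-errors.log
error_log =
"""

ON = {"1", "on", "yes", "true"}
LINE = re.compile(r'\s*([^=;\s\[]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)  # comment and [section] lines do not match
        if m:
            quoted, bare = m.group(2), m.group(3)
            settings[m.group(1)] = quoted if quoted is not None else bare.strip()
    return settings

def audit(settings):
    """Return (level, message) findings for the directives in the thread."""
    findings = []
    display = settings.get("display_errors", "").lower()
    log_on = settings.get("log_errors", "").lower() in ON
    target = settings.get("error_log", "")
    if display in ON or display == "stdout":
        findings.append(("WARN", "display_errors sends errors to the client"))
    if not log_on:
        findings.append(("WARN", "log_errors is not enabled in this file"))
    elif not target:
        findings.append(("INFO", "error_log empty: SAPI default destination "
                                 "(httpd error log for mod_php, stderr for CLI)"))
    else:
        # Comment 4's concern: one file shared by the CLI and mod_php
        findings.append(("INFO", "error_log=%s needs write access for every "
                                 "account that runs PHP" % target))
    return findings

if __name__ == "__main__":
    for level, message in audit(parse_php_ini(SAMPLE_INI)):
        print(level, message)
```
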

