Professional PHP Programming - Securing your PHP Installation (Page 4 of 9)
Securing the module and the
CGI version of PHP differs somewhat. Most options apply to both the module and
the CGI version, but there are some that are only applicable to the CGI version
of PHP. I will first discuss the options both installations have in common and
then the CGI specific options.
Common Configuration Options

auto_prepend_file string
This configuration option is very handy for automating common tasks, such as connecting to databases, authenticating users or declaring often-used functions. Chapter 22 (Templates) has more information on the use of this option.
doc_root string
This configuration option is only used when PHP is running in safe mode. When safe mode is in effect, PHP will not parse files outside this directory.

engine boolean
With this option you can turn parsing of PHP scripts by the PHP module on or off on a per-directory or per-virtual host basis. You could combine this with Apache's AddHandler/Action directives to execute some scripts with the module and other scripts with the CGI version. The CGI version could be running under the suEXEC mechanism. More information on Apache's suEXEC mechanism can be found later in this chapter.
If you turn parsing of PHP scripts by the module off for a directory that contains PHP scripts, make sure that access to the scripts is disallowed or that the CGI version will parse these scripts. If you don't, the source of the scripts will be sent to the browser. If the source contains passwords, this can become a major problem. It is better to be safe than sorry, so check the contents of a directory before you turn the parsing of scripts off.
gpc_order string
Sets the order in which GET, POST and COOKIE data is parsed. For instance, if you set this to "PG", POST data will be parsed before GET data, so the GET data will override the data that resulted from the POST, and cookies will not be parsed at all. The default is "GPC".
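The merge rule described above, written out as an added example in Python (a model of the behaviour, not PHP's own code): each letter of gpc_order selects a source, sources are applied left to right, a later source overwrites an earlier value of the same name, and a source whose letter is missing is never read. The request data is constructed for the demonstration; it deliberately sends the same variable name through all three channels so the precedence is visible. Note that with the default "GPC" a cookie value wins over a POST field of the same name, which matters when a script treats the POST value as authoritative.

```python
def parse_request_variables(order, get, post, cookie):
    """Merge GET, POST and COOKIE data in the order named by `order`.

    Each letter of `order` (G, P or C) names a source. Sources are applied
    left to right and a later source overwrites an earlier value of the
    same name. A source whose letter does not appear is not parsed, which
    is why gpc_order = "PG" leaves cookie data out entirely.
    """
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in order.upper():
        if letter not in sources:
            raise ValueError(f"unknown source {letter!r} in gpc_order")
        merged.update(sources[letter])
    return merged


# Constructed sample request: the variable "user" arrives via all three
# channels so that the precedence rule can be observed directly.
SAMPLE_GET = {"user": "from_get", "page": "2"}
SAMPLE_POST = {"user": "from_post", "action": "save"}
SAMPLE_COOKIE = {"user": "from_cookie", "session": "abc"}


def demo(order):
    """Apply a given gpc_order value to the constructed sample request."""
    return parse_request_variables(order, SAMPLE_GET, SAMPLE_POST, SAMPLE_COOKIE)


if __name__ == "__main__":
    for order in ("GPC", "PG", "P"):
        print(order, demo(order))
```

With "GPC" the cookie value is the last one applied and therefore wins; with "PG" the GET value wins and the cookie's "session" variable never appears.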
include_path string
Specifies a list of directories where functions such as require, include and fopen will look for files. The format is like the system's PATH environment variable. In UNIX you use a colon to separate multiple directories, while in Windows you use a semicolon.

In UNIX you would use:
include_path = .:/websites/common:/websites/car2001

In Windows you would use:
include_path = .;c:\websites\common;d:\websites\car2001
open_basedir string
With the open_basedir option you can limit which files can be opened from PHP scripts.

When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory tree, PHP will refuse to open it. All symbolic links are resolved, so it is not possible to bypass this restriction with a symbolic link. If you use a single dot, PHP will only open files in the directory in which the script is stored, or any directory below it. You can specify multiple directories, just like you can with include_path.

The default is to allow all files to be opened.
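The check described above, as an added example written in Python; this is a model of the rule, not PHP's own implementation. It resolves the requested path with realpath before comparing, so both ".." components and symbolic links are followed, treats a single dot as the script's own directory, accepts a colon-separated list as in the UNIX include_path example, and treats an empty value as "no restriction". The demo builds a constructed directory layout in a temporary directory (a site directory, a shared include directory next to it, a file outside both, and a symlink inside the site pointing at that file) and reports which opens would be allowed.

```python
import os
import shutil
import tempfile


def expand_open_basedir(open_basedir, script_dir, sep=":"):
    """Turn an open_basedir value into absolute, symlink-resolved directories.

    A single dot stands for the directory holding the running script. The
    UNIX colon separator is the default, matching the page's examples.
    """
    bases = []
    for entry in open_basedir.split(sep):
        if entry == "":
            continue
        if entry == ".":
            entry = script_dir
        bases.append(os.path.realpath(entry))
    return bases


def is_open_allowed(path, open_basedir, script_dir):
    """Decide whether a script stored in `script_dir` may open `path`.

    The target is resolved with realpath first, so '..' components and
    symbolic links are followed before the comparison; a link inside the
    tree that points outside it is therefore refused. An empty open_basedir
    means everything may be opened (the documented default).
    """
    if not open_basedir:
        return True
    real = os.path.realpath(path)
    for base in expand_open_basedir(open_basedir, script_dir):
        # commonpath compares whole path components, so a sibling such as
        # /websites/car20012 is not mistaken for something under car2001.
        if os.path.commonpath([real, base]) == base:
            return True
    return False


def demo():
    """Run the check against a constructed layout in a temporary directory."""
    root = tempfile.mkdtemp()
    try:
        site = os.path.join(root, "websites", "car2001")
        common = os.path.join(root, "websites", "common")
        os.makedirs(site)
        os.makedirs(common)
        open(os.path.join(site, "index.php"), "w").close()
        open(os.path.join(common, "db.inc"), "w").close()
        secret = os.path.join(root, "secret.txt")      # outside both trees
        open(secret, "w").close()
        link = os.path.join(site, "harmless_name")     # symlink to the secret
        os.symlink(secret, link)

        dot_only = "."
        dot_and_common = common + ":."
        return {
            "own_dir": is_open_allowed(os.path.join(site, "index.php"), dot_only, site),
            "dotdot": is_open_allowed(os.path.join(site, "..", "..", "secret.txt"), dot_only, site),
            "symlink": is_open_allowed(link, dot_only, site),
            "prefix_sibling": is_open_allowed(site + "2/x.php", dot_only, site),
            "common_refused": is_open_allowed(os.path.join(common, "db.inc"), dot_only, site),
            "common_allowed": is_open_allowed(os.path.join(common, "db.inc"), dot_and_common, site),
            "no_restriction": is_open_allowed(secret, "", site),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'allowed' if allowed else 'refused'}")
```

The symlink case is the one worth studying: the link lives inside the allowed tree, but resolving it first makes the comparison operate on the real target, which is outside, so the open is refused.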
max_execution_time integer
This allows you to specify the maximum number of seconds a script is allowed to execute. If a script takes longer, the PHP parser terminates it. When not in safe mode, you can use the set_time_limit function to change this setting from a running script. For example, if the script has been running for 10 seconds and the set_time_limit function is called with a value of 30, the script will be allowed to run 40 seconds. Note that the amount of CPU time consumed is not taken into account. Even if the script does nothing for 40 seconds PHP still terminates it.

By default, a script is allowed to run 30 seconds. If you set the time limit to zero, either using this option or the set_time_limit function, no time limit is imposed on the script.
memory_limit integer
With the memory_limit option you can limit the amount of memory (in bytes) a script can use. You can only use memory limits if you have compiled PHP with support for it. In contrast to a time limit, you cannot change the amount of memory a script can use from the script itself. It can only be done from the PHP configuration file.

memory_limit = 204800 # Let the scripts use up to 200 KB of memory
safe_mode boolean
This option turns PHP's safe mode on or off. When PHP is run in safe mode, PHP will impose several security limitations on scripts.

safe_mode_exec_dir string
When safe mode is in effect, PHP will only allow you to execute programs from the specified directory.
sql.safe_mode boolean
MySQL has its own safe mode. If you set this to TRUE, mysql_connect and mysql_pconnect will ignore any host, user and password information you supply. This means you can only connect to the MySQL database as the user the web server is running as.
upload_tmp_dir string
This specifies where PHP should place files that are being uploaded.

user_dir string
This is the directory in which PHP will look for scripts in a user's home directory. Normally you will use the value you have also used for the UserDir directive in the Apache configuration (usually public_html), but you could also use other values. For instance, if you set this to public_html/php, then PHP scripts need to be located in the php subdirectory of public_html in order for PHP to parse them.
Database Specific Options

Most of the database modules have several options that may increase the availability of your application. The two most common options are max_persistent and max_links. Check the documentation of the particular database you are using to see which options are supported.
max_persistent integer
Allows you to set the maximum number
of persistent connections a single process can open at any one time. If you set
this value to 3 and you have set the number of webservers Apache is allowed to
start to 50, you could end up with 150 persistent connections. Please make sure
your database can handle this.
max_links integer
Allows you to set the maximum number of database connections a script can have. This includes both normal and persistent database connections. Don't set this too high, as your database may not be able to handle the sheer volume of connections.
Using Safe Mode

Running PHP in safe mode is a great way of making the use of PHP scripts safer, especially if you allow users to develop and run their own PHP scripts. Turning on safe mode will cause PHP to check a number of things before executing functions that could possibly be a security risk.
Include, ReadFile, Fopen, File, Unlink, RmDir, etc.
The owner of the file to be included must either be the same as the owner of the script running, or the directory in which the file resides must be owned by this user.

Exec, System, PassThru, etc.
Programs to be executed must reside in a special directory (the default is /usr/local/php/bin). You can set this value before compiling PHP with the --with-exec-dir option.

Mysql_Connect
This function takes an optional username to use to connect to a MySQL database. When in safe mode, this username must either be the username of the owner of the current file being parsed, or the name of the httpd user (usually nobody).

HTTP Authentication
The numerical user id of the owner of the script containing the HTTP Authentication code will be prepended to the authentication realm. This is to prevent someone from writing a password.
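The four safe-mode rules listed above, modelled as an added Python example; this is an illustration of the rules as the text states them, not PHP's own implementation. The stat function is injectable so the rules can be exercised with constructed ownership data (the uids, user names and paths below are invented for the demonstration; pass os.stat and real data for an actual tree). The exact separator PHP placed between the uid and the realm is not given on the page, so a hyphen is assumed here.

```python
import os
from collections import namedtuple

# Constructed stand-in for an os.stat result: only the owner uid matters here.
FakeStat = namedtuple("FakeStat", "st_uid")


class SafeModeChecker:
    """Model of the safe-mode checks for include-style functions, program
    execution, mysql_connect usernames and HTTP authentication realms."""

    def __init__(self, exec_dir, httpd_user, owner_name_of, stat=os.stat):
        self.exec_dir = os.path.normpath(exec_dir)   # safe_mode_exec_dir
        self.httpd_user = httpd_user                 # e.g. "nobody"
        self.owner_name_of = owner_name_of           # uid -> login name
        self.stat = stat

    def may_include(self, script_path, file_path):
        """Include/ReadFile/Fopen/...: the file's owner, or the owner of the
        directory the file resides in, must be the running script's owner."""
        script_uid = self.stat(script_path).st_uid
        if self.stat(file_path).st_uid == script_uid:
            return True
        return self.stat(os.path.dirname(file_path)).st_uid == script_uid

    def may_exec(self, program):
        """Exec/System/PassThru/...: the program must live directly in the
        exec directory. normpath collapses '..' so a path that walks back
        out of the directory is compared by where it really ends up."""
        return os.path.dirname(os.path.normpath(program)) == self.exec_dir

    def may_connect_as(self, script_path, username):
        """Mysql_Connect: username must be the script owner or the httpd user."""
        owner = self.owner_name_of[self.stat(script_path).st_uid]
        return username in (owner, self.httpd_user)

    def auth_realm(self, script_path, realm):
        """HTTP Authentication: the owner's numerical uid is prepended to the
        realm (hyphen separator assumed), so two users' scripts cannot share
        a realm even if they ask for the same name."""
        return f"{self.stat(script_path).st_uid}-{realm}"


# Constructed file tree: path -> owner uid. alice is 1001, bob is 1002.
CONSTRUCTED_OWNERS = {
    "/home/alice/public_html": 1001,
    "/home/alice/public_html/index.php": 1001,
    "/home/alice/public_html/lib.inc": 1001,
    "/home/alice/public_html/shared": 1001,
    "/home/alice/public_html/shared/bobs.inc": 1002,  # bob's file, alice's dir
    "/home/bob/public_html": 1002,
    "/home/bob/public_html/secret.inc": 1002,
}


def fake_stat(path):
    """Look ownership up in the constructed tree instead of the real disk."""
    return FakeStat(CONSTRUCTED_OWNERS[path])


def demo():
    """Run every rule from the point of view of alice's index.php."""
    checker = SafeModeChecker("/usr/local/php/bin", "nobody",
                              {1001: "alice", 1002: "bob"}, stat=fake_stat)
    script = "/home/alice/public_html/index.php"
    return {
        "own_file": checker.may_include(script, "/home/alice/public_html/lib.inc"),
        "other_users_file": checker.may_include(script, "/home/bob/public_html/secret.inc"),
        "other_file_in_own_dir": checker.may_include(script, "/home/alice/public_html/shared/bobs.inc"),
        "exec_in_dir": checker.may_exec("/usr/local/php/bin/sendmail"),
        "exec_elsewhere": checker.may_exec("/bin/sh"),
        "exec_dotdot": checker.may_exec("/usr/local/php/bin/../../../../bin/sh"),
        "db_as_owner": checker.may_connect_as(script, "alice"),
        "db_as_nobody": checker.may_connect_as(script, "nobody"),
        "db_as_bob": checker.may_connect_as(script, "bob"),
        "realm": checker.auth_realm(script, "Members"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The "other_file_in_own_dir" case shows the second half of the include rule: bob's file is readable from alice's script only because it sits in a directory alice owns, which is exactly why the ownership of shared upload directories deserves attention under safe mode.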
©1998 Wrox Press Limited, US and UK.