Home arrow PHP arrow Page 2 - Secure PHP Programming

Configuring PHP Securely - PHP

Long before a website goes live, you need to take its online security into consideration -- to be ready for the attackers even before they might gain access. This three-part article series will warn you of what to watch out for, particularly when configuring PHP, and help you to secure your website. It is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

TABLE OF CONTENTS:
  1. Secure PHP Programming
  2. Configuring PHP Securely
  3. Other Security-Related Configuration Parameters
  4. Hiding Configuration Details
By: Apress Publishing
Poor Best
Rating: starstarstarstarstar / 1
August 12, 2010

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

PHP offers a number of configuration parameters that are intended to greatly increase its level of security awareness. This section introduces many of the most relevant options.

Safe Mode

If you’re running a version of PHP earlier than PHP 6, safe mode will be of particular interest if you’re running PHP in a shared-server environment. When enabled, safe mode always verifies that the executing script’s owner matches the owner of the file that the script is attempting to open. This prevents the unintended execution, review, and modification of files not owned by the executing user, provided that the file privileges are also properly configured to prevent modification. Enabling safe mode also has other significant effects on PHP’s behavior, in addition to diminishing, or even disabling, the capabilities of numerous standard PHP functions. These effects and the numerous safe mode–related parameters that comprise this feature are discussed in this section.

Caution  As of version 6, safe mode is no longer available. See Chapter 2 for more information.

safe_mode = On | Off

Scope: PHP_INI_SYSTEM ; Default value: Off

Enabling the safe_mode directive places restrictions on several potentially dangerous language features when using PHP in a shared environment. You can enable safe_mode by setting it to the Boolean value of On , or disable it by setting it to Off . Its restriction scheme is based on comparing the UID (user ID) of the executing script and the UID of the file that the script is attempting to access. If the UIDs are the same, the script can execute; otherwise, the script fails.

Specifically, when safe mode is enabled, several restrictions come into effect:

  1. Use of all input/output functions (e.g., fopen() , file() , and require() ) is restricted to files that have the same owner as the script that is calling these functions. For example, assuming that safe mode is enabled, if a script owned by Mary calls fopen() and attempts to open a file owned by John, it will fail. However, if Mary owns both the script calling fopen() and the file called by fopen() , the attempt will be successful.
  2. Attempts by a user to create a new file will be restricted to creating the file in a directory owned by the user.
  3. Attempts to execute scripts via functions such as popen() , system() , or exec() are only possible when the script resides in the directory specified by the safe_mode_exec_dir configuration directive. This directive is discussed later in this section.
  4. HTTP authentication is further strengthened because the UID of the owner of the authentication script is prepended to the authentication realm. Furthermore, the PHP_AUTH variables are not set when safe mode is enabled.
  5. If using the MySQL database server, the username used to connect to a MySQL server must be the same as the username of the owner of the file calling mysql_connect() .

The following is a complete list of functions, variables, and configuration directives that are affected when the safe_mode directive is enabled:   

apache_request_headers()

mail()

backticks()and the backtick operator

max_execution_time()

chdir()

mkdir()

chgrp()

move_uploaded_file()

chmod()

mysql_*

chown()

parse_ini_file()

copy()

passthru()

dbase_open()

pg_lo_import()

dbmopen()

popen()

(continued)

dl()

posix_mkfifo()

exec()

putenv()

filepro()

rename()

filepro_retrieve()

rmdir()

filepro_rowcount()

set_time_limit()

fopen()

shell_exec()

header()

show_source()

highlight_file()

symlink()

ifx_*

system()

ingres_*

touch()

link()

unlink()

safe_mode_gid = On | Off

Scope: PHP_INI_SYSTEM ; Default value: 0ff

This directive changes safe mode’s behavior from verifying UIDs before execution to verifying group IDs. For example, if Mary and John are in the same user group, Mary’s scripts can call fopen() on John’s files.

safe_mode_include_dir = string

Scope: PHP_INI_SYSTEM ; Default value: NULL

You can use safe_mode_include_dir to designate various paths in which safe mode will be ignored if it’s enabled. For instance, you might use this function to specify a directory containing various templates that might be incorporated into several user Web sites. You can specify multiple directories by separating each with a colon on Unix-based systems, and a semicolon on Windows.

Note that specifying a particular path without a trailing slash will cause all directories falling under that path to also be ignored by the safe mode setting. For example, setting this directive to /home/configuration means that /home/configuration/templates/ and /home/configuration/passwords/ are also exempt from safe mode restrictions. Therefore, if you’d like to exclude just a single directory or set of directories from the safe mode settings, be sure to conclude each with the trailing slash.

safe_mode_allowed_env_vars = string

Scope: PHP_INI_SYSTEM ; Default value: "PHP_"

When safe mode is enabled, you can use this directive to allow certain environment variables to be modified by the executing user’s script. You can allow multiple variables to be modified by separating each with a comma.

safe_mode_exec_dir = string

Scope: PHP_INI_SYSTEM ; Default value: NULL

This directive specifies the directories in which any system programs reside that can be executed by functions such as system() , exec() , or passthru() . Safe mode must be enabled for this to work. One odd aspect of this directive is that the forward slash (/) must be used as the directory separator on all operating systems, Windows included.

safe_mode_protected_env_vars = string

Scope: PHP_INI_SYSTEM ; Default value: LD_LIBRARY_PATH

This directive protects certain environment variables from being changed with the putenv() function. By default, the variable LD_LIBRARY_PATH is protected because of the unintended consequences that may arise if this is changed at run time. Consult your search engine or Linux manual for more information about this environment variable. Note that any variables declared in this section will override anything declared by the safe_mode_allowed_env_vars directive.



 
 
>>> More PHP Articles          >>> More By Apress Publishing
 

blog comments powered by Disqus
   

PHP ARTICLES

- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...
Find More PHP Articles

Developer Shed Affiliates

 

© 2003-2013 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap

Dev Shed Tutorial Topics: