PHP security measures and safe mode

伊谢尔伦
Release: 2016-11-22 10:21:56
Original
1563 people have browsed it

PHP’s safe mode was established to try to solve the security problem of shared-server. Structurally, it makes no sense to try to solve this problem on the PHP layer, but modifying the web server layer and operating system layer seems very unrealistic. So many people, especially ISPs, currently use safe mode.

The following are the safe mode settings in php.ini:

safe_mode boolean

Whether to enable PHP’s safe mode.

safe_mode_gid boolean

By default, safe mode will do a UID comparison check when opening a file. If you want to relax it to GID comparison, turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) to check when accessing files.

safe_mode_include_dir string

Bypass UID/GID checks when including files from this directory and its subdirectories (directories must be in include_path or included with full paths).

Starting from PHP 4.2.0, this directive can accept paths separated by colons (semicolons on Windows) in a similar style to the include_path directive, instead of just a directory. The specified limit is actually a prefix, not a directory name. This means that "safe_mode_include_dir = /dir/incl" will allow access to "/dir/include" and "/dir/incls" if they exist. If you wish to restrict access to a specific directory, add a trailing slash, for example: "safe_mode_include_dir = /dir/incl/". If the value of this directive is empty, files with different UID/GID in PHP 4.2.3 and onward will not be included. In earlier versions, all files could be included.

safe_mode_exec_dir string

If PHP uses safe mode, system() and other program execution functions will refuse to start programs that are not in this directory. Must use / as directory separator, including on Windows.

safe_mode_allowed_env_vars string

Setting certain environment variables may be a potential security gap. This directive contains a comma separated list of prefixes. In safe mode, users can only change environment variables whose names have the prefix provided here. By default, users can only set environment variables starting with PHP_ (e.g. PHP_FOO = BAR).

Note:

If this directive is empty, PHP will allow the user to modify any environment variable!

safe_mode_protected_env_vars string

This command contains a comma-separated list of environment variables that end users cannot use putenv() to change. These variables cannot be changed even when allowed modifications are set in safe_mode_allowed_env_vars.

When safe_mode is set to on, PHP will check through the file function or its directory whether the owner of the current script matches the owner of the file to be operated on. For example:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd
Copy after login

Run script.php

<?php
readfile(&#39;/etc/passwd&#39;);
?>
Copy after login

If safe mode is activated, this will result in the following error:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
Copy after login

At the same time, there may be environments where relaxed GID checking is sufficient, but Strict UID checking is not appropriate. This check can be controlled with the safe_mode_gid option. If set to On, a relaxed GID check is performed; when set to Off (default), a UID check is performed.

Except for safe_mode, if the open_basedir option is set, all file operations will be restricted to the specified directory. For example:

<Directory /docroot>
  php_admin_value open_basedir /docroot
</Directory>
Copy after login

If you run the same script.php after setting the open_basedir option, the result will be:

Warning: open_basedir restriction in effect. File is in wrong directory in
/docroot/script.php on line 2
Copy after login

You can also block certain functions individually. Please note that the disable_functions option cannot be used outside the php.ini file, which means that functions cannot be blocked by different virtual hosts or different directories in the httpd.conf file. If you add the following to the php.ini file:

disable_functions readfile,system
Copy after login

you will get the following output:

Warning: readfile() has been disabled for security reasons in
/docroot/script.php on line 2
Copy after login

WARNING
Of course, these PHP restrictions do not apply to executable files.


Related labels:
php
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!