Safe_mode security mode configuration in php _ PHP Tutorial

Detailed description of safe_mode security mode configuration in php. There is a common mode and security mode in php. Currently, most data users directly use the php common mode of the application, because many functions have been configured in the security mode and the security mode in php, most data users now directly use the php common mode of the application, because many functions are restricted after the security mode configuration, I will introduce the security mode configuration method as follows.

When security mode is enabled, the functions of the following function list will be restricted:

Chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink

Similarly, some php extension functions will also be affected. (Loading module: in safe mode, dl functions will be disabled. to load extensions, you can only modify the extension options in php. ini and load them when php starts)

When enabling php Security mode, you must specify the directory program in the safe_mode_exec_dir option when executing the operating system program. Otherwise, the execution will fail. Even if execution is allowed, it is automatically passed to the escapeshellcmd function for filtering.

The list of functions that execute the following commands will be affected:

Exec, shell_exec, passthru, system, popen

In addition, the back Mark operator (') will also be disabled.

When running in safe mode, although it does not cause errors, the putenv function will be invalid. Similarly, other functions that attempt to change the php environment variables, such as set_time_limit and set_include_path, will also be ignored.

1. the applicability of all input and output functions (such as fopen (), file (), and require () is limited and can only be used to have files of the same owner as the scripts that call these functions. For example, if the security mode is enabled, if Mary's script calls fopen () and tries to open a file owned by Jonhn, it will fail. However, if Mary not only owns the script for calling fopen (), but also the file called by fopen (), it will succeed.
2. if you try to execute scripts through functions such as popen (), system (), and exec (), it is only possible to run the scripts in the directory specified by the safe_mode_exec_dir configuration command.
3. HTTP verification is further enhanced because the UID used by the verification script is included in the verification domain. In addition, PHP_AUTH is not set when security mode is enabled.
4. if the MySQL database server is applicable, the user name used to connect to the MySQL server must be the same as the user name of the file owner who calls mysql_connect.

1) enable the php Security mode

The security mode of php is a very important embedded security mechanism that can control some php functions, such as system (),
At the same time, many File operation functions are subject to permission control, and files of some key files are not allowed, such as/etc/passwd,
However, the default php. ini mode does not enable the security mode. open it:
Safe_mode = on

(2) User Group Security

When safe_mode is enabled and safe_mode_gid is disabled, the php script can access the file and
Group users can also access files.
Recommended settings:

Safe_mode_gid = off

If you do not set it, we may not be able to operate the files under the website directory of our server. for example, we need
During file operations.

(3) main directory for executing programs in safe mode

If security mode is enabled, but you want to execute some programs, you can specify the main directory of the program to be executed:

Safe_mode_exec_dir = D:/usr/bin

Generally, you do not need to execute any program. Therefore, we recommend that you do not execute the System program directory, which can point to a directory,
Then copy the program to be executed, for example:

Safe_mode_exec_dir = D:/tool/exe

However, I recommend that you do not execute any program, so you can point to our webpage Directory:

Safe_mode_exec_dir = D:/usr/www

(4) file inclusion in security mode

If you want to include some public files in safe mode, modify the following options:

Safe_mode_include_dir = D:/usr/www/include/

In fact, the files contained in the php script are all written in the program itself, which can be set as needed.

(5) control directories accessible by php scripts

You can use the open_basedir option to control the PHP script to access only the specified directory, so as to avoid PHP script access.
Files that should not be accessed limit the harm of phpshell to a certain extent. we can generally set to only access the website directory:

Open_basedir = D:/usr/www

(6) disable dangerous functions

If the security mode is enabled, the function is not required, but we should consider it for security. For example,
We do not want to execute a php function that includes system () and so on that can execute commands, or can view php information.
Phpinfo () and other functions, we can disable them:

Disable_functions = system, passthru, exec, shell_exec, popen, phpinfo

If you want to disable operations on any files and directories, you can disable many file operations.

Disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete,

Copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

The above only lists some file processing functions that are not commonly used. you can also combine the preceding command functions with this function,
You can resist most phpshells.

(7) disable PHP version information leakage in the http header

To prevent hackers from obtaining information about the php version on the server, we can disable this information in the http header:

Expose_php = Off

For example, when hackers telnet www.target.com 80, they will not be able to see the PHP information.

(8) disable registration of global variables

Variables submitted in PHP, including those submitted using POST or GET, are automatically registered as global variables and can be directly accessed,
This is very insecure for the server, so we can disable the register global variable option if we cannot register it as a global variable:
Register_globals = Off
Of course, if this is set, a reasonable way should be used to obtain the corresponding variable, such as getting the variable var submitted by GET,
You need to use $ _ GET ['var'] to obtain it. This php programmer should pay attention to it.

(9) enable magic_quotes_gpc to prevent SQL injection.

SQL injection is a very dangerous problem. in small cases, the website background is intruded, while in heavy cases, the entire server is compromised,

So be careful. Php. ini has a setting:

Magic_quotes_gpc = Off

This is disabled by default. if it is enabled, it will automatically convert the SQL query submitted by the user,
For example, convert 'to' to ', which plays a major role in preventing SQL injection. Therefore, we recommend the following settings:

Magic_quotes_gpc = On

...