What does safe mode in PHP refer to?

Source: Internet
Author: User
Tags readfile

The manual says:
Chapter 24. Safe Mode
Table of Contents
Functions restricted or disabled by safe mode
PHP safe mode is an attempt to solve the security problems of shared servers. Architecturally, it is unreasonable to try to solve this problem at the PHP layer, but modifying the web server layer and the operating system layer is very unrealistic. So many people, not usually ISPs, currently use safe mode.


Table 24-1. Configuration options that control safe mode

Option                          Default value
safe_mode                       Off
safe_mode_gid                   0
safe_mode_include_dir           ""
safe_mode_exec_dir              1
open_basedir                    ""
safe_mode_allowed_env_vars      PHP_
safe_mode_protected_env_vars    LD_LIBRARY_PATH
disable_functions               ""


When safe_mode is set to On, PHP checks whether the owner of the current script matches the owner of the file that a file function is about to operate on. For example:
-rw-rw-r-- 1 Rasmus Rasmus 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 18:01 /etc/passwd

Running script.php:
<?php
readfile('/etc/passwd');
?>

If safe mode is enabled, the following error results:
Warning: safe mode restriction in effect. The script whose UID is
Allowed to access /etc/passwd owned by UID 0 in /docroot/script.php in line 2



There may also be environments in which a strict UID check is not appropriate and a relaxed GID check is sufficient. The safe_mode_gid option controls this. Setting it to On performs the relaxed GID check; setting it to Off (the default) performs the UID check.

In addition to safe_mode, if you set the open_basedir option, all file operations are limited to the directory you specify. For example:
<Directory /docroot>
    php_admin_value open_basedir /docroot
</Directory>

If you run the same script.php after setting open_basedir, the result is:
Warning: open_basedir restriction in effect. The file is in wrong directory in
/docroot/script.php on line 2
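
The owner, group and directory checks described above can be reproduced in userland to see which files a script would be refused. The following is an added example, not code from the PHP manual or PHP's internal implementation; it is useful mainly because safe_mode itself was deprecated in PHP 5.3.0 and removed in PHP 5.4.0. The function name safeModeVerdict and the use of the script's own directory as a stand-in for /docroot are assumptions made for the illustration, and a Unix-like host is assumed.

```php
<?php
// Added illustration (not PHP's internal implementation): re-creates, in
// userland, the checks the text above describes. Assumes a Unix-like host.

/** Returns the reasons the access would be refused; an empty array means allowed. */
function safeModeVerdict(string $target, bool $safeModeGid, string $openBasedir): array
{
    $reasons = [];
    $real = realpath($target);
    if ($real === false) {
        return ["$target does not exist"];
    }

    // Owner check: getmyuid()/getmygid() report the owner of the *script file*,
    // which is what is compared, not the user the web server process runs as.
    $uidOk = getmyuid() === fileowner($real);
    $gidOk = $safeModeGid && getmygid() === filegroup($real);
    if (!$uidOk && !$gidOk) {
        $reasons[] = sprintf('safe_mode: script uid %d, file owned by uid %d',
            getmyuid(), fileowner($real));
    }

    // open_basedir: the resolved path must sit inside the allowed directory.
    // Resolving with realpath() first means symlinks and ../ cannot step outside.
    if ($openBasedir !== '') {
        $base = realpath($openBasedir);
        $prefix = $base === false ? null : rtrim($base, '/') . '/';
        if ($prefix === null || strncmp($real . '/', $prefix, strlen($prefix)) !== 0) {
            $reasons[] = "open_basedir: $real is outside $openBasedir";
        }
    }
    return $reasons;
}

// Constructed demo: this script's own directory stands in for /docroot.
$docroot = __DIR__;
foreach (['/etc/passwd', __FILE__] as $path) {
    foreach ([false, true] as $gid) {
        $why = safeModeVerdict($path, $gid, $docroot);
        printf("%-12s safe_mode_gid=%s -> %s\n", basename($path),
            $gid ? 'On' : 'Off', $why ? implode('; ', $why) : 'allowed');
    }
}
```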



You can also disable individual functions. Note that the disable_functions option cannot be used outside of the php.ini file, which means that you cannot disable functions per virtual host or per directory in httpd.conf. If we add the following to the php.ini file:
disable_functions = readfile,system

Then we get the following output:
Warning: readfile() has been disabled for security reasons in
