Nginx + php-fpm fastcgi prevents cross-site and cross-directory security settings

0x00 lab objective

According to the article "PHP bypassing open_basedir column directory research", test different configurations to verify whether the basedir bypass method in this article is effective, so as to safely configure php open_basedir.
The following methods are used in windwos to list directories by enumeration. In linux, brute-force guesses are required. Therefore, no tests are performed.

Test whether the "DirectoryIterator + Glob" method can bypass open_basedir
Test whether the webshell tool "kitchen knife" can bypass open_basedir

0x01 lab environment

Nginx + PHP 5.6.7 fastcgi mode, centos7 linux
Currently, the configuration of open_basedir has three php-fpm.conf places, nginx fastcgi_param, php. ini
Perform the following tests one by one.

0x02 Test details

Configure in php-fpm.conf only

Php_admin_value [open_basedir] =/home/wwwroot/:/proc/:/tmp/

Result

Open_basedir directories cannot be read or written, but DirectoryIterator + Glob can successfully list the entire file.

Current open_basedir
Open_basedir:/home/wwwroot/:/proc/:/tmp/
 
-- DirectoryIterator + Glob --.
..
. Autorelabel
Bin
Boot
Dev
Etc
Home
Lib
Lib64
Media
Mnt
Opt
Proc
Root
Run
Sbin
Srv
Sys
Tmp
Usr
Vagrant
Var
The kitchen knife cannot be transferred out of basedir.

 

Only configure fastcgi_param in nginx

# Set php open_basedir
Fastcgi_param PHP_ADMIN_VALUE "open_basedir = $ document_root/:/tmp/:/proc /";
"$ Document_root" is the variable in nginx, which is the root directory of each server in nginx.
For example, the root directory configured for server www.111cn.net is/home/wwwroot/www.111cn.net.

Read the php manual carefully.
The PHP configuration value is set through php_value or php_flag and overwrites the previous value.
Note that the value defined by disable_functions or disable_classes in php. ini will not be overwritten, but the new settings will be appended to the original values.
The value defined by php_admin_value or php_admin_flag cannot be
Ini_set () overwrites the code. From 5.3.3, you can also set it through the web server.
PHP settings. That is, configuring php in fastcgi_param in the nginx
Php_flag is used to set Boolean values, such as on, off, 1, 0, true, false, yes, no,
Php_value is used to set all types of values.

The result is the same as above.

Open_basedir directories cannot be read or written, but DirectoryIterator + Glob can successfully list the entire file.

The kitchen knife cannot be transferred out of basedir.

 

Only configured in php. ini

[HOST = www.111cn.net]
Open_basedir =/home/wwwroot/www.111cn.net/:/proc/:/tmp/
[PATH =/home/wwwroot/www.111cn.net/]
Open_basedir =/home/wwwroot/www.111cn.net/:/proc/:/tmp/
When HOST = www.111cn.net sets open_basedir, when PATH =/home/wwwroot/www.111cn.net/

Set open_basedir. During the test, either of the two settings is valid.

The result is the same as above.

Open_basedir directories cannot be read or written, but DirectoryIterator + Glob can successfully list the entire file.

The kitchen knife cannot be transferred out of basedir.

 
0x03 Personal Conclusions

DirectoryIterator + Glob can list all the files on the php Server. It seems that there is no harm. In fact, it is definitely helpful for long-term APT.
Open_basedir is not as secure as you think. Maybe someone else can read or write 0day of open_basedir.

0x04 nginx + php (fastcgi fpm-php) (lnmp) open_basedir configuration recommended by individuals

First, set the total open_basedir in the pool in fpm-php, which is called the top-level design and has a total limit, for example, uniformly restricted to the/home/wwwroot/directory.
Then, use fastcgi_param PHP_ADMIN_VALUE to set a single server in nginx.
Set [HOST = XXX] [PATH = XXX] for php. ini. Mom no longer needs to worry about my php open_basedir (hopefully)
Although it is very ??? But isn't it more reassuring?
All in all, this is the result below ?? Why? /P>

# Configure the row tail in the pool corresponding to the php-fpm.conf
Php_admin_value [open_basedir] =/home/wwwroot/:/proc/:/tmp/
 
# Configure fastcgi fastcgi_param in nginx
# $ Document_root is a clever method. You can also set an absolute path.
# Set php open_basedir
Fastcgi_param PHP_ADMIN_VALUE "open_basedir = $ document_root/:/tmp/:/proc /";
 
# Configure at the end of the php. ini line
[HOST = www.111cn.net]
Open_basedir =/home/wwwroot/www.111cn.net/:/proc/:/tmp/
[PATH =/home/wwwroot/www.111cn.net/]
Open_basedir =/home/wwwroot/www.111cn.net/:/proc/:/tmp/
 

In the test, we also found that the priority of these three locations is as follows:

"Php. ini"> "nginx fastcgi fastcgi_param"> "php-fpm.conf"