nginx+php (fpm-php fastcgi) open_basedir security settings

Source: Internet
Author: User
Tags: configuration, php, fpm, glob, ini, php server


0x00 Purpose of the experiment



Following the article "PHP Bypass open_basedir Directory Listing Research", this test tries different configurations to verify whether that article's open_basedir bypass methods are effective, so that PHP open_basedir can be configured securely.
The following methods from the article enumerate directory listings on Windows; on Linux they require brute-force guessing, so they are not tested here.



Test whether the "DirectoryIterator + glob" technique bypasses open_basedir
Test whether the webshell tool "Chopper" can bypass open_basedir



0x01 Experimental Environment



nginx + PHP 5.6.7 in FastCGI mode, CentOS 7 Linux
At present there are three places where open_basedir can be configured: php-fpm.conf, nginx fastcgi_param, and php.ini
Each is tested below



0x02 Test Detail



Configured only in php-fpm.conf



php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/
Result

With open_basedir set, files outside the directory can be neither read nor written, but DirectoryIterator + glob can still successfully list the entire filesystem

Current open_basedir
open_basedir: /home/wwwroot/:/proc/:/tmp/



--DirectoryIterator + glob--
.
..
.autorelabel
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
vagrant
var
Chopper cannot bypass open_basedir.






Configured only in nginx fastcgi_param



# Set PHP open_basedir
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";
Here "$document_root" is an nginx variable: the root directory configured in each nginx server block
For example, the server www.111cn.net has its root directory configured as /home/wwwroot/www.111cn.net



Reading the PHP manual carefully, there is the following passage:
A PHP configuration value set with php_value or php_flag overrides the previous value.
Note that disable_functions or disable_classes values defined in php.ini will not be overwritten; the new settings are appended to the previous values.
Values defined with php_admin_value or php_admin_flag cannot be overridden by ini_set() in PHP code.
Since 5.3.3 the PHP settings can also be set from the web server, which is the fastcgi_param configuration for PHP in nginx.
php_flag is used specifically to set boolean values (on, off, 1, 0, true, false, yes, no),
and php_value is used to set values of all other types.



The result is the same as above



With open_basedir set, files outside the directory can be neither read nor written, but DirectoryIterator + glob can still successfully list the entire filesystem

Chopper cannot bypass open_basedir.






Configured only in php.ini



[HOST=www.111cn.net]
open_basedir=/home/wwwroot/www.111cn.net/:/proc/:/tmp/
[PATH=/home/wwwroot/www.111cn.net/]
open_basedir=/home/wwwroot/www.111cn.net/:/proc/:/tmp/
This means: when the host is www.111cn.net, set open_basedir; and when the path is /home/wwwroot/www.111cn.net/, set open_basedir.
When I tested, either one of the two sections on its own was effective.



The result is the same as above



With open_basedir set, files outside the directory can be neither read nor written, but DirectoryIterator + glob can still successfully list the entire filesystem

Chopper cannot bypass open_basedir.





0x03 Personal Conclusion



The DirectoryIterator + glob technique can list all the files on a PHP server. It seems harmless, but for a long-term APT it is certainly helpful.
open_basedir is not as safe as it may look, and there may even be 0days in other people's hands that read and write past open_basedir.



0x04 Personally recommended nginx + PHP (FastCGI php-fpm) (LNMP) open_basedir configuration



First, set an overall open_basedir in the php-fpm pool. Call this the top-level design: there is one overall limit, for example uniformly restricting to a web directory such as /home/wwwroot/.
Second, set fastcgi_param PHP_ADMIN_VALUE for each individual server block in nginx.
Third, set [HOST=xxx] and [PATH=xxx] sections in php.ini.
With this three-pronged approach I no longer have to worry about my PHP open_basedir (hopefully).
It is more work, though; but wouldn't it be more reassuring?
In summary, the result is as follows, and this is what I use:






# php-fpm.conf: configuration at the end of the corresponding pool section
php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/



# nginx fastcgi_param configuration
# $document_root is a convenient trick; an absolute path can also be set instead
# Set PHP open_basedir
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";



# php.ini: configuration at the end of the file



[HOST=www.111cn.net]
open_basedir=/home/wwwroot/www.111cn.net/:/proc/:/tmp/
[PATH=/home/wwwroot/www.111cn.net/]
open_basedir=/home/wwwroot/www.111cn.net/:/proc/:/tmp/



The test also found that the priority of these three configuration locations is as follows:

"php.ini" > "nginx fastcgi_param" > "php-fpm.conf"
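As an added check that is not part of the original post, the following PHP script verifies the read, write and ini_set() behaviour the post reports once the three-layer configuration is in place. It assumes it is dropped into a vhost's document root and requested once, and that /etc/hostname and /var/tmp lie outside every configured basedir (both are assumptions, not values from the post).

```php
<?php
// Added verification script (not from the original post). Place it inside a
// vhost's document root after applying the recommended open_basedir settings,
// request it once over HTTP, read the report, then delete it.
// Assumptions: /etc/hostname and /var/tmp lie outside every configured basedir.
header('Content-Type: text/plain');

function probe_open_basedir($outsideFile, $outsideDir)
{
    $r = array();
    $r['effective'] = ini_get('open_basedir');

    // 1. A read outside the allowed directories must be refused.
    $r['read_blocked'] = (@file_get_contents($outsideFile) === false);

    // 2. A write outside must be refused as well; clean up if it was not.
    $target = $outsideDir . '/open_basedir_probe_' . getmypid();
    $r['write_blocked'] = (@file_put_contents($target, 'probe') === false);
    if (!$r['write_blocked']) {
        @unlink($target);
    }

    // 3. Ordinary directory listing outside the basedir must be refused
    //    (the post's finding is that the glob-based path is the exception).
    $r['scandir_blocked'] = (@scandir($outsideDir) === false);

    // 4. The restriction must not be widenable from code: php_admin_value makes
    //    ini_set() fail outright, and a php.ini value can only be narrowed at runtime.
    $r['ini_set_rejected'] = (@ini_set('open_basedir', '/') === false);
    $r['after_ini_set'] = ini_get('open_basedir');

    return $r;
}

$result = probe_open_basedir('/etc/hostname', '/var/tmp');
echo "effective open_basedir: ",
    ($result['effective'] === '' ? '(NONE - unrestricted!)' : $result['effective']), "\n";
foreach (array('read_blocked', 'write_blocked', 'scandir_blocked', 'ini_set_rejected') as $check) {
    echo str_pad($check, 18), ': ', ($result[$check] ? 'ok' : 'FAIL - misconfigured'), "\n";
}
echo "open_basedir after ini_set: ", $result['after_ini_set'], "\n";
```

Every line of the report should read "ok" and the effective value should match the vhost's intended path list; a "FAIL" on ini_set_rejected means the value was applied with php_value rather than php_admin_value, or not applied at all.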

