PHP has a normal mode and a safe mode. Most users run their PHP applications in normal mode, because many features are restricted once safe mode is configured. Here are the details of how to configure safe mode.
When safe mode is turned on, the following functions are restricted:
chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink
Likewise, some functions in PHP extensions are affected. (Loading modules: in safe mode the dl() function is disabled; to load an extension you can only edit the extension options in php.ini so that it is loaded when PHP starts.)
When PHP safe mode is on, any operating-system program you want to execute must live in the directory given by the safe_mode_exec_dir option, otherwise execution fails. Even when execution is allowed, the command is automatically passed through escapeshellcmd() for filtering.
The following command-execution functions are affected:
exec, shell_exec, passthru, system, popen
In addition, the backtick operator (`) is disabled.
When running in safe mode, putenv() has no effect, although it does not raise an error. Similarly, other functions that try to change PHP's runtime environment, such as set_time_limit() and set_include_path(), are ignored.
1. All input and output functions (such as fopen(), file() and require()) are restricted to files that have the same owner as the script that calls them. For example, with safe mode enabled, if Mary owns a script that calls fopen() to open a file owned by John, the call fails. If Mary owns both the script and the file that fopen() opens, it succeeds.
2. Running a program through popen(), system() or exec() is possible only if the program is located in the directory specified by the safe_mode_exec_dir configuration directive.
3. HTTP authentication is further strengthened, because the UID used by the authenticating script is scoped to the authentication realm. In addition, the PHP_AUTH variables are not set when safe mode is enabled.
4. If a MySQL database server is in use, the user name used to connect to it must be the same as the owner of the file that calls mysql_connect().
(1) Turn on PHP safe mode
PHP's safe mode is a very important built-in security mechanism. It controls certain functions in PHP, such as system(), and puts permission checks on many file-operation functions, so that key files such as /etc/passwd cannot be accessed.
However, the default php.ini does not turn safe mode on, so we enable it:
safe_mode = On
(2) User group security
With safe_mode on and safe_mode_gid off, PHP compares the UID when a script opens a file; turning safe_mode_gid on relaxes this to a GID comparison, so any user in the same group can access the files.
The recommended setting is:
safe_mode_gid = Off
If this is left unset, we may be unable to operate on files in the server's web directory, for example when a script needs to work on a file.
(3) Home directory for executing programs in safe mode
If safe mode is turned on but you still want to execute some programs, you can specify the directory from which programs may be executed:
safe_mode_exec_dir = D:/usr/bin
In general there is no need to execute any program, so it is recommended not to point this at the system program directory; instead point it at a separate directory and copy into it only the programs that need to be executed, for example:
safe_mode_exec_dir = D:/tool/exe
However, I recommend not executing any programs at all, in which case you can point it at our web directory:
safe_mode_exec_dir = d:/usr/www
(4) Include files in safe mode
If you want to include some common files in safe mode, modify this option:
safe_mode_include_dir = d:/usr/www/include/
In fact, the files a typical PHP script includes are already written into the program itself, so this can be set according to your specific needs.
(5) Control the directories PHP scripts can access
Use the open_basedir option to restrict PHP scripts to the specified directory. This keeps scripts away from files they should not access and, to some extent, limits the damage a PHP shell can do. Usually we restrict access to the site directory only:
open_basedir = d:/usr/www
(6) Disable dangerous functions
If safe mode is turned on, disabling functions is not strictly necessary, but we do it for safety. For example, if we do not want PHP functions that execute commands, such as system(), or ones that reveal PHP information, such as phpinfo(), to be available, we can disable them:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
If you want to forbid any operation on files and directories, you can disable many of the file functions:
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
These are only some of the most commonly used file-handling functions. Combining the command-execution functions above with this list will resist most PHP shells.
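As an added example, not part of the original article: a small PHP script that reads the directives from sections (1) to (6) back through ini_get(), so the posture of the running interpreter can be confirmed rather than assumed from php.ini. It assumes PHP 7 or later syntax; the function names are constructed for this illustration. Two caveats a practitioner needs here: safe_mode, safe_mode_gid, safe_mode_exec_dir and safe_mode_include_dir were deprecated in PHP 5.3 and removed in PHP 5.4, so on a current interpreter only open_basedir and disable_functions still apply; and disable_functions is a single directive, so a second assignment in php.ini replaces the first rather than extending it, which is why the script checks that every expected name is present in the one list.

```php
<?php
// Added example (not from the original article): read the hardening directives
// back through ini_get() and report any that differ from the posture described
// in sections (1) to (6). Run from the command line: php audit_php_ini.php

/** True when a boolean-style php.ini directive is on ("1", "On", "Yes", "True"). */
function ini_flag_enabled(string $name): bool
{
    $value = ini_get($name);
    if ($value === false) {
        return false;                       // directive unknown to this PHP build
    }
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'yes', 'true'], true);
}

/** Function names listed in disable_functions, lower-cased and trimmed. */
function disabled_functions(): array
{
    $raw  = (string) ini_get('disable_functions');
    $list = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    return array_map('strtolower', $list);
}

/**
 * Returns one [directive, ok, detail] triple per check. $mustDisable is the
 * list of function names that disable_functions is expected to contain.
 */
function audit_hardening(array $mustDisable): array
{
    $results = [];

    // (1) and (2): safe_mode on, safe_mode_gid off. Both were removed in
    // PHP 5.4, so a build that does not know them is reported as not applicable.
    if (ini_get('safe_mode') === false) {
        $results[] = ['safe_mode', true, 'not available (removed in PHP 5.4); not applicable'];
    } else {
        $results[] = ['safe_mode', ini_flag_enabled('safe_mode'), 'expected On'];
        $results[] = ['safe_mode_gid', !ini_flag_enabled('safe_mode_gid'), 'expected Off (UID check, not GID)'];
    }

    // (5): open_basedir must be set, otherwise scripts may read any readable file.
    $baseDir = (string) ini_get('open_basedir');
    $results[] = ['open_basedir', $baseDir !== '', $baseDir === '' ? 'unset' : $baseDir];

    // (6): every expected name must appear in the single disable_functions list.
    $missing = array_values(array_diff(array_map('strtolower', $mustDisable), disabled_functions()));
    $results[] = ['disable_functions', $missing === [],
        $missing === [] ? 'all expected functions disabled' : 'still enabled: ' . implode(', ', $missing)];

    return $results;
}

// The command-execution and information functions listed in section (6).
$expectedDisabled = ['system', 'passthru', 'exec', 'shell_exec', 'popen', 'phpinfo'];

foreach (audit_hardening($expectedDisabled) as [$directive, $ok, $detail]) {
    printf("%-18s %-4s %s\n", $directive, $ok ? 'OK' : 'WARN', $detail);
}
```

Running it under the web server's own PHP configuration (for example through the same php.ini the SAPI loads, not a separate CLI php.ini) is what makes the report meaningful, since the CLI and the web SAPI often read different ini files.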
(7) Stop the HTTP header from leaking the PHP version
To keep attackers from learning the server's PHP version, turn off the version information in the HTTP header:
expose_php = Off
For example, when an attacker runs telnet www.target.com 80, the response will no longer show the PHP information.
(8) Turn off registered global variables
Variables submitted to PHP, including those sent by POST or GET, are automatically registered as global variables and can be accessed directly. This is very insecure for the server, so we stop registering them as globals by turning off the register_globals option:
register_globals = Off
Of course, once this is set, the corresponding variables must be read in the proper way; for example, to get the variable var submitted by GET you must use $_GET['var']. PHP programmers should keep this in mind.
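As an added example, not part of the original article: the class of bug that register_globals made possible, beside the explicit $_GET style recommended above. legacy_can_view_report() uses extract() to emulate what register_globals = On did (every request parameter became a PHP variable before the script's own logic ran); can_view_report() is the hardened form. The function names and the request arrays are constructed for this illustration, and the functions take the request as a parameter instead of touching $_GET so the script runs from the command line. Caveat: register_globals was removed in PHP 5.4, so Off is the only behaviour on current PHP, but the initialise-then-read-explicitly habit it shows still applies to any input handling.

```php
<?php
// Added example (not from the original article): the authorisation flag bug
// that register_globals = On allowed, beside the explicit $_GET style that
// register_globals = Off requires. Request arrays are constructed inline.

/**
 * Legacy code as it behaved with register_globals = On. extract() emulates
 * what PHP did automatically: each request parameter became a variable in
 * scope before the script's own logic ran.
 */
function legacy_can_view_report(array $request, bool $authenticated): bool
{
    extract($request);                    // emulation of register_globals = On
    if ($authenticated) {
        $authorized = true;               // only assigned on the success path
    }
    // On the failure path $authorized is whatever the request supplied.
    return isset($authorized) && (bool) $authorized;
}

/**
 * Hardened form for register_globals = Off: the flag is always initialised,
 * and request values are read explicitly, with a default and validation.
 */
function can_view_report(array $get, bool $authenticated): bool
{
    $authorized = false;                  // never left to the request
    if ($authenticated) {
        $authorized = true;
    }
    // The explicit $_GET['var'] style from the text, applied to $get.
    $reportId = filter_var($get['report'] ?? '', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    return $authorized && $reportId !== false;
}

// Constructed requests: a normal one and one carrying an extra "authorized" field.
$normal   = ['report' => '7'];
$tampered = ['report' => '7', 'authorized' => '1'];

printf("legacy, unauthenticated, tampered:   %s\n", var_export(legacy_can_view_report($tampered, false), true));
printf("hardened, unauthenticated, tampered: %s\n", var_export(can_view_report($tampered, false), true));
printf("hardened, authenticated, normal:     %s\n", var_export(can_view_report($normal, true), true));
```

Run from the command line, the legacy check passes for the tampered request even though the caller was not authenticated, while the hardened check rejects it and still admits the legitimate request. The same extract() call would also let a request overwrite $authenticated itself, which is the general reason request data must never be allowed to become arbitrary variables.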
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem: in light cases the site's back end is compromised, in serious cases the whole server falls, so be sure to be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
This is off by default. When it is turned on, PHP automatically escapes the queries users submit to SQL, for example turning ' into \', which is important for preventing SQL injection. So we recommend setting it to:
magic_quotes_gpc = On
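As an added example, not part of the original article: what magic_quotes_gpc-style escaping did to a request value, applied to a query built by string concatenation, beside a prepared statement that does not depend on it. It uses an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension and PHP 7.4 or later for the arrow functions) so it runs stand-alone; the function names and the sample rows are constructed for this illustration. Caveat a practitioner needs here: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, and the backslash escaping it applied is MySQL syntax rather than standard SQL, so the only portable defence is to bind values as parameters.

```php
<?php
// Added example (not from the original article): the effect of
// magic_quotes_gpc-style escaping on a query built by concatenation, beside
// a prepared statement. Uses an in-memory SQLite database through PDO.

/** What magic_quotes_gpc = On did to every GET/POST/cookie value. */
function emulate_magic_quotes(string $value): string
{
    return addslashes($value);     // turns ' into \' and \ into \\
}

/** Query built by concatenation: correctness depends on the input being pre-escaped. */
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the value travels as a bound parameter, never as SQL text. */
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Run one lookup and describe the outcome instead of letting the exception escape. */
function describe(callable $lookup, string $label): string
{
    try {
        return sprintf("%-32s %d row(s)", $label, count($lookup()));
    } catch (PDOException $e) {
        return sprintf("%-32s query failed: %s", $label, $e->getMessage());
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed request value containing a quote, as a real surname can.
$input = "O'Brien";

echo describe(fn() => find_user_concat($db, $input), 'concat, raw input'), "\n";
echo describe(fn() => find_user_concat($db, emulate_magic_quotes($input)), 'concat, magic_quotes escaping'), "\n";
echo describe(fn() => find_user_prepared($db, $input), 'prepared, raw input'), "\n";
```

Against SQLite the concatenated query fails with the raw value and still fails with the magic_quotes-style escaping, because SQLite does not treat a backslash as an escape character; only the prepared statement finds the row. Against MySQL the escaped case would have worked, which is exactly the database-specific dependency that made magic_quotes_gpc an unreliable defence and why parameter binding is the recommended replacement.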