PHP safe_mode Security Mode configuration detailed

Source: Internet
Author: User
Tags http authentication ini php script phpinfo require safe mode sql injection mysql database

When Safe mode is open, the functionality of the following list of functions will be limited:

ChDir, Move_uploaded_file, Chgrp, Parse_ini_file, Chown, rmdir, copy, rename, fopen, require, highlight_file, s How_source, include, symlink, link, touch, mkdir, unlink

Similarly, functions in some PHP extensions will also be affected. (Load module: In Safe mode, the DL function will be prohibited, if you want to load the extension, you can only modify the extended option in php.ini, loading when PHP starts)

When PHP security mode is open, you need to execute the operating system program, you must be in the SAFE_MODE_EXEC_DIR option to specify the directory of the program, or execution will fail. Even if it is allowed to execute, it is automatically passed to the Escapeshellcmd function for filtering.

The following list of functions that execute the command will be affected:

exec, Shell_exec, PassThru, System, Popen

In addition, the back tag operator (') will also be closed.

When running in Safe mode, the PUTENV function will not be valid, although it will not cause an error. Similarly, other functions that attempt to change the PHP environment variable set_time_limit, Set_include_path, etc. will also be ignored.

1. The application of all input and output functions, such as fopen (), file (), and require (), is limited and can only be used for files that have the same owner as the script that called the functions. For example, assuming that security mode is enabled, if Mary has a script that invokes fopen () and attempts to open a file owned by JONHN, it will fail. However, if Mary has not only a script to invoke fopen (), but also a file called by fopen (), it will succeed.
2. If you attempt to execute a script through a function popen (), System (), or exec (), it is possible only if the script is located in the directory specified by the SAFE_MODE_EXEC_DIR configuration directive.
3. HTTP authentication is further enhanced because the validation script is used for the UID of the person to be included in the validation field. In addition, Php_auth is not set when Safe mode is enabled.
4. If the MySQL database server is applicable, the user name used for the linked MySQL server must be the same as the file owner username that invoked mysql_connect ().


1 Open PHP security mode

PHP's Safe mode is a very important embedded security mechanism that can control functions in PHP, such as System (),
At the same time, a lot of file operation functions are controlled by permissions, also do not allow some key file files, such as/etc/passwd,
But the default php.ini is not open safe mode, we turn it on:
Safe_mode = On


(2) User group security

When the Safe_mode is turned on, the Safe_mode_gid is turned off, so the PHP script can access the file and the same
Users of a group can also access files.
The recommended setting is:

Safe_mode_gid = Off

If you do not set it, we may not be able to operate on our server web directory files, such as we need
When you are working on a file.


(3) Safe Mode executable Program Home directory

If Safe mode is open, but you want to execute some programs, you can specify the home directory where you want to execute the program:

Safe_mode_exec_dir = D:/usr/bin

In general, there is no program to perform, so it is recommended not to execute the System program directory, you can point to a directory,
Then copy the program that needs to be executed, such as:

Safe_mode_exec_dir = D:/tool/exe

However, I recommend that you do not execute any programs, then you can point to our web directory:

Safe_mode_exec_dir = d:/usr/www


(4) Include files in Safe mode

If you want to include some public files in Safe mode, modify the options:

Safe_mode_include_dir = d:/usr/www/include/

In fact, the general PHP script contains files are in the program itself has been written, this can be set according to the specific needs.


(5) Control the directory that the PHP script can access

Using the Open_basedir option to control PHP scripts can only access the specified directory, so that you can avoid PHP script access
Files that should not be accessed, to some extent limit the harm of phpshell, we can generally set to access only the site directory:

Open_basedir = d:/usr/www


(6) Close the dangerous function

If Safe mode is turned on, the function prohibition is not necessary, but we consider it for security. Like what
We don't feel like executing PHP functions that can execute commands, including system (), or can view PHP information
Phpinfo () and so on, then we can ban them:

Disable_functions = System,passthru,exec,shell_exec,popen,phpinfo

If you want to disable the operation of any files and directories, you can turn off many file operations


Disable_functions=chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,

Copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above is just a list of not commonly used file processing functions, you can also perform the above command function and this function combined,
will be able to resist most of the Phpshell.


(7) Turn off the disclosure of PHP version information in HTTP headers

In order to prevent hackers from obtaining information about the PHP version of the server, you can turn off the information ramp in the HTTP header:

expose_php = Off

For example, when the hacker in Telnet www.target.com 80, then will not be able to see the PHP information.


(8) Turning off registration of global variables

Variables submitted in PHP, including those submitted using post or get, are automatically registered as global variables and can be accessed directly.
This is very unsafe for the server, so we cannot have it registered as a global variable and turn off the registration global variable option:
Register_globals = Off
Of course, if you set this up, then you need to get the corresponding variable in a reasonable way, such as getting the variable var of get commit,
Then you need to use $_get[' var ' to get it, the PHP programmer should pay attention.


(9) Open MAGIC_QUOTES_GPC to prevent SQL injection

SQL injection is a very dangerous problem, small web site backstage was invaded, heavy the entire server fell,

So be sure to be careful. There is a setting in php.ini:

MAGIC_QUOTES_GPC = Off

This default is turned off, and if it is turned on, it will automatically convert the user to the SQL query.
For example, the ' switch ' and so on, which has a significant effect on preventing SQL injection. So we recommend setting it to:

MAGIC_QUOTES_GPC = On

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.