PHP security measures and safe mode

Source: Internet
Author: User
PHP safe mode was introduced to address the security problem of shared servers. Architecturally it is unsound to try to solve this problem at the PHP layer, but changing the web server layer or the operating system layer is unrealistic, so many people, ISPs in particular, currently rely on safe mode.

The safe mode settings in php.ini are as follows:

safe_mode boolean

Whether to enable PHP safe mode.

safe_mode_gid boolean

By default, safe mode compares the UID when a file is opened. To relax this to a GID comparison, turn on safe_mode_gid. This directive determines whether the check on file access uses the UID (FALSE) or the GID (TRUE).

safe_mode_include_dir string

Files under this directory and its subdirectories (the directory must be in include_path or be given as a full path) are included without the UID/GID check.

Starting with PHP 4.2.0, this directive accepts a path in the same form as include_path, with entries separated by colons (semicolons on Windows), rather than a single directory. The restriction it specifies is actually a prefix, not a directory name: "safe_mode_include_dir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to one specific directory, end the value with a slash, for example "safe_mode_include_dir = /dir/incl/". If the directive is empty, files with a different UID/GID cannot be included in PHP 4.2.3 and PHP 4.3.3; in earlier versions, all files could be included.

safe_mode_exec_dir string

When PHP runs in safe mode, system() and the other program-execution functions refuse to start programs that are not in this directory. The directory separator must be /, including on Windows.

safe_mode_allowed_env_vars string

Setting certain environment variables can be a potential security hole. This directive contains a comma-separated list of prefixes. In safe mode, the user can only alter environment variables whose names begin with one of the prefixes listed here. By default, users can only set environment variables that begin with PHP_ (for example, PHP_FOO=BAR).

Note:

If this directive is empty, PHP allows the user to modify any environment variable!

safe_mode_protected_env_vars string

This directive contains a comma-separated list of environment variables that end users cannot change with putenv(). These variables stay protected even when safe_mode_allowed_env_vars would otherwise allow them to be modified.
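The putenv() policy that safe_mode_allowed_env_vars and safe_mode_protected_env_vars describe, modelled in Python as an added example (not PHP's own code); the function names and the sample protected list are assumptions chosen for illustration.

```python
"""Model of safe mode's putenv() policy. Added example, not PHP source;
function names and sample values are constructed for illustration."""


def parse_list(value: str) -> list:
    """A php.ini list value: comma-separated names/prefixes, blanks dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def putenv_allowed(name: str, allowed_env_vars: str,
                   protected_env_vars: str) -> bool:
    """True if a safe-mode script may change environment variable `name`.

    Rules from the directive descriptions:
      * a protected name can never be changed, whatever the allowed list says;
      * an empty allowed list lets the script change any unprotected name;
      * otherwise the name must start with one of the allowed prefixes.
    """
    if name in parse_list(protected_env_vars):
        return False
    prefixes = parse_list(allowed_env_vars)
    if not prefixes:  # empty directive: no prefix restriction at all
        return True
    return any(name.startswith(prefix) for prefix in prefixes)


# The allowed prefix is the php.ini default named in the text; the
# protected list is a sample value assumed for this example.
DEFAULT_ALLOWED = "PHP_"
SAMPLE_PROTECTED = "LD_LIBRARY_PATH"
```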

When safe_mode is on, PHP checks whether the owner of the current script matches the owner of the file (or directory) that a file function operates on. For example:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd

Run script.php, which on its line 2 calls readfile() on /etc/passwd.

If safe mode is enabled, the following error occurs:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

However, there are environments in which a loose GID check is sufficient and a strict UID check is unsuitable. You can control this with the safe_mode_gid option. When it is set to On, the looser GID check is performed; when it is Off (the default), the UID check is performed.

In addition to safe_mode, if the open_basedir option is set, all file operations are restricted to the specified directory. For example:

php_admin_value open_basedir /docroot

If the same script.php is run with open_basedir set, the result is:

Warning: open_basedir restriction in effect. File is in wrong directory in /docroot/script.php on line 2
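The file-access decision behind the two warnings above (the owner check with its safe_mode_gid variant, the safe_mode_include_dir prefix exemption, and the open_basedir restriction), modelled in Python as an added example rather than PHP's own implementation. The file metadata is constructed inline from the ls -l listing above; the two extra files and the function names are assumptions for illustration, and the returned messages follow the wording quoted in the text, not PHP's exact output.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileMeta:
    uid: int
    gid: int


# Constructed metadata mirroring the ls -l listing in the text, plus two
# extra files (assumed, for illustration) to exercise the other branches.
FILES = {
    "/docroot/script.php": FileMeta(uid=500, gid=500),
    "/etc/passwd": FileMeta(uid=0, gid=0),
    "/docroot/lib/util.php": FileMeta(uid=0, gid=0),  # root-owned include
    "/docroot/shared.txt": FileMeta(uid=0, gid=500),  # same group only
}


def under_prefix(path: str, prefix: str) -> bool:
    """Directive values are string prefixes, not directory names: '/dir/incl'
    also matches '/dir/include'; a trailing slash pins it to one directory."""
    return bool(prefix) and posixpath.normpath(path).startswith(prefix)


def check_access(script: str, target: str, *, open_basedir: str = "",
                 safe_mode_gid: bool = False, safe_mode_include_dir: str = "",
                 is_include: bool = False) -> Optional[str]:
    """Return None when the access is allowed, else a reason modelled on the
    warnings quoted in the text (wording is not PHP's exact message)."""
    if open_basedir and not under_prefix(target, open_basedir):
        return "open_basedir restriction in effect. File is in wrong directory"
    if is_include and under_prefix(target, safe_mode_include_dir):
        return None  # safe_mode_include_dir exempts includes from the owner test
    me, other = FILES[script], FILES[target]
    if safe_mode_gid:  # loose check: compare group ids instead of user ids
        if me.gid != other.gid:
            return (f"SAFE MODE Restriction in effect. The script whose gid is "
                    f"{me.gid} is not allowed to access {target} owned by gid {other.gid}")
        return None
    if me.uid != other.uid:
        return (f"SAFE MODE Restriction in effect. The script whose uid is "
                f"{me.uid} is not allowed to access {target} owned by uid {other.uid}")
    return None
```

The include_dir exemption only applies to includes, so a plain file function on the same root-owned file still fails the owner check.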

You can also disable individual functions. Note that the disable_functions option can only be set in php.ini; that is, functions cannot be disabled per virtual host or per directory in httpd.conf. Add the following to php.ini:

disable_functions = readfile,system

Running the script then produces:

Warning: readfile() has been disabled for security reasons in /docroot/script.php on line 2

Warning:
Of course, these PHP restrictions do not apply to executable files.
