PHP security measures and security mode

PHP's security model was created to try to resolve the shared server (Shared-server) security issue. On the structure, it is unreasonable to try to solve this problem on the PHP layer, but it is very unrealistic to modify the Web server layer and the operating system layer. So many people, especially ISPs, currently use Safe mode.

The following are the settings for Safe mode in php.ini:

Safe_mode Boolean

Whether to enable Safe mode for PHP.

Safe_mode_gid Boolean

By default, Safe mode does a UID comparison check when the file is opened. If you want to loosen it to a GID comparison, open Safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) to check for file access.

Safe_mode_include_dir string

The Uid/gid check is passed when this directory and its subdirectories (directories must be contained in include_path or with full paths) contain files.

Starting with PHP 4.2.0, this directive can accept the same style as the Include_path directive, separated by a colon (a semicolon in Windows), not just a directory. The specified limit is actually a prefix, not a directory name. This means that "Safe_mode_include_dir =/DIR/INCL" will allow access to "/dir/include" and "/dir/incls" if they exist. If you want to control access to a specified directory, add a slash at the end, for example: "Safe_mode_include_dir =/dir/incl/". If the value of this directive is null, files with different uid/gid in PHP 4.2.3 and PHP 4.3.3 will not be included. In earlier versions, all files could be included.

Safe_mode_exec_dir string

If PHP uses safe mode, System () and other program execution functions will refuse to start programs that are not in this directory. You must use/as a directory delimiter, including in Windows.

Safe_mode_allowed_env_vars string

Setting certain environment variables can be a potential security breach. This directive contains a comma-delimited list of prefixes. In Safe mode, users can only change the environment variables whose names have the prefixes provided here. By default, users can only set environment variables that begin with PHP_ (for example, Php_foo = BAR).

Attention:

If this instruction is empty, PHP will allow the user to modify any environment variables!

Safe_mode_protected_env_vars string

This directive contains a comma-delimited list of environment variables that the end user cannot use to change these environment variables (putenv). These variables cannot be changed even when the Safe_mode_allowed_env_vars is set to allow modification.

When Safe_mode is set to on,php, the owner of the current script is checked by the file function or its directory to match the owner of the file that will be manipulated. For example:

-rw-rw-r--    1 Rasmus   Rasmus       Jul  1 19:20 script.php-rw-r--r--    1 root     root 1116 May       26 18:01/etc/passwd

Run script.php

<?phpreadfile ('/etc/passwd ');? >

If Safe mode is activated, the following error will be caused:

Warning:safe MODE restriction in effect. The script whose UID is a notallowed to access/etc/passwd owned by UID 0 in/docroot/script.php on line 2

At the same time, there may be an environment in which a loose GID check is sufficient, but a strict UID check is not appropriate. You can use the SAFE_MODE_GID option to control this check. If set to ON, a lenient GID check is performed and the UID check is set to OFF (the default value).

In addition to Safe_mode, if the Open_basedir option is set, all file operations are restricted to the specified directory. For example:

<Directory/docroot>  Php_admin_value open_basedir/docroot</directory>

If you run the same script.php after you set the Open_basedir option, the result will be:

Warning:open_basedir restriction in effect. File is in wrong directory in/docroot/script.php on line 2

You can also block certain functions individually. Note that the Disable_functions option cannot be used outside of the php.ini file, which means that the function cannot be masked in the same way as a different virtual host or directory in the httpd.conf file. If you add the following to the php.ini file:

Disable_functions Readfile,system

You will get the following output:

Warning:readfile () have been disabled for security reasons in/docroot/script.php on line 2

Warning
Of course, these PHP restrictions do not apply to executable files.

