Security Settings for Apache and PHP in Linux

Source: Internet
Author: User
For ISPs that provide public network services, we recommend running Apache and PHP with shared, least-privilege settings for security reasons. Where a specific user has special security or performance requirements, you can satisfy them without changing the global shared settings by using the PHP extension directives of an Apache VirtualHost: insert php_value, php_admin_value or php_admin_flag directives into the user's VirtualHost section to give that user different settings and behaviour.

The syntax for a separate configuration for a specific Apache virtual user is as follows:

php_admin_value name 1 | 0 | string   (value: controls a specific parameter)
php_admin_flag name on | off          (flag: switches a feature on or off; applies to Apache 2.20)

php_value and php_flag take the same form but only set a default that the user can override again, from .htaccess or with ini_set(); php_admin_value and php_admin_flag cannot be overridden by the user, so use the admin forms for anything that is meant to be a restriction. Note also that php_value and php_flag only work for PHP_INI_ALL and PHP_INI_PERDIR directives, whereas safe_mode, for example, is PHP_INI_SYSTEM and can only be set with the admin forms.

Note: the above directives for a virtual user can be set directly in the <VirtualHost> section or in the user's <Directory> section.

For example, to turn on register_globals for one user, raise upload_max_filesize to 5M and disable safe_mode at the same time, without affecting other users, add the following lines to that user's VirtualHost:

php_value upload_max_filesize 5M
php_value register_globals 1

php_value safe_mode 0
php_flag safe_mode Off

# for Apache 2.20 (and the only forms that actually take effect for safe_mode,
# which is a PHP_INI_SYSTEM directive)
php_admin_value safe_mode 0
php_admin_flag safe_mode Off

Keep in mind that register_globals is a well-known source of web application vulnerabilities and was removed in PHP 5.4; enable it only for a legacy application that cannot run without it.

Most of the settings in the php.ini configuration file can be adjusted in this way. After adjusting them, restart Apache; in phpinfo() you can then see that, for the affected directive, the Local Value in the middle column differs from the Master Value in the right column.

Note: the way some parameter values are written may differ from php.ini. For example, the "register_globals 1" above corresponds to "register_globals = On" in php.ini (php_flag register_globals On is the equivalent flag form).
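As an added example (not configuration from the original article), here is a complete per-customer VirtualHost that shows the practical difference between the two directive families. The host name, paths and values are placeholders chosen for illustration.

```apache
# Added example, not from the original article. Host name, document root and
# values are placeholders chosen for illustration.
<VirtualHost *:80>
    ServerName customer1.example.com
    DocumentRoot /var/www/customer1/htdocs

    # php_admin_value / php_admin_flag: fixed by the administrator. The site
    # cannot change them again from .htaccess or with ini_set(), and they are
    # the only forms that work for PHP_INI_SYSTEM directives such as safe_mode.
    # upload_max_filesize is PHP_INI_PERDIR, so without the admin form the
    # customer could raise it again from .htaccess.
    php_admin_value upload_max_filesize 5M
    php_admin_value post_max_size 8M
    php_admin_flag  register_globals Off
    php_admin_flag  display_errors Off

    # php_value / php_flag: only a default. The site may override it from
    # .htaccess (when AllowOverride includes Options or FileInfo) or with
    # ini_set(), so never rely on these for anything meant as a restriction.
    php_value error_log /var/log/httpd/customer1-php_error.log
    php_flag  log_errors On

    <Directory /var/www/customer1/htdocs>
        # Lets the customer use php_value/php_flag in .htaccess; php_admin_*
        # is rejected by Apache inside .htaccess regardless of this setting.
        AllowOverride FileInfo
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a restart, a phpinfo() page served from this host shows the changed values in the Local Value column while Master Value still reflects php.ini. A useful check is to drop an .htaccess containing `php_value upload_max_filesize 50M` into the document root: the admin-set limit must stay at 5M, while the error_log path can be changed by the same means.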
################################################################################

================================================================================
(1) safe_mode: run PHP in safe mode
---------------------------
Use the following option in the php.ini file (which affects the global settings):

safe_mode = On   (enable safe mode)
safe_mode = Off  (disable safe mode)

PHP's safe mode is an attempt to solve the shared-server security problem. Architecturally it is incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and operating system layers are not very realistic, many users, especially ISPs that provide public network services, require that PHP run in safe mode on their servers, to prevent legitimate users from reading across sites or performing other unauthorized, dangerous operations, and to limit the damage that a malicious user can do.

Reference: http://hk2.php.net/features.safe-mode

Caveat: safe mode was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so this section and the safe_mode_include_dir setting in (2) apply only to legacy installations; on current PHP, open_basedir in (3) and disable_functions in (4) are the mechanisms that remain.

The corresponding settings in a VirtualHost in Apache's httpd.conf (these apply to a specific user):
php_admin_flag safe_mode On   (enable safe mode)
php_admin_flag safe_mode Off  (disable safe mode)
Or:
php_admin_value safe_mode 1   (enable safe mode)
php_admin_value safe_mode 0   (disable safe mode)

Severe warning: if safe_mode is enabled in the global settings but you disable it in one user's virtual space, you are granting that user a special privilege: the user's scripts are no longer subject to safe_mode and can use system services freely. That is, every behaviour the global safe_mode prohibits, such as reading other users' files or performing unauthorized operations, becomes possible for this user. It is like opening a hole in the wall of a vault that was otherwise secured and letting this user walk through it: no application running in that user's space is protected by the global safe_mode any more, so the security of the whole system now depends on that space, and a vulnerability in an application there can lead to the whole system being compromised. Such a per-user exemption should therefore be treated as the grant of a privilege, and an effective monitoring mechanism must be put in place to stop the user abusing system resources. Otherwise, as soon as the user is no longer trustworthy, or the user's web applications have vulnerabilities, the impact on your whole system is exactly the same as if safe_mode had never been enabled at all.
================================================================================

================================================================================
(2) safe_mode_include_dir: directories exempt from the UID/GID check
---------------------------
After you enable PHP safe mode as described in (1), PHP scripts are subject to a UID/GID check on every directory and file they operate on: the UID or GID of the directory or file must match the UID or GID of the PHP script file that is running.

However, if your system lets users' PHP scripts access shared paths (for example, many older forum or gallery programs include system-wide files directly to add functionality that PHP did not support at the time), this check gets in the way.

You can use safe_mode_include_dir to name directories for which the UID/GID check is bypassed when a script includes files from them or from their subdirectories (the directory must also be in include_path, or the full path must be used).

As of PHP 4.2.0, this directive accepts several paths separated in the same style as include_path (colons, or semicolons on Windows); earlier versions accepted only a single directory. As with open_basedir, the path given is really a string prefix, not a directory name.

For example, with "safe_mode_include_dir = /dir/incl", all PHP scripts are also allowed to include from "/dir/include" and "/dir/incls" if those directories exist. So if you want to limit the exemption to exactly one directory, end the path with a slash, for example:
"safe_mode_include_dir = /dir/incl/"

Note: a VirtualHost automatically inherits the safe_mode_include_dir setting from php.ini.
================================================================================

================================================================================
(3) open_basedir: restrict the files a user can operate on to a directory
---------------------------
The following is the original description and default configuration in php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory or
; per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = .

open_basedir confines the files a user's scripts can access to a specified area, usually the path of the user's home directory. "." stands for the current directory; note that this is the working directory of the script, which the script can change with chdir(), so "." is a weak restriction and an absolute path is safer. Note also that in the PHP versions this article describes, the restriction specified by open_basedir is a prefix rather than a directory name. For example, with "open_basedir = /dir/user", both "/dir/user" and "/dir/user1" are accessible. So if you want to allow only the specified directory, end the path with a slash, for example:
"open_basedir = /dir/user/"
(Since PHP 5.2.16 and 5.3.4 the value is treated as a directory name, but the trailing slash is still harmless and makes the intent explicit.)

open_basedir can also list several directories at once: separate them with semicolons on Windows and with colons on every other system. When PHP runs as an Apache module, open_basedir paths from parent directories are inherited automatically.

There are three ways to make separate settings for a specified user in Apache:

(A) In a Directory section of Apache's httpd.conf:

php_admin_value open_basedir /usr/local/apache/htdocs/
# To set multiple directories, refer to the following:
php_admin_value open_basedir /usr/local/apache/htdocs/:/tmp/

(B) In a VirtualHost section of Apache's httpd.conf:

php_admin_value open_basedir /usr/local/apache/htdocs/
# To set multiple directories, refer to the following:
php_admin_value open_basedir /var/www/html/:/var/tmp/

(C) Because an open_basedir set in a VirtualHost replaces, rather than extends, the open_basedir value in php.ini, the virtual user does not inherit the php.ini value, which makes flexible configuration harder. It is therefore simpler to set a sensible global value in php.ini, for example open_basedir = .:/tmp/, which lets every script access its current directory (the directory where the PHP script file is located) and /tmp/.

Note: if the temporary directory for file uploads set in php.ini (upload_tmp_dir) is /tmp/, the open_basedir setting must include /tmp/, otherwise uploads fail. Newer PHP versions emit an "open_basedir restriction in effect" warning but move_uploaded_file() can still fetch the uploaded file from /tmp/. This is intended behaviour rather than a hole: move_uploaded_file() only accepts a source file that PHP itself recorded as uploaded in the current request, and open_basedir is still applied to the destination path. The same consideration applies to session.save_path: if it lies outside open_basedir, session files cannot be read or written.
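An added example (not the article's own configuration) that puts the rules of this section together in one per-customer VirtualHost: a trailing slash on every entry, a colon-separated list, and the upload temp directory and session directory kept inside the allowed set. Paths and host name are placeholders.

```apache
# Added example, not from the original article. Paths and names are placeholders.
<VirtualHost *:80>
    ServerName customer1.example.com
    DocumentRoot /var/www/customer1/htdocs

    # Every entry ends with "/" so that, on PHP versions that prefix-match,
    # /var/www/customer10/ is not matched by /var/www/customer1.
    # Entries are colon-separated on Unix (semicolons on Windows).
    # php_admin_value: the customer cannot widen this from .htaccess or ini_set().
    php_admin_value open_basedir "/var/www/customer1/htdocs/:/var/www/customer1/tmp/"

    # Keep uploads and sessions inside open_basedir; otherwise uploads fail
    # with "open_basedir restriction in effect" and session_start() cannot
    # read or write its files. A per-customer directory also stops customers
    # from seeing each other's upload and session files in a shared /tmp.
    php_admin_value upload_tmp_dir    /var/www/customer1/tmp/
    php_admin_value session.save_path /var/www/customer1/tmp/sessions/
</VirtualHost>
```

To verify the policy from inside the host, a script that calls ini_get('open_basedir') and then is_readable('/etc/passwd') must return false for the latter and log an "open_basedir restriction in effect" warning, while a file upload and a session_start() in the same script must succeed; both directories under /var/www/customer1/tmp/ need to exist and be writable by the Apache user.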
================================================================================

================================================================================
(4) disable_functions: disable specific functions
---------------------------
This directive lets you disable certain functions outright (usually functions that affect system security) for security reasons, for example:
disable_functions = shell_exec, system, exec, passthru, show_source, get_cfg_var

disable_functions takes a comma-separated list of function names as its argument. It is not affected by safe mode, and it can only be set globally in php.ini; it cannot be set in httpd.conf for individual users.

This feature has been available in php.ini since PHP 4.0.1 and is useful for preventing users from calling potentially dangerous functions such as passthru, exec, system and popen. After adding disable_functions = passthru, exec, system, popen, a PHP script that calls one of these functions gets only the following error message: Warning: system() has been disabled for security reasons.

The following example illustrates why this setting matters:

PHP scripts can use many Perl-like features. For example, shell_exec() executes a system command, and so does the backtick operator: wrapping a string in a pair of backquotes (`) runs it as a shell command and returns its output. For example:

<?php
// Runs "ls /etc -al" through the shell and captures its output,
// exactly as shell_exec('ls /etc -al') would.
$output = `ls /etc -al`;
echo $output;
?>

Disabling shell_exec via disable_functions also disables the backtick operator, so the list above covers both forms.

Obviously, if your system imposes no restrictions, any user can run a command such as `cat /etc/passwd` to collect system information or do damage. This is equivalent to opening your own
