Configuration of PHP is one of the significant security breakpoints. There is no doubt that ignoring this can lead to serious security consequencies. I’m not talking just about web applications vulnerabilities. Wrong PHP setup can allow to take your server under control by some invader. This article is trying to help you to do more for your calm sleep.
PHP has available built-in safe mode, by using which we can improve security distinctly. Before we move to directives, let’s remind their scopes of modification to have clear where we can use them.
PHP defines these four scopes:
Now we can move forward and go through basic security settings of PHP.
safe_mode (boolen)
Scope: PHP_INI_SYSTEM | Default value: 0
By turning safe_mode on we can limit some of potentially dangerous options of PHP. Safe mode can be turned on by setting safe_mode directive to the boolean value on or turned off by setting it to off. Restrictive schema is based on UID (User ID) comparison of running script with file UID to wich the script tries to access. If both UID are same, script is authorized to continue, otherwise failes.
safe_mode_gid (boolean)
Scope: PHP_INI_SYSTEM | Default value: 0
This directive changes behaviour of the safe mode by checking GID (Group ID) instead of UID (User ID). So, if Mary and John are members of the same group, scripts of Mary are authorized to call fopen() to files of John.
safe_mode_include_dir (string)
Scope: PHP_INI_SYSTEM | Default value: Null
By safe_mode_include_dir directive we can mark out some paths in which the safe mode should be ignored, even if it‘s on. This is often used for directories in which various stuff for more web users is placed (ex. templates). Syntax allows more directories separated by semi-colon.
safe_mode_exec_dir (string)
Scope: PHP_INI_SYSTEM | Default value: Null
This directive specifies the directory where system programs executable by system(), exec() or passthru() reside. There is necessary have the safe_mode on.
safe_mode_allowed_env_vars (string)
Scope: PHP_INI_SYSTEM | Default value: PHP_
When the safe_mode is on, by this directive we can permit modification of some system environmental variables from user’s script. Syntax allows more variables separated by comma.
safe_mode_protected_env_vars (string)
Scope: PHP_INI_SYSTEM | Default value: LD_LIBRARY_PATH
This directive prevents modification of some system environmental variables by putenv() function. The LD_LIBRARY_PATH is protected by default. Variables declared here overlay variables set up by safe_mode_allowed_env_vars directive.
In the next post we’ll take a look at advanced security settings of PHP.
Nice post though concept is old but sometime is gold 😀