Configuring PHP open_basedir so that each virtual site runs independently

  • 2020-03-31 16:43:05
  • OfStack

At that time, I thought this was very bad compared with IIS, because in IIS you can set, under security, the anonymous account used to access a site or even a single directory; as long as each site uses a different account, the security of one site does not affect the others. These days I found that my original idea was wrong: under Apache you can also configure PHP so that each site runs independently. Although the control is not as detailed as running each site under its own user, at least the whole server will not be taken down.

This control can be achieved by configuring open_basedir in PHP. The setting is also useful under IIS, but only the Apache case is described here.

open_basedir limits the files a user can access to a specified area, usually the path of the site's home directory; the symbol "." can also be used to represent the current directory. open_basedir can be set to several directories at once, separated by semicolons on Windows and by colons on any other system. When PHP runs as an Apache module, the open_basedir path of the parent directory is automatically inherited. The following is an example of a configuration on a Linux system.

Method 1: configure it in php.ini
open_basedir = .:/tmp/

Method 2: set it in a VirtualHost in the Apache configuration
php_admin_value open_basedir .:/tmp/

Method 3: set it in a Directory section in the Apache configuration
php_admin_value open_basedir .:/tmp/

Explanation of the three configuration methods:
A. Method 2 has a higher priority than method 1, that is, method 2 overrides method 1. Method 3 has a higher priority than method 2, that is, method 3 overrides method 2.
B. "/tmp/" is added to the configured directories because PHP's default temporary files (uploaded files, sessions, etc.) are placed in this directory, so it generally has to be included; otherwise some functions will not be available.
C. "." is added to the configured directories to refer to the current directory in which the PHP files are running.
D. If the site also uses files outside the site directory, those directories need to be set separately in the corresponding VirtualHost.
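
An added example, not code from the original article: a small Python check that reads an Apache configuration and reports, per VirtualHost, whether open_basedir is set there as in method 2. The host names and paths in the sample are constructed, and the extra warnings (php_value instead of php_admin_value, "." and "/") are additions based on documented PHP behaviour rather than points made by the article.

```python
import re

# Constructed sample config; host names and paths are hypothetical.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName site-a.example
    php_admin_value open_basedir /var/www/site-a/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName site-b.example
    php_admin_value open_basedir .:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName site-c.example
    php_value open_basedir /var/www/site-c/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName site-d.example
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
BASEDIR = re.compile(r"^\s*(php_admin_value|php_value)\s+open_basedir\s+(\S+)", re.M | re.I)
NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)

def audit(conf, sep=":"):
    """Return {ServerName: [findings]} for each VirtualHost; sep is ';' on Windows."""
    report = {}
    for body in VHOST.findall(conf):
        m = NAME.search(body)
        findings = []
        hits = BASEDIR.findall(body)
        if not hits:
            findings.append("no open_basedir in this VirtualHost; php.ini decides")
        for directive, value in hits:
            if directive.lower() == "php_value":
                findings.append("php_value may be overridden in .htaccess; use php_admin_value")
            dirs = value.strip("\"'").split(sep)
            if "." in dirs:
                findings.append("'.' tracks the working directory, which chdir() can change")
            if "/" in dirs:
                findings.append("'/' allows the whole filesystem")
        report[m.group(1) if m else "(unnamed)"] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONF).items():
        print(host, "OK" if not findings else "; ".join(findings))
```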

After setting this up, remember to test it with a PHP webshell (e.g., phpspy) to see whether there is any problem. If nothing unexpected happens, the permissions should be fairly well controlled.
If you have any PHP security configuration experience, you are welcome to share and discuss it.
