Security mode safe_mode configuration tutorial in php

  • 2020-05-06 12:06:17
  • OfStack

(1) turns on php's safe mode

php's security mode is an important built-in security mechanism that controls some of the functions in php, such as system() and
At the same time, a lot of file manipulation functions for permission control, also do not allow the file of some key files, such as /etc/passwd,
But the default php.ini is not in safe mode, so let's turn it on:
safe_mode = on


(2) user group security

When safe_mode is opened, safe_mode_gid is closed, and the php script is able to access the file as
Users of the group can also access the file.
Recommended setting:

safe_mode_gid = off

If we don't set this up, we may not be able to manipulate the files in our server's website directory, for example, we need
When operating on a file.


(3) the program home directory
in secure mode
If
is in safe mode, but is about to execute something, you can specify the home directory of the program to execute:

safe_mode_exec_dir = D: / usr bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory, you can point to a directory,
Then copy the program that needs to be executed, such as

safe_mode_exec_dir = D: / tool exe

However, I prefer not to execute any programs, so you can point to our web directory:

safe_mode_exec_dir = D: / usr www


(4) contains files
in secure mode
if you want to include some public files in secure mode, change the option:

safe_mode_include_dir = D: / usr www/include/

In fact, the files included in php script are usually written by the program itself, which can be set according to specific needs.


(5) control the directories
script can access
Use the open_basedir option to control that the PHP script can only access the specified directory, thus preventing the PHP script from accessing
The files that should not be accessed limit the damage of phpshell to a certain extent. We can generally set it to only access the website directory:

open_basedir = D: / usr www


(6) closes the danger function

If the safe mode is turned on, then the function ban is not needed, but we still consider it for the sake of security. For example,
We don't think we want to execute the php function that has system() and so on there that can execute the command, or
that can view the php information Functions such as phpinfo(), then we can disable them:

disable_functions = system passthru, exec shell_exec, popen, phpinfo

If you want to disable any file or directory operations, you can close many file operations


disable_functions=chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,

copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above is just a list of some of the file processing functions that are not commonly used, you can also combine the above command function with this function,
You can resist most phpshell.


(7) closes the leak of PHP version information in the http header

In order to prevent hackers from accessing the php version of the server's information, we can turn off this information in the http header:

expose_php = Off

For example, a hacker at telnet www.target.com 80 will not be able to see PHP's message.


(8) closes the registered global variable

Variables submitted in PHP, including those submitted using POST or GET, are automatically registered as global variables and can be accessed directly,
This is very insecure for the server, so we can't make it register as a global variable, just turn off the register global variable option:
register_globals = Off
Of course, if this is set, then the corresponding variables should be obtained in a reasonable way, such as var,
, GET submitted variables Then you need to use $_GET['var'] to get the php programmer.


(9) opens magic_quotes_gpc to prevent SQL from injecting

The injection of SQL is a very dangerous problem, for example, the background of the website can be broken into, or the whole server can be destroyed
So be careful. php.ini has one setting:

magic_quotes_gpc = Off

This is off by default, and if it is turned on it will automatically turn the user over to sql's query,
For example, 'to' and so on, which has a significant effect on preventing sql injection. So we recommend

magic_quotes_gpc = On


(10) error message control

Generally php will have an error when it is not connected to the database or otherwise. Generally, the error message will contain the php script when
The previous path information or the SQL statement of the query is not safe after such information is provided to the hacker, so it is generally recommended that the server prohibit the error prompt display_errors = Off

If you do want to display an error message, be sure to set the error level, for example, to display only the warning above:

error_reporting = E_WARNING & E_ERROR

Of course, I still recommend turning off the error.


(11) error log

It is recommended that after turning off display_errors, you can log the error message to find out why the server is running:

log_errors = On

Also set the directory where the error logs are stored. It is recommended that the root apache logs be stored together:

error_log = D: / usr local apache2 / logs/php_error log

Note: the file must allow apache users and groups to have write permissions.


MYSQL runs
with reduced weight
Create a new user like mysql

net user mysql mysql /add

net localgroup users mysql /del

Not belonging to any group

If MYSQL is installed in d:mysql, then give mysql full control, then set the MYSQL service properties in the system services, in the login properties, select this user mysql and enter the password, ok. Restart the MYSQL service, and MYSQL runs with low permissions.

apache's drop weight runs

apache built on windows platform runs system permission by default, giving apache permission to drop.

net user apache apche /add

net localgroup users apache /del

We created a user apche that is not part of any group.

We open the computer manager, select service, click apache service properties, we select log on, select this account, we fill in the account and password created above, restart apache service, ok, apache run under low permissions.

In fact, we can set the permissions of each folder so that the apache user can only do what we want it to do, creating a separate read-write user for each directory.

Related articles: