Mar 11, 2007

PHP security settings

Sometimes there is a need to set up a 3rd party script, like a forum, on the dedicated server I am responsible for.

Maybe you remember, a couple of years ago a serious security issue was discovered in phpBB, a very popular forum software at that time, and hundreds of thousands of servers all over the world got infected by a worm. I do remember that case.

So the question is: how do you run a 3rd party script that you don't fully trust?
There are several options I recommend: some at PHP compile time, some in php.ini, and some in the VirtualHost section (for selected sites).

Here are some settings I personally use in a VirtualHost (Apache web server configuration) to run a potentially insecure application:

<VirtualHost *>
    ...
    php_admin_value upload_tmp_dir "/path/to/upload_tmp"
    php_admin_value open_basedir "/path/to/forum:/usr/local/lib/php"
    php_admin_value disable_functions "shell_exec,exec,system,passthru,proc_open,popen,curl_exec,pcntl_exec,socket_create,socket_create_listen"
</VirtualHost>

(Note: the disable_functions value is a single comma-separated line without spaces.)

These are the security-related settings I have in php.ini on the production servers (PHP 5.2):

;turn on for the sites I need in the per-host config
register_globals = Off

;does not really make anything safe, and is too restrictive IMHO
safe_mode = Off

;notices almost always point to more serious problems
error_reporting = E_ALL

;it doesn't protect against SQL injection anyway
magic_quotes_gpc = Off

;don't allow scripts to load arbitrary code as an extension module
enable_dl = Off

;Anti-DOS settings
max_execution_time = 30
memory_limit = 16M
post_max_size = 8M
upload_max_filesize = 6M

;before PHP 5.2 (when allow_url_include was not available) I had it set to Off
allow_url_fopen = On
allow_url_include = Off

;Never use /tmp, critical projects may need a completely separate storage
session.save_path = "/home/www/sessions"

;I don't allow session id in URLs
session.use_only_cookies = 1


When I set up (compile) PHP on the server, I build the web server module and the CLI binary separately, with different ./configure options.
For the web server module I add "--disable-posix --disable-sockets --disable-ftp --disable-sysvsem --disable-sysvshm --disable-shmop --disable-pcntl".
For the CLI build I use the corresponding "--enable" options instead.

These settings give me almost unlimited flexibility on the dedicated server and good security while running my own code (not recommended for public hosting).
Untrusted code I run as separate sites, adding the "disable_functions" setting shown above in the VirtualHost section.
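As an added example (not part of the original post), here is a read-only self-check script that reports whether the settings above are actually in effect for the PHP environment it runs in. The expected values mirror the post, and the list of functions it verifies is the post's own disable_functions list; the directive names are real php.ini directives, while the checks themselves are this example's assumptions about what "hardened" means. Run it once from the CLI and once through a web request on the hardened VirtualHost, because php_admin_value overrides apply only to the web server module and the two builds differ in compiled-in extensions.

```php
<?php
// Added example: reports whether the hardening settings discussed in the post
// are in effect. Read-only; it changes nothing. Works on PHP 5.3 and later.

// ini_get() returns "" / "0" for Off, "1" for On, and false when the directive
// does not exist in this PHP build (e.g. register_globals on PHP >= 5.4).
function ini_flag($name) {
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

// Boolean directives from the post: directive, expected value, reason.
$flagChecks = array(
    array('register_globals',         false, 'request data must not become variables'),
    array('magic_quotes_gpc',         false, 'does not protect against SQL injection'),
    array('enable_dl',                false, 'scripts must not load extension modules'),
    array('allow_url_include',        false, 'blocks remote file inclusion'),
    array('session.use_only_cookies', true,  'keeps session ids out of URLs'),
);

$problems = array();

foreach ($flagChecks as $check) {
    list($name, $expected, $why) = $check;
    $actual = ini_flag($name);
    if ($actual === null) {
        continue; // directive removed in this PHP version, nothing to enforce
    }
    if ($actual !== $expected) {
        $problems[] = sprintf('%s is %s, expected %s (%s)', $name,
            $actual ? 'On' : 'Off', $expected ? 'On' : 'Off', $why);
    }
}

// open_basedir must be set and must not include "/" or the shared /tmp.
$basedir = (string) ini_get('open_basedir');
if ($basedir === '') {
    $problems[] = 'open_basedir is not set: scripts may read any file the web user can';
} else {
    foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
        if (in_array(rtrim($dir, '/'), array('', '/tmp'), true)) {
            $problems[] = "open_basedir contains an overly broad path '$dir'";
        }
    }
}

// Functions the post disables per VirtualHost. function_exists() returns false
// both for disable_functions entries and for extensions left out at compile
// time (--disable-sockets, --disable-pcntl), so it covers both mechanisms.
$dangerous = array('shell_exec', 'exec', 'system', 'passthru', 'proc_open', 'popen',
                   'curl_exec', 'pcntl_exec', 'socket_create', 'socket_create_listen');
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach ($dangerous as $fn) {
    if (function_exists($fn) && !in_array($fn, $disabled, true)) {
        $problems[] = "$fn is callable";
    }
}

// Session files should not live in the shared temp directory.
$savePath = (string) ini_get('session.save_path');
if ($savePath === '' || strpos($savePath, '/tmp') === 0) {
    $problems[] = "session.save_path '$savePath' is the shared temp directory";
}

// Upload temp dir should be the explicit per-site directory, not the default.
if ((string) ini_get('upload_tmp_dir') === '') {
    $problems[] = 'upload_tmp_dir is not set (uploads fall back to the system temp dir)';
}

if (count($problems) === 0) {
    echo "All checked hardening settings are in effect\n";
} else {
    echo "Findings:\n - " . implode("\n - ", $problems) . "\n";
}
```

The script deliberately checks the effective values with ini_get() rather than parsing php.ini, so it sees php_admin_value overrides from the VirtualHost and any directive a later .htaccess or ini_set() call could not change. A clean run from the CLI says nothing about the web build, which is the one that serves the untrusted forum.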
