(gs):Improve your PHP security
- This page was last modified on September 9, 2011, at 14:42.
From (mt) Community Wiki
This article will help you add several additional layers of security to PHP on your server.
Overview
The (gs) Grid-Service runs PHP as a CGI process. This means that you are able to freely modify your php.ini file, and the server does not need to be restarted for changes to take effect, as it would on a traditional server. Since the PHP process runs as the same user that owns your files, a PHP script can read and write any site on your (gs) Grid-Service if left unchecked.
Enter open_basedir
Essentially open_basedir is a way to restrict what directories PHP can access. For example, let's say you had two domains on your (gs) Grid-Service. By default their file structure would be similar to this:
/home/00000/domains/apples.com/html
/home/00000/domains/peaches.com/html
PHP scripts running inside apples.com can access files in peaches.com, since both reside on the same server and are owned by the same user. A legitimate need for this is rare, so to protect yourself you'll want to 'quarantine' each site with an open_basedir restriction. This can be done per domain with an .htaccess file placed at the same level as the 'html' directory. Still using apples.com as the example domain, the path is:
/home/00000/domains/apples.com/.htaccess
Inside this file add the following three lines. All three must be present in the .htaccess, at least once, for the restriction to work. Replace 00000 with your site ID and apples.com with your domain:
Options +FollowSymLinks
AddHandler php5-script .php
php_value open_basedir /home/00000/domains/apples.com:/tmp:/usr/local:/etc/apache2/gs-bin
The AddHandler line forces your site to run PHP5; the php_value line is the actual restriction, and each entry in its colon-separated list is a location PHP is allowed to open.
This prevents PHP scripts running inside apples.com from accessing peaches.com or any other domain on the same server. However, unless the same fix is also applied to peaches.com, that domain can still freely read other sites on the server, so set up open_basedir restrictions on ALL of your sites. Two caveats: open_basedir entries are matched as path prefixes, so /home/00000/domains/apples.com would also admit a directory such as /home/00000/domains/apples.com-old if one existed; end an entry with a slash if you want it to mean exactly that directory. And open_basedir is enforced only by PHP's own file functions; it is not an operating-system sandbox, so it complements rather than replaces the disable_functions restriction described below.
If a site needs access to an additional folder, append that folder to the open_basedir list, separated from the previous entry by a colon. For example, to allow /home/00000/data/anotherfile:
php_value open_basedir /home/00000/domains/apples.com:/tmp:/usr/local:/etc/apache2/gs-bin:/home/00000/data/anotherfile
Further restricting PHP
In addition to open_basedir, you can disable certain PHP functions that can be used to run arbitrary commands on the server. Edit your php.ini, located at /home/00000/etc/php.ini, and add the following line. Note that disable_functions can only be set in php.ini; a php_value line in .htaccess will not apply it:
disable_functions = exec, passthru, shell_exec, system, popen
Disabling functions may break legitimate applications that rely on them. For instance, ionCube may not function correctly without access to the 'exec' function. It is your responsibility to know which functions your applications use and adjust your disable_functions list accordingly.
If you have any other functions you would suggest disabling, please feel free to contribute. proc_open, which spawns a process in the same way popen does, is a common addition to the list above.
Automation
Since the (gs) Grid-Service can host up to 100 sites, applying open_basedir and disable_functions rules to all of them by hand can be tedious. Below is a shell script you can download and run to take care of this in a few keystrokes. To get started:
- Log into your server via SSH
- Enter the following command to download the file:
wget http://205.186.144.45/gs_basedir.sh
- Run the script:
sh gs_basedir.sh
The script has built-in instructions describing all the options it accepts. For cautious users, running gs_basedir.sh with the --menu option brings up clear step-by-step configuration options. Because the script is fetched over plain HTTP from a bare IP address, read through it before running it. Running it via sh does not require execute permission; if you prefer to run it directly as ./gs_basedir.sh, make sure the file has 755 permissions (chmod 755 gs_basedir.sh).
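To show what such an automation step has to do, here is an added example script that is not the wiki's gs_basedir.sh and not Media Temple's code. It generates the three-line open_basedir .htaccess described above for every domain directory under a domains root, and appends the disable_functions line to a php.ini, skipping anything already configured so it is safe to re-run. It assumes the directory layout the article shows (/home/<site ID>/domains/<domain>/html and /home/<site ID>/etc/php.ini); the function names and the single-argument invocation at the bottom are this example's own. It goes slightly beyond the wiki text by ending each open_basedir entry with a slash (so the entry is an exact directory rather than a prefix) and by including proc_open in the disabled list.

```shell
#!/bin/sh
# Added example, not the wiki's gs_basedir.sh. Writes per-domain open_basedir
# .htaccess files and a disable_functions line, idempotently.
# Assumed layout (from the article): <root>/<domain>/html and <root>/../etc/php.ini.

# Write the three-line .htaccess for one domain directory.
# $1 = domain directory, e.g. /home/00000/domains/apples.com
write_basedir_htaccess() {
    domain_dir=$1
    htaccess="$domain_dir/.htaccess"
    # Trailing slashes: open_basedir entries are prefix matches, so
    # "apples.com/" does not also admit "apples.com-old". The other
    # paths are the ones the article lists for the (gs) service.
    basedir="$domain_dir/:/tmp/:/usr/local/:/etc/apache2/gs-bin/"
    if [ -f "$htaccess" ] && grep -q '^php_value open_basedir' "$htaccess"; then
        echo "skip: $htaccess already sets open_basedir" >&2
        return 0
    fi
    # Append rather than overwrite so existing rewrite rules survive.
    {
        echo "Options +FollowSymLinks"
        echo "AddHandler php5-script .php"
        echo "php_value open_basedir $basedir"
    } >> "$htaccess"
}

# Apply the restriction to every real domain (one with an html/ dir) under
# the domains root. $1 = domains root. Prints the number of domains handled.
harden_all_domains() {
    root=$1
    count=0
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d/html" ] || continue   # skip stray files and non-domain dirs
        write_basedir_htaccess "$d"
        count=$((count + 1))
    done
    echo "$count"
}

# Add disable_functions to php.ini if it is not already set there.
# disable_functions is PHP_INI_SYSTEM, so php.ini is the only place it works.
# $1 = path to php.ini
ensure_disable_functions() {
    ini=$1
    # The article's list plus proc_open (added here; it spawns a process too).
    line='disable_functions = exec, passthru, shell_exec, system, popen, proc_open'
    if grep -q '^disable_functions' "$ini" 2>/dev/null; then
        echo "skip: $ini already sets disable_functions" >&2
        return 0
    fi
    echo "$line" >> "$ini"
}

# Stand-alone use (hypothetical invocation): sh harden_gs.sh 00000
if [ $# -eq 1 ]; then
    site_id=$1
    n=$(harden_all_domains "/home/$site_id/domains")
    ensure_disable_functions "/home/$site_id/etc/php.ini"
    echo "open_basedir applied to $n domain(s); disable_functions checked" >&2
fi
```

Review the generated .htaccess for any domain that already needed an extra open_basedir entry (the "anotherfile" case above): the script only adds the baseline line where none exists, it does not merge paths into an existing one.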