PHP security

HKI (Verified User, joined May 31, 2009, 25 messages)
Hello

Hope you all are busy in a good way.

I've run into a few things when securing PHP (we are using PHP in CGI mode with suPHP and open_basedir enabled); my main concerns are:

1) Even though open_basedir is enabled, users are able to look at other files using, for example, phpshell: they can see /etc/passwd, and when they put username/domain together, they can see other users' homepage files.
2) How to stop users executing/compiling binaries (for example DDoS programs) via exec, system, ...? /tmp is noexec, but when a user uploads such tools to their home dir, could they execute them there?

Thank you for suggestions and pointers.

Regards,
HKI
 
1) If users can do that, you have set open_basedir wrong or you didn't activate Safe Mode.
2) You have to remove manually all the functions that do that with disable_functions; there are multiple posts about that in this forum.
 
Hello,

Thank you for the reply.
1. Safe_mode is disabled; open_basedir seems on, at least phpinfo states so, it is just not applied to commands executed by phpshell.

E.g.

When using

fopen('/etc/passwd', 'r');

Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):

This is ok, but when doing:

echo `cat /etc/passwd`;

It works and shows /etc/passwd, the same as when using phpshell.

2. Clear, I will follow these posts.

Regards,
HKI
 
Thank you, I have considered this (also jailing).

But disabling, for example, exec will cause trouble with some scripts/sites.
Is there any option as an alternative to disabling those commands, or locking them out, so that users could not do that?
I'm looking for an option to keep exec and similar commands, but not allow users to see each other's files.
 
What you are asking can only be done with RBAC systems, where restrictions are done at the syscall level. See SELinux or grsecurity.
If you let a customer execute anything, there is nothing you can do to prevent him from reading any file his user has the right to read. There is no "open_basedir" for system commands.
Most shared hosting companies block any system execution function (exec, system, popen, etc.) because there is often a PHP way to do the same thing. See which customer's script/site needs those functions and tell them to use alternatives.
 
Clear, thank you.
Another option would be to use DA jail?

Could someone possibly point me to a forum thread regarding functions that should be disabled, except exec, system, ...

A thread which is argued and does not contain "disable all functions (not knowing what they are doing)" suggestions.

Thanks!

HKI
 
Hi. First of all, check the /etc/passwd chmod and you will see that anybody on the system can see it. Seeing other users is not the worst of all; if everything else is configured right then you don't have to worry about that.

About disable_functions, you should try to add these:
escapeshellarg,escapeshellcmd,dl,shell_exec,exec,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system,posix_access,posix_ctermid,posix_get_last_error,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_satty,posix_kill,posix_mkfifo,posix_mknod,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_tims,posix_ttyname,posix_uname,apache_child_terminate,apache_get_modules,apache_get_version,apache_lookup_uri,apache_note,apache_request_headers,apache_reset_timeout,apache_response_headers,apache_setenv,ascii2ebcdic,ebcdic2ascii,getallheaders,virtual,php_uname,disk_free_space,diskfreespace,disk_total_space,leak,ini_alter,ini_restore,openlog,show_source,highlight_file

Have a nice day
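The two replies above make one point between them: open_basedir only governs PHP's own file functions, while exec/system/backticks hand a command to the OS, so the only PHP-level control over process spawning is disable_functions, and that list must at least cover every spawning function. The script below is an added example (not from this thread or from DirectAdmin) that audits the disable_functions line of a constructed php.ini sample: it reports which process-spawning functions are still enabled and which entries are listed twice, as shell_exec is in the list posted above. The set PROCESS_SPAWNERS is my own; backticks are implemented by shell_exec, so disabling it also disables the backtick operator.

```python
"""Audit the disable_functions line of a php.ini (added example, not thread code)."""
import re

# Functions that spawn an OS process (my assumption of the minimum set).
# The backtick operator is implemented by shell_exec, so disabling
# shell_exec also disables `cat /etc/passwd`-style commands.
PROCESS_SPAWNERS = {
    "exec", "passthru", "system", "shell_exec", "popen", "proc_open", "pcntl_exec",
}

# Constructed sample php.ini: open_basedir is set, but the disable_functions
# list is incomplete and contains a duplicate.
SAMPLE_PHP_INI = """\
; constructed sample
[PHP]
safe_mode = Off
open_basedir = /home/:/tmp/
disable_functions = exec, system, shell_exec, shell_exec, passthru
"""


def parse_disable_functions(ini_text):
    """Return the names from the last uncommented disable_functions line (or [])."""
    names = []
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")):
            continue  # php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            raw = m.group(1).strip().strip('"')
            names = [n.strip().lower() for n in raw.split(",") if n.strip()]
    return names


def audit_disable_functions(ini_text):
    """Report spawners still enabled and duplicated entries in the list."""
    names = parse_disable_functions(ini_text)
    seen, duplicates = set(), []
    for n in names:
        if n in seen and n not in duplicates:
            duplicates.append(n)
        seen.add(n)
    missing = sorted(PROCESS_SPAWNERS - seen)
    return {"disabled": sorted(seen), "missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    result = audit_disable_functions(SAMPLE_PHP_INI)
    print("process spawners still enabled:", result["missing"])
    print("duplicates in list:", result["duplicates"])
```

Run it against a real php.ini by reading the file into `audit_disable_functions`; a non-empty "missing" list means a script can still spawn a process that open_basedir will not constrain.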
 
Starting with PHP 5.3 open_basedir could be set by anyone. Is there any method to protect against it (without chroot)?
 