Safe mode and open base dir

Tonia

I have some security questions:


1) How safe is safe mode?

3) Must I turn open base dir on or off to be on the safest side?
 
Martynas, your post brings up a good question.

Has whatever security problem existing in Apache that led to safe_mode been fixed? If so, what are they, and what steps do we take before we upgrade to PHP 6?

Jeff
 
jlasman, could you explain your 1st question? About the 2nd - CustomBuild 1.2 will do everything that's needed for PHP6 (it will install ICU and add needed lines to the main httpd (apache) configuration file). Virtualhost templates are PHP6 compatible now (from DirectAdmin 1.31).
 
Sure, Martynas.

On the page on the PHP site you posted, the PHP staff writes that the purpose of safe_mode was to fix something that should have been fixed in Apache.

I just want to know how we're going to protect our sites into the future, without breaking sites that are on our systems now.

Jeff
 
Sure:
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.
Right above the Warning box on this page.

Jeff
 
From PHP meeting notes:
http://www.php.net/~derick/meeting-notes.html#id14
Issue: safe_mode is a feature in PHP that checks whether files to be opened or included have the same GID/UID as the starting script. This can cause many problems, for example if an application generates a cache file, it will do this with the user ID that belongs to the web server (usually "nobody"). As an application is usually uploaded by the user belonging to the web account (say "client") the scripts can no longer open the files that the application. The same problems happen when for example an application generates an image.
Discussion: As safe_mode is a name that gives the wrong signals as making PHP safe, we all agreed that we should remove this function. It can never be made totally safe as there will always be ways to circumvent safe_mode through libraries. This kind of functionality also better belongs in the web server or other security scheme. open_basedir is a feature that we will keep, and we will point users to this functionality in the error message that is thrown when we detect this setting on start-up.
Conclusions:
  1. We remove the safe_mode feature from PHP.
  2. We throw an E_CORE_ERROR when starting PHP and when we detect the safe_mode setting.
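
The meeting notes above describe safe_mode's owner comparison and name open_basedir as the feature being kept. The following is an added example, not part of the thread and not PHP's own code: it models both checks in Python over a constructed account tree to show why the cache file breaks under the owner check while the path check confines access. The account names, paths and the client UID are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the two checks, not PHP's source.
import os
import tempfile


def safe_mode_allows(script_uid, path):
    """safe_mode-style check: the file's owner must match the script's owner."""
    return os.stat(path).st_uid == script_uid


def open_basedir_allows(basedirs, path):
    """open_basedir-style check: the resolved path must sit under an allowed tree."""
    real = os.path.realpath(path)  # resolve symlinks before comparing
    for base in basedirs:
        base = os.path.realpath(base)
        if os.path.commonpath([real, base]) == base:
            return True
    return False


def demo():
    """Build a constructed account tree and return the four check results."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "client")    # hypothetical account
    other = os.path.join(root, "home", "client2")  # a neighbouring account
    os.makedirs(os.path.join(home, "cache"))
    os.makedirs(other)

    # The process running this file stands in for the web server user
    # ("nobody"), so everything it creates is owned by that UID.
    server_uid = os.getuid()
    client_uid = server_uid + 1  # constructed: the account that uploaded the script

    cache_file = os.path.join(home, "cache", "page.html")
    neighbour = os.path.join(other, "config.php")
    for p in (cache_file, neighbour):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    link = os.path.join(home, "escape")
    os.symlink(neighbour, link)  # symlink pointing out of the account

    return {
        "safe_mode_cache": safe_mode_allows(client_uid, cache_file),
        "basedir_cache": open_basedir_allows([home], cache_file),
        "basedir_neighbour": open_basedir_allows([home], neighbour),
        "basedir_symlink": open_basedir_allows([home], link),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The cache file written by the server user fails the owner comparison even though it lives inside the account, while the path-based check allows it and still refuses the neighbouring account's file, both directly and through the symlink.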
 
It's easy enough to discuss that the functionality belongs in the web server.

My question is simply, what can we do in the web server?

Jeff
 
Chroot it :) Or run PHP as CGI. There are many ways to secure PHP without the safe_mode setting.
 
I think it was all too easy for them to just remove safe mode. A better solution would have been to call safe mode something else if they felt the name was misleading, as to me it looks like it's just done to lighten the workload for the PHP team.
 
And since we've all been taught to use it, I still have no idea what to do now that I'm not supposed to use it anymore.

I suppose it's good that I'm not a PHP programmer, but I think I'd really like to see a How-To on how to create a safe environment that will work with current accounts, and not require safe_mode.

It would be helpful to a lot of systems administrators who are not PHP programmers.

Jeff
 