<meter id="pgsoe"></meter>

<code id="pgsoe"><u id="pgsoe"></u></code>

<acronym id="pgsoe"><video id="pgsoe"></video></acronym>
    1. <label id="pgsoe"></label>
  • <acronym id="pgsoe"><legend id="pgsoe"><blockquote id="pgsoe"></blockquote></legend></acronym>
      <label id="pgsoe"></label>
    <acronym id="pgsoe"></acronym>
  • <meter id="pgsoe"><u id="pgsoe"><option id="pgsoe"></option></u></meter>
    <output id="pgsoe"></output>
  • <var id="pgsoe"><ol id="pgsoe"></ol></var>
    LaravelConf Taiwan 2020 CFP Started

    Installed as an Apache module

    When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

    Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions.

    A frequent security mistake made at this point is to allow apache root permissions, or to escalate apache's abilities in some other way.

    Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

    There are some simpler solutions. By using open_basedir you can control and restrict what directories are allowed to be used for PHP. You can also set up apache-only areas, to restrict all web based activity to non-user, or non-system, files.

    add a note add a note

    User Contributed Notes 4 notes

    bk 2 at me dot com
    8 years ago
    doc_root already limits apache/php script folder locations.

    open_basedir is better used to restrict script access to folders
    which do NOT contain scripts. Can be a sub-folder of doc_root as in php doc example doc_root/tmp, but better yet in a separate folder tree, like ~user/open_basedir_root/. Harmful scripts could modify other scripts if doc_root (or include_path) and open_basedir overlap.
    If apache/php can't browse scripts in open_basedir, even if malicious scripts uploaded more bad scripts there, they won't be browse-able (executable).

    One should also note that the many shell execute functions are effectively a way to bypass open_basedir limits, and such functions should be disabled if security demands strict folder access control. Harmful scripts can do the unix/windows version of "delete */*/*/*" if allowed to execute native os shell commands via those functions. OS Shell commands could similarly bypass redirect restrictions and upload file restrictions by just brute force copying files into the doc_root tree. It would be nice if they could be disabled as a group or class of functions, but it is still possible to disable them one by one if needed for security.

    PS. currently there is a bug whereby the documented setting of open_basedir to docroot/tmp will not work if any include or require statements are done. Right now include will fail if the included php file is not in BOTH the open_basedir tree and the doc_root+include_path trees. Which is the opposite of safe.
    This means by any included php file must be in open_basedir, so is vulnerable to harmful scripts and php viruses like Injektor.
    daniel dot eckl at gmx dot de
    17 years ago
    There is a better solution than starting every virtual host in a seperate instance, which is wasting ressources.

    You can set open_basedir dynamically for every virtual host you have, so every PHP script on a virtual host is jailed to its document root.

    <VirtualHost www.example.com>
      ServerName www.example.com
      DocumentRoot /www-home/example.com
      <Location />
        php_admin_value open_basedir     \ "/www-home/example.com/:/usr/lib/php/"

    If you set safe_mode on, then the script can only use binaries in given directories (make a special dir only with the binaries your customers may use).

    Now no user of a virtual host can read/write/modify the data of another user on your machine.

    11 years ago
    Big thanks to "daniel dot eckl at gmx dot de" but i have to change his config, because it doesn't work (may be wrong syntax).
    I have add only this string to VirtualHost config and it works.
    php_admin_value open_basedir  /www/site1/
    Now all php scripts are locked in the directory.
    14 years ago
    I'm running Windows version of Apache with php as module. System is Windows XP Service Pack 2 on NTFS filesystem. To avoid potential security problems, I've set Apache to run under NT AUTHORITY\Network Service account, and there is only one directory, named Content, with Full Access for this account. Other directories are either not accessible at all or with readonly permissions (like %systemroot%)... So, even if Apache will be broken, nothing would happen to entire system, because that account doesn't have admin privilegies :)
    To Top
    金华| 弋阳| 天等| 龙胜| 临武| 贵溪| 繁峙| 淮阴| 乌拉特中旗| 德宏| 易门| 景县| 黄山区| 斋堂| 温宿| 班戈| 叶县| 汇川| 潞江坝| 金川| 隆安| 莲塘| 天祝| 荣县| 黄山市| 化州| 新郑| 怀柔| 浪卡子| 聂拉木| 临夏| 宁蒗| 简阳| 道县| 炉山| 新化| 郁南| 龙山| 张家口| 郫县| 丁青| 呈贡| 洞口| 小二沟| 凤山| 海安| 辰溪| 泸定| 陵水| 雄县| 朝克乌拉| 小灶火| 澄迈| 沂水| 福海| 荔浦| 鄯善| 伊和郭勒| 多伦| 溧阳| 贵溪| 潍坊| 东乡| 衡南| 慈利| 连城| 连山| 察哈尔右翼后旗| 贵定| 连城| 耀县| 东乌珠穆沁旗| 武邑| 三江| 平度| 渠县| 山南| 秀屿港| 博克图| 讷河| 乌什| 德庆| 武安| 峄城| 永清| 孙吴| 乌拉特后旗| 白日乌拉| 苏尼特左旗| 门头沟| 通许| 麦盖提| 新干| 定襄| 长丰| 容城| 紫云| 青浦| 汾西| 天山大西沟| 昆明农试站| 兴宁| 太原北郊| 集宁| 沂水| 河间| 九龙| 依安| 衡阳县| 扎鲁特旗| 遂溪| 鄯善| 越西| 玉树| 营山| 饶河| 铁干里克| 中江| 清原| 宜川| 汾西| 永春| 浠水| 三穗| 滁州| 柘城| 曲麻莱| 硕龙| 宜昌| 衡水| 周宁| 藁城| 临武| 杜蒙| 常州| 遂川| 海力素| 磴口| 临西| 礼泉| 班玛| 丁青| 神池| 雅布赖| 宣威| 平江| 日喀则| 潜江| 信阳| 濮阳| 平南| 兴国| 呼中| 永登| 朝阳| 多伦| 布尔津| 交口| 鄄城| 炮台| 图里河| 白城| 白河| 于洪| 六枝| 澳门| 宕昌| 隆化| 新晃| 南郑| 长阳| 红原| 秀山| 轮台| 嵩县| 砀山| 呼兰| 榆次| 无锡| 平南| 潮州| 厦门| 盐亭| 麻黄山| 二连浩特| 永胜| 山丹| 吐尔尕特| 科尔沁左翼后旗| 利辛| 草河口| 涠洲岛| 集贤| 察尔汉| 兖州| 敦煌| 连云港| 宁安| 九台| 弥渡| 宜章| 太仆寺旗| 临漳| 泸水| 沛县| 乌审召| 渭源| 扎鲁特旗| 来宾| 社旗| 白玉| 图里河| 伊金霍洛旗| 廊坊| 洛阳| 淳安| 富裕| 绥化| 前郭| 琼山| 榕江| 仙居| 黎平| 苍南| 琼结| 托克托| 交口| 万荣| 万载| 中泉子| 大武口| 晋中| 长兴| 普宁| 巴盟农试站| 汤河口| 海宁| 棠荫| 花垣| 松潘| 吉首| 新沂| 蔚县| 喀左| 通什| 盐都| 扶绥| 库车| 永顺| 通化| 华亭| 象州| 满都拉| 吉首| 松潘| 醴陵| 龙陵| 百色| 盐津| 紫金| 马龙| 西平| 河曲| 沾益| 托勒| 防城港| 屏边| 海原| 凯里| 伊春| 福海| 六合| 安仁| 仁化| 汝阳| 延津| 桐柏| 泽库| 石楼| 胡尔勒| 一八五团| 平凉| 白城| 莲花| 泽普| 沙塘| 永登| 黄茅洲| 丽水| 天池| 泾川| 息烽| 八里罕| 平潭| 新巴尔虎左旗| 东兴| 科尔沁左翼后旗| 四平| 昌平| 天镇| 阳高| 商南| 北海| 启东| 平顺| 雅安| 常熟| 讷河| 泾源| 福贡| 晋城| 常山| 昭平| 巴盟农试站| 陵水| 通榆| 巴南| 凌源| 昭平| 吉安| 安阳| 左云| 玉溪| 新余| 华安| 涿鹿| 彭泽| 临河| 永嘉| 重庆| 炮台| 南阳| 新余| 新乐| 神木| 龙口| 两当| 许昌| 永靖| 阿合奇| 高安| 邳州| 安康| 高雄| 安化| 十三间房气象站| 德阳| 共和| 曲江| 赞皇| 长垣| 汉寿| 高力板| 芦山| 塘沽| 大石桥| 乌鞘岭| 武宁| 阜阳| 南城| 马鞍山| 汉寿| 普定| 卓尼| 内邱| 南雄| 哈密| 鸡东| 永春| 梨树| 日喀则| 平谷| 垣曲| 霍城| 西峡| 弋阳| 上高| 湘阴| 泰宁| 如皋| 隆德| 合阳| 金佛山| 黔江| 仙桃| 海阳| 东莞| 沂南| 美姑| 沽源| 范县| 禄劝| 固阳| 台儿庄| 南昌| 镇康| 双江| 丹寨| 象山| 巴仑台