Installé en tant que module Apache

Lorsque PHP est compilé en tant que module Apache, ce module hérite des permissions accordées à l'utilisateur faisant tourner Apache (par défaut, l'utilisateur "nobody"). Cela à plusieurs impacts sur la sécurité et les autorisations. Par exemple, si vous utilisez PHP pour accéder à une base de données, à moins que la base n'ait un système de droits d'accès interne, vous devrez rendre la base accessible à l'utilisateur "nobody". Cela signifie qu'un script mal intentionné peut accéder à la base, la modifier sans identification. Il est aussi possible qu'un robot accède à la page d'administration, et détruise toutes les pages. Vous devez aussi protéger vos bases de données avec les autorisations Apache, ou définir votre propre modèle d'accès avec LDAP, .htaccess, etc. et inclure ce code dans tous vos scripts : PHP.

Souvent, lorsqu'on a établi les droits de l'utilisateur PHP (ici, l'utilisateur Apache) pour minimiser les risques, on s'aperçoit que PHP ne peut plus écrire de virus dans les fichiers des utilisateurs. Ou encore, modifier une base de données privée. Il est aussi incapable de modifier des fichiers qu'il devrait pouvoir modifier, ou effectuer certaines transactions.

Une erreur fréquente de sécurité est de donner à l'utilisateur Apache les droits de superadministrateur ou d'améliorer les possibilités d'Apache d'une autre façon.

Donner de telles permissions à l'utilisateur Apache est extrêmement dangereux, et peut compromettre tout le système, telle que l'utilisation des sudo ou du chroot. Pour les novices de la sécurité, une telle utilisation est à exclure d'office.

Il existe des solutions plus simples. En utilisant open_basedir vous pouvez contrôler et restreindre l'accès à certains dossiers qui pourront être utilisés par PHP. Vous pouvez aussi créer des aires de restrictionsApache, pour restreindre les activités anonymes liées aux internautes.

Sécurité des fichiers

Cas 4 : L'exécutable PHP à l'extérieur de l'arborescence du serveur

[edit] Last updated: Fri, 25 May 2012

add a note User Contributed Notes Installé en tant que module Apache

bk 2 at me dot com 24-Feb-2012 05:17


doc_root already limits apache/php script folder locations.



open_basedir is better used to restrict script access to folders

which do NOT contain scripts. Can be a sub-folder of doc_root as in php doc example doc_root/tmp, but better yet in a separate folder tree, like ~user/open_basedir_root/. Harmful scripts could modify other scripts if doc_root (or include_path) and open_basedir overlap.

If apache/php can't browse scripts in open_basedir, even if malicious scripts uploaded more bad scripts there, they won't be browse-able (executable). 



One should also note that the many shell execute functions are effectively a way to bypass open_basedir limits, and such functions should be disabled if security demands strict folder access control. Harmful scripts can do the unix/windows version of "delete */*/*/*" if allowed to execute native os shell commands via those functions. OS Shell commands could similarly bypass redirect restrictions and upload file restrictions by just brute force copying files into the doc_root tree. It would be nice if they could be disabled as a group or class of functions, but it is still possible to disable them one by one if needed for security.



PS. currently there is a bug whereby the documented setting of open_basedir to docroot/tmp will not work if any include or require statements are done. Right now include will fail if the included php file is not in BOTH the open_basedir tree and the doc_root+include_path trees. Which is the opposite of safe.

This means by any included php file must be in open_basedir, so is vulnerable to harmful scripts and php viruses like Injektor.

Vikanich 14-Aug-2008 04:41


Big thanks to "daniel dot eckl at gmx dot de" but i have to change his config, because it doesn't work (may be wrong syntax).

I have add only this string to VirtualHost config and it works.

php_admin_value open_basedir  /www/site1/

Now all php scripts are locked in the directory.

Kibab 30-Sep-2005 06:56


I'm running Windows version of Apache with php as module. System is Windows XP Service Pack 2 on NTFS filesystem. To avoid potential security problems, I've set Apache to run under NT AUTHORITY\Network Service account, and there is only one directory, named Content, with Full Access for this account. Other directories are either not accessible at all or with readonly permissions (like %systemroot%)... So, even if Apache will be broken, nothing would happen to entire system, because that account doesn't have admin privilegies :)

tifkap 01-Mar-2004 03:21


There is a safe way to support a lot of users in a secure way, without having to use CGI, in a way which is probebly faster

than mod_php.



Use FastCGI, with the SuExecWrapper set to your suid wrapper. It means every user wil get his own program-group, with processes

which are being reused. If the numer of processes that is being 

started on startup is 0, then the processgroup for a user will be generated when needed.



This means: The first page is slow, after that the Zend Engine  caching kicks in. When the load on the virtualhost reduces, the

processes wil die off, and extra processes for a user-process-group 

will only be started when (again) needed.



Your apache will be a LOT! lichter, because it won't have to drag all

the php-memory overhead with it. This means static content is 

faster, and the whole system uses less memory. 

The PHP itself also won't need to drag along the apache overhead.



If for one reason or the other php craches, your apache will simple 

start some new php-processes. If you want to upgrade/patch php, 

you can simple create the new fastcgi binary, and after testing, you can simple update the system by copying it, and maybe doing a 

'apachectl gracefull'



In short :  Sepparating distinct functions in different processes 

                communicating useing IPC methodes can be very good

                for performance and security. The best example of this

                principle at work is Postfix, where every process runs 

                chroot() under its own uid.



http://wiki.openisis.org/i/view/Php/HowtoFastCgi

Georgee at CWC 30-Apr-2003 06:16


Additional CAUTION to anyone trying Pollux's solution:

It's kind a good. Probably works right. I think I'll give it a try myself. BUT...

its safe ONLY on the assumption that apache is 100% CLEAN. (codes and confs.) Any flaws on apache, almost ANYTHING could happen to ALL users -precisely, web users. (Because apache is a member of ALL -again, web user's- GID.) So, leeps's hint should be one of the important things.



There is nothing close to perfect. What I wrote is just one thing you'll have to keep in mind. So, consider carefully BEFORE you try this solution. (Well, this applies to any other solutions though...)

leeps 10-Mar-2003 05:59


@pollux: additionally, tell your users to set their file-permissions to

- r-- (group) for files

- --x (group) for directories.



this disables the webserver to browse user's directory. if you don't know the filename, you cannot open it, e.g. by running malicious php-code through one of the users scripts.

daniel dot eckl at gmx dot de 08-Aug-2002 04:16


There is a better solution than starting every virtual host in a seperate instance, which is wasting ressources.



You can set open_basedir dynamically for every virtual host you have, so every PHP script on a virtual host is jailed to its document root.



Example:

<VirtualHost www.example.com>

  ServerName www.example.com

  DocumentRoot /www-home/example.com

[...]

  <Location />

    php_admin_value open_basedir     \ "/www-home/example.com/:/usr/lib/php/"

  </Location>

</VirtualHost>



If you set safe_mode on, then the script can only use binaries in given directories (make a special dir only with the binaries your customers may use).



Now no user of a virtual host can read/write/modify the data of another user on your machine.



Windseeker

add a note