php security

I’m not big on php (I write in coldfusion) but I have a number of clients hosted that do use php. I’ve been looking over the setup of php on my system, which is the default settings that virtualmin gave me. One thing that struck me was that although each virtual host is using suexec, php’s fopen() function can be used to read any globally readable file (like /etc/passwd). This seems to be a bit of a problem.

I found the following apache directive "php_admin_value open_basedir /home/mydir/" which seems to fix this.

My default template looks like this

ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log common
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
<Directory ${HOME}/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
php_admin_value open_basedir ${HOME}
</Directory>

Does anyone with php experience know of any problems using this?

Joe, maybe this should be in the default server template by default, if there are no side effects.

Also there is the php “safe_mode” flag which can be turned on, but I don’t know what side effects that might have, especially with things like script installers.

Any thoughts…
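A way to check which virtual hosts on a server still lack the `php_admin_value open_basedir` directive from the post above, as an added example that is not part of the original thread. It assumes each site is defined in a `<VirtualHost>` block in the files passed as arguments; the function name, host names and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example. Prints the ServerName of every <VirtualHost> block that has
# no effective "php_admin_value open_basedir" directive.

vhosts_missing_basedir() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }                      # skip comments
        line ~ /^[ \t]*<virtualhost[ \t>]/ {
            in_vh = 1; found = 0; name = "(no ServerName)"; next
        }
        in_vh && line ~ /^[ \t]*servername[ \t]/ { name = $2; next }
        in_vh && line ~ /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ {
            v = tolower($3); gsub(/"/, "", v)
            # "none" clears the setting, so it does not count as a restriction
            if (v != "" && v != "none") found = 1
            next
        }
        line ~ /^[ \t]*<\/virtualhost>/ {
            if (in_vh && !found) print name
            in_vh = 0
        }
    ' "$@"
}

# Constructed sample configuration (host names and paths are made up).
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
ServerName locked.example.test
<Directory /home/locked/public_html>
php_admin_value open_basedir /home/locked/
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName open.example.test
DocumentRoot /home/open/public_html
</VirtualHost>
<VirtualHost *:80>
ServerName cleared.example.test
php_admin_value open_basedir none
</VirtualHost>
EOF
}

# Audit the files given on the command line, or the sample when none are given.
if [ "$#" -gt 0 ]; then vhosts_missing_basedir "$@"
else sample_conf | vhosts_missing_basedir; fi
```

Run against the sample, it reports `open.example.test` and `cleared.example.test`; a site that sets the value to `none` is listed because that value clears the restriction.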

Hi Chris,

This is a known problem and will appear in several places within PHP. I found the best solution is to install suPHP, which chroots PHP not only to the directory but ensures all commands are executed under their user id.

Additionally, you will find similar problems with perl & ssi if you do not configure them correctly.

Hey Guys,

I agree this is an important issue…I am working on a FastCGI feature in Virtualmin that should be available pretty soon–probably by this weekend. It will not only allow SuExec features for PHP, it will also allow the use of both PHP4 and PHP5 simultaneously within the same Apache process. Users and Script Installers can then choose the version of PHP that best suits their needs. It’ll be neat. :wink: