0

I have Apache 2.4 with PHP 5.5.14 installed on latest Debian. According to Apache security tips&tricks I've set my httpd.conf to this:

<Directory />
  AllowOverride none
  Require all denied
</Directory>
<Directory "/var/www">
  Options FollowSymLinks
  AllowOverride none
  Require all granted
</Directory>

I restart the Apache server and run this PHP code:

<?php
  $filename = "/etc/passwd";
  $handle = fopen($filename, "r");
  $contents = fread($handle, filesize($filename));
  fclose($handle);
  echo($contents);
?>

The code gets the whole /etc/passwd file and I consider it a huge security issue. Now, I've been trying to solve this for a couple of days now simply by reading the manuals, but I had no luck yet. I'd appreacte a push in the right directions, thanx.

Kevin Kopf
  • 117
  • 6
  • how about open_basedir parameter? http://www.php.net/manual/en/ini.core.php#ini.open-basedir – masegaloeh Jul 03 '14 at 02:37
  • Now, I feel stupid because that's exactly the solution I was looking for. Missed it in the php.ini... Post it as answer and I'll mark it. Thanx! – Kevin Kopf Jul 03 '14 at 02:49

2 Answers2

2

But be aware that open_basedir will just restrict directory access for PHP functions and the like but not for external programs that are being executed via PHP. For example:

    <?php
    $file = shell_exec('cat /etc/passwd');
    echo $file;

will output the contents of the /etc/passwd file without a problem, because the filesystem access is not invoked by PHP itself but the cat program. cat is run by the www-data user by default (on Debian), so just regular OS file access permissions will apply here (i.e access for file owner, group and world).

To prevent that, you can either

  • disable functions like exec(), passthru(), system(), shell_exec() that execute shell commands via disable_functions in your php.ini,
  • change the permission of the files, so the user running the webserver (or PHP) doesn't have permission to read the file or
  • put Apache or PHP in a chroot jail (though I've never tried that myself).

Depending on your Apache/PHP configuration and your needs, the disable_functions is probably the easiest to set up, but it will likely break things like ImageMagick and stuff, that is often with exec() (like exec('/usr/bin/convert ...') for ImageMagick).

I tested that on Debian Squeeze with Apache and PHP as mod_php from the repositories and Ubuntu 14.04 with Apache and PHP run via php-fpm, also with the packages from the repository. Probably that will also apply to PHP on Windows, but I never tried that... though cat /etc/passwd won't work :-)

Thomas
  • 129
  • 4
  • Thanx a lot for the tip! I realize that, I already disabled some functions that might compromise my system. – Kevin Kopf Jul 11 '14 at 07:30
0

You can use parameter open_basedir defined in php.ini. This parameter will prevent the PHP script accessing file (such as fopen() or include()) outside the directory specified in open_basedir. See this page for documentation.

masegaloeh
  • 18,236
  • 10
  • 57
  • 106