
Configuration

Previously, posts discussed PHP Implementation, PHP as a Module, PHP as a CGI, and PHP over FastCGI. This final post discusses some configuration considerations when implementing PHP. Earlier, we copied the file php.ini-recommended to /usr/local/apache/php/lib/php.ini. A few options need to be configured for a more secure environment. The table below outlines options whose values should be understood and adjusted to your environment. Links provided by the PHP Security Consortium supply additional security considerations. No matter which implementation of PHP you choose, make sure to understand the configuration options so you can run PHP as securely as possible.

| Variable | Initial Value | Secure Value | Description |
|---|---|---|---|
| allow_url_fopen | Off | Off | If enabled, allows URLs to be treated as files. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. |
| allow_url_include | Off | Off | If enabled, allows remote file access via the include and require statements. If allow_url_fopen is disabled, allow_url_include is also disabled. |
| display_errors | Off | Off | Determines whether error messages are sent to the browser (displayed in the HTML page as they occur). Messages frequently contain sensitive information. |
| expose_php | On | Off | Decides whether PHP may expose the fact that it is installed on the server. It reports in every request that PHP is being used to process the request, and which version of PHP is installed. |
| file_uploads | On | Off | Whether to allow HTTP file uploads. |
| cgi.force_redirect | On | On | Necessary to provide security when running PHP as a CGI under most web servers. |
| disable_functions | | openlog | Disables the listed functions for security reasons. A malicious user could otherwise change the name under which the process is visible to syslog and have the Apache messages appear under a different name. |
| display_startup_errors | Off | Off | When enabled, displays errors that occur during PHP's startup sequence. |
| enable_dl | On | Off | Whether to enable dynamic module loading. This directive is really only useful in the Apache module version of PHP. One could write a custom extension to get around limitations imposed in the configuration file. |
| error_log | | /var/www/logs/php/php_error_log | Log errors to the specified file. Consider: cd /var/www/logs ; mkdir php ; chown httpd php |
| error_reporting | E_ALL | E_ALL | Set error reporting to the maximum. |
| log_errors | On | On | Log errors. If error_log is left unspecified, errors go to the Apache error log. |
| magic_quotes_gpc | Off | Off | Magic quotes for incoming GET/POST/Cookie data. Because it is inconsistent and ineffective, enabling magic_quotes_gpc is not recommended. |
| max_input_time | 60 | 60 | Maximum amount of time each script may spend parsing request data. Measure and determine based on your applications. |
| max_execution_time | 30 | 30 | Maximum execution time of each script, in seconds. Measure the performance of your applications and decrease the value if possible. |
| memory_limit | 128M | 8M | Maximum amount of memory a script may consume (default 128MB). Unless you are sure you need more, keep memory_limit no higher than 8 megabytes. |
| open_basedir | | "/var/www/htdocs/" | If set, limits all file operations to the defined directory and below. Set open_basedir to allow access only to the required portions of the filesystem, such as your web site's documents and any shared libraries. |
| post_max_size | 8M | 300K | Maximum size of POST data that PHP will accept. Setting a realistic value here mitigates some of the damage from attacks that send oversized request bodies. The value should be slightly higher than upload_max_filesize. |
| register_globals | Off | Off | Very dangerous. It automatically turns request parameters into PHP global variables. |
| safe_mode | Off | On | An attempt to enhance security by imposing a series of restrictions that make execution more secure. A full list of safe_mode restrictions is available on the PHP site. |
| safe_mode_exec_dir | | /var/www/bin | When safe_mode is on, only executables located in safe_mode_exec_dir may be run via the exec family of functions: exec(), system(), passthru(), popen(). |
| safe_mode_gid | Off | On | Safe Mode does a UID comparison when opening files. If scripts create files at runtime, access problems will occur. Enabling this relaxes the check from UID to GID. |
| safe_mode_allowed_env_vars | PHP_ | PHP_ | With safe mode, write access to environment variables is restricted. Only variables with the listed prefixes may be modified. |
| safe_mode_protected_env_vars | LD_LIBRARY_PATH | LD_LIBRARY_PATH | Forbids the listed variables from being altered. |
| session.save_path | /tmp | /var/www/sessions | Where session files are saved when using the default session handler. Set save_path to a folder outside the document root of your web site that is not readable or writable by any other system users. Any user who can list the contents of /tmp can learn all active session identifiers and hijack sessions. Consider: cd /var/www ; mkdir sessions ; chown httpd sessions |
| session.referer_check | | | When set, PHP checks the contents of the Referer request header, which protects against simple cross-site request forgery (CSRF) attacks. |
| upload_max_filesize | 2M | 256K | Maximum allowed size for uploaded files. Attackers may attempt to send grossly oversized files to exhaust your system resources. |
| upload_tmp_dir | /tmp | /var/www/tmp | Set upload_tmp_dir to a folder outside the document root of your web site that is not readable or writable by any other system users. If unset, the system default (normally /tmp) is used. Consider: cd /var/www ; mkdir tmp ; chown httpd tmp |
| use_trans_sid | Off | Off | When enabled, PHP passes the session ID via the URL, which makes it far easier for a malicious party to obtain an active session ID and hijack the session. Disable use_trans_sid in your PHP environment. |
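A small audit script for the settings above, added here as an example rather than taken from the original post: it reads the effective value of each directive from a php.ini (last uncommented assignment wins, boolean spellings such as 1/true/yes normalised to On/Off) and reports any that differ from the secure value in the table. The sample php.ini it writes to a temporary file is constructed for the demonstration; the list of directives checked is a subset of the table.

```shell
# Added example (not from the original post): audit a php.ini against the
# "Secure Value" column of the table above; the sample php.ini is constructed.
# Effective value of a directive: the last uncommented assignment wins (as in
# PHP), quotes and inline comments are stripped, and boolean spellings
# (1/true/yes/on vs 0/false/no/off) are normalised to On/Off.
ini_get() {  # ini_get FILE DIRECTIVE
    awk -v key="$2" '
        /^[[:space:]]*[;#\[]/ || index($0, "=") == 0 { next }
        { k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); if (k != key) next
          sub(/[[:space:]]*;.*$/, "", v)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); gsub(/^"|"$/, "", v); val = v }
        END { lc = tolower(val)
              if (lc ~ /^(1|true|yes|on)$/) val = "On"
              else if (lc ~ /^(0|false|no|off)$/) val = "Off"
              print val }' "$1"
}
# Check each directive against its secure value, printing one line per
# mismatch; the return status is the number of mismatches (0 = file passes).
audit_php_ini() {  # audit_php_ini FILE
    bad=0
    while read -r directive secure; do
        actual=$(ini_get "$1" "$directive")
        if [ "$actual" != "$secure" ]; then
            printf '%-18s expected %-18s got %s\n' "$directive" "$secure" "${actual:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<'EOF'
allow_url_fopen Off
allow_url_include Off
display_errors Off
expose_php Off
open_basedir /var/www/htdocs/
use_trans_sid Off
EOF
    return "$bad"
}
# Constructed sample: open_basedir is commented out, expose_php is written as
# "1", and a second display_errors line re-enables errors, so three findings.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
display_errors = on   ; the later assignment wins
expose_php = 1
;open_basedir = "/var/www/htdocs/"
use_trans_sid = 0
EOF
audit_php_ini "$SAMPLE_INI" || echo "$? directive(s) need attention"
```

Run it against the real file with audit_php_ini /usr/local/apache/php/lib/php.ini; a non-zero exit status makes it easy to wire into a deployment check.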

Trackbacks/Pingbacks

  1. [...] The Apache server can now serve up PHP files. Remember, PHP is running with the same file permission as the Apache server. Some important changes need to be made to the php.ini file. Please see the posting, “PHP Configuration Modifications.” [...]
