  1. #1
    Member linuxprovider's Avatar
    Join Date
    Mar 2004
    Location
    egypt
    Posts
    28

    Securing php

    Dear All

    I have secured my PHP by turning safe mode on and disabling some functions,

    but now I am facing annoying things from my customers, as they create a php.ini
    on their sites and enable what they wish, like turning safe mode off.

    Please, how could I stop that and
    make this file (php.ini) useless on their sites?
    Shafei Gad
    Linux System Administrator
    002 0123802231


  2. #2
    Super Moderator chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    IIRC, if you install Zend Optimizer local php.ini files are ignored:

    /scripts/installzendopt
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member linuxprovider's Avatar
    Join Date
    Mar 2004
    Location
    egypt
    Posts
    28

    Dear chirpy

    I have already installed Zend Optimizer
    and I am running PHP as CGI (phpsuexec),

    and my customers can still disable safe mode.
    Shafei Gad
    Linux System Administrator
    002 0123802231


  4. #4
    Member
    Join Date
    Sep 2006
    Posts
    48

    Hi,
    In their vHost, add php_admin_value safe_mode on and they can't turn it off.

  5. #5
    Member linuxprovider's Avatar
    Join Date
    Mar 2004
    Location
    egypt
    Posts
    28

    Thanks

    But I am running PHP as CGI (phpsuexec),

    so I cannot add php_admin_value in httpd.conf.
    Shafei Gad
    Linux System Administrator
    002 0123802231


  6. #6
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote: Originally posted by linuxprovider
    Dear All

    I have secured my PHP by turning safe mode on and disabling some functions,

    but now I am facing annoying things from my customers, as they create a php.ini
    on their sites and enable what they wish, like turning safe mode off.

    Please, how could I stop that and
    make this file (php.ini) useless on their sites?

    I personally don't recommend phpSuExec because of reasons like this and
    also that it creates more security risks than those it is supposed to fix.

    I do, however, very strongly recommend SuPHP as it gives you all the benefits
    of phpSuExec without any of the negatives (performance, security, etc).

    Under EDGE with Apache 2, SuPHP can be installed automatically.

    Under all other trees with Apache 1.x, SuPHP would have to be installed
    manually by hand since it's not currently directly supported by cPanel
    for Apache 1.x even though the latest release of SuPHP supports
    the earlier versions of Apache.

    Now with that said, there are a few things that can be done to improve
    the situation with phpSuExec:

    1. Install Zend Optimizer (/scripts/installzendopt 3.2.6)

    2. Make sure your PHP is at least PHP 5.1.6 minimum and I strongly
    recommend using PHP 5.2.1 as this will directly remove the
    custom php.ini ability of the users.

    3. Install the Suhosin patch and / or extension

    4. If you want to get really slick on your users, you can setup a cron job
    to search for and remove custom php.ini files at regular intervals
    (Basic example: find /home/*/public_html -type f -name 'php.ini' -print0 | xargs -0 rm -f)

    I am not a very big fan of "safe mode" though because there are a
    number of weaknesses with that which are pretty well known and it is
    usually better to custom configure the security of all the relevant areas
    such as disable dynamic load modules, enable openbase restrictions,
    lock down dangerous functions with disable_functions, etc.
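
An added example, not part of the thread: a read-only audit that reports which hardening directives each customer php.ini overrides, useful to run before a cron job that deletes those files. The function names, the watched-directive list (open_basedir and enable_dl are assumed to be the settings the last post means by "openbase restrictions" and "dynamic load modules") and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Directives a per-directory php.ini could use to undo server-wide hardening
# (assumed list; extend it to match the server's own php.ini policy).
WATCHED='safe_mode|disable_functions|open_basedir|enable_dl'

# audit_php_ini HOME_ROOT
# Prints "<path><TAB><directive>=<value>" for every watched directive set in a
# php.ini under HOME_ROOT/*/public_html. Nothing is modified or deleted.
# find runs without -L, so symlinked files and directories are skipped, and
# -exec ... {} + passes paths to awk intact even if they contain spaces.
audit_php_ini() {
    find "$1"/*/public_html -type f -name 'php.ini' -exec awk -F= \
        -v re="^($WATCHED)\$" '
        { sub(/;.*$/, "") }              # drop ";" comments before parsing
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key ~ re) printf "%s\t%s=%s\n", FILENAME, key, val
        }' {} + 2>/dev/null
}

# Constructed sample tree (not real customer data) so the example runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html/my shop" "$root/bob/public_html"
    printf 'safe_mode = Off ; set by customer\ndisable_functions =\nmemory_limit = 64M\n' \
        > "$root/alice/public_html/my shop/php.ini"
    printf '; safe_mode = Off\nupload_max_filesize = 8M\n' \
        > "$root/bob/public_html/php.ini"
    printf '%s\n' "$root"
}

SAMPLE_ROOT=$(make_sample_tree)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT

# Reports alice's two overrides; bob's file sets nothing on the watch list
# (his safe_mode line is commented out), so it is not reported.
audit_php_ini "$SAMPLE_ROOT"
```

On a real server the argument would be /home, and the output can be reviewed or mailed to the administrator before any file is removed.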
