The Community Forums

Securing php

Discussion in 'General Discussion' started by linuxprovider, Apr 24, 2007.

  1. linuxprovider

    linuxprovider Active Member

    Joined:
    Mar 4, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    egypt
    Dear All,

    I have secured my PHP by turning safe mode on and disabling some functions,

    but now I am facing annoying things from my customers: they create a php.ini
    on their sites and enable whatever they wish, like turning safe mode off.

    Please, how could I stop that
    and make this file (php.ini) useless on their sites?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    IIRC, if you install Zend Optimizer local php.ini files are ignored:

    /scripts/installzendopt
     
  3. linuxprovider

    linuxprovider Active Member

    Joined:
    Mar 4, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    egypt
    Dear chirpy,

    I have already installed Zend Optimizer
    and am running PHP as CGI (phpsuexec),

    and my customers can still disable safe mode.
     
  4. rejected

    rejected Well-Known Member

    Joined:
    Sep 19, 2006
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    0
    Hi,
    In their vhost add php_admin_value safe_mode on and they can't turn it off :)
     
  5. linuxprovider

    linuxprovider Active Member

    Joined:
    Mar 4, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    egypt
    Thanks,

    but I am running PHP as CGI (phpsuexec),

    so I cannot add php_admin_value in httpd.conf.
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I personally don't recommend phpSuExec because of issues like this and
    also because it creates more security risks than those it is supposed to fix.

    I do, however, very strongly recommend suPHP, as it gives you all the benefits
    of phpSuExec without any of the negatives (performance, security, etc.).

    Under EDGE with Apache 2, suPHP can be installed automatically.

    Under all other trees with Apache 1.x, suPHP would have to be installed
    manually by hand, since it's not currently directly supported by cPanel
    for Apache 1.x, even though the latest release of suPHP supports
    the earlier versions of Apache.

    Now, with that said, there are a few things that can be done to improve
    the situation with phpSuExec:

    1. Install Zend Optimizer (/scripts/installzendopt 3.2.6)

    2. Make sure your PHP is at least PHP 5.1.6, and I strongly
    recommend using PHP 5.2.1, as this will directly remove the
    custom php.ini ability of the users.

    3. Install the Suhosin patch and/or extension.

    4. If you want to get really slick on your users, you can set up a cron job
    to search for and remove custom php.ini files at regular intervals.
    Basic example (using -exec ... + so that paths with spaces or odd characters are handled safely):

        find /home/*/public_html -type f -name php.ini -exec rm -f {} +

    I am not a very big fan of "safe mode", though, because there are a
    number of weaknesses with it which are pretty well known, and it is
    usually better to custom-configure the security of all the relevant areas,
    such as disabling dynamic module loading, enabling open_basedir restrictions,
    locking down dangerous functions with disable_functions, etc.
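The following script is an added example and is not code from the thread or from cPanel. It fleshes out the cron-job idea in step 4 above: before deleting anything, it reports which hardening directives the user php.ini files actually override, so an administrator can see what is being undone rather than blindly removing files. It assumes the cPanel layout /home/<user>/public_html that the thread uses (the root directory is an argument, so it can be pointed elsewhere), and the list of watched directives is a choice made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit, and optionally remove, per-site
# php.ini files that users drop into their web space to undo server-wide PHP
# hardening when PHP runs as CGI (the CGI SAPI reads php.ini from the script's
# own directory). Assumes the cPanel layout /home/<user>/public_html; the root
# directory is taken as an argument so it can be pointed elsewhere.

# Directives whose presence in a user php.ini is worth a look. This list is an
# assumption for the example; extend it to match your own hardening policy.
WATCH='safe_mode|disable_functions|open_basedir|enable_dl|allow_url_fopen|allow_url_include'

# list_overrides ROOT: one path per line for every php.ini below ROOT.
list_overrides() {
    find "$1" -type f -name php.ini 2>/dev/null | sort
}

# report_overrides ROOT: print "path:line:directive = value" for each watched
# directive a user php.ini sets. /dev/null is passed as a second file so grep
# always prefixes the file name (portable across GNU and BSD grep).
report_overrides() {
    list_overrides "$1" | while IFS= read -r ini; do
        grep -n -i -E "^[[:space:]]*($WATCH)[[:space:]]*=" "$ini" /dev/null
    done
    return 0
}

# count_overrides ROOT: number of watched-directive lines found under ROOT.
count_overrides() {
    report_overrides "$1" | wc -l | tr -d ' '
}

# remove_overrides ROOT: delete every user php.ini below ROOT (the cron-job idea
# from the thread). "-exec ... +" copes with spaces or odd characters in paths,
# which a plain "| xargs rm" does not.
remove_overrides() {
    find "$1" -type f -name php.ini -exec rm -f {} +
}

# Direct invocation: php_ini_audit.sh ROOT [--remove]
# Example cron entry (assumed): 0 * * * * /root/php_ini_audit.sh /home --remove
if [ -n "${1:-}" ]; then
    report_overrides "$1"
    if [ "${2:-}" = "--remove" ]; then
        remove_overrides "$1"
    fi
fi
```

Two caveats when using something like this. Deleting files is a race against a customer who simply recreates php.ini, and it will also remove php.ini files that some applications legitimately ship with; the thread's other suggestions (php_admin_value under mod_php, or moving to suPHP) address the cause rather than the symptom. After a sweep, confirm the effective value from inside a site, for example a throwaway script calling ini_get('safe_mode') run as that user, rather than trusting that no file exists.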
     