dave5398 wrote: I have just leased a virtual server
Which kind of virtual server, a real one, or a "fake" virtual server which is really a shared (non-virtual) server just sold as a virtual server?
I want to put my scripts at a higher level than the publicly accessible directory
They will not be able to be run from the web if you do so. Are these CLI scripts designed to be run interactively or from cron?
(1) Where is the open_basedir option set if not in the php.ini file?
Either in some other php.ini file or set in an Apache config file (if you're using Apache).
(2) Can I set it using ini_set?
You can't override it if it's set already.
(3) Am I right anyway to want to put my scripts in a higher level directory (because they contain my MySQL username and password in clear text)? Or is there another way to protect that information?
That is not a reasonable method of doing this.
Normal procedure is to store the application configuration in a single file, which contains define()s with the passwords etc. in it.
This file could be placed in a directory under the web root called "include", and will be called config.php. Because of the .php extension, the web server will not serve the file directly to the public anyway.
As another security measure, I typically put
Deny From All
in the .htaccess in this "include/" directory. This doesn't affect PHP's ability to include() or require() files from there, but will prevent the web server accidentally serving any files in there, even in the event of another configuration error.
If it's a shared server, there is nothing you can do to secure it - get a proper dedicated server instead.
Mark
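
Added example, not part of the post above: a small PHP audit script for the layout the reply describes (include/config.php plus an include/.htaccess deny rule), which also reports the effective open_basedir and the ini files PHP loaded. The function names and the assumption that the script sits in the web root next to include/ are hypothetical; "Require all denied" is accepted as the Apache 2.4 form of the same rule.

```php
<?php
// Added example. Assumed layout: <web root>/include/config.php and
// <web root>/include/.htaccess, as described in the reply above.

function audit_include_dir(string $webRoot): array
{
    $findings = [];
    $dir = rtrim($webRoot, '/') . '/include';

    if (!is_file("$dir/config.php")) {
        $findings[] = 'include/config.php not found';
    }
    // Anything without a .php extension relies on the .htaccess rule alone:
    // the server would send it as-is if that rule were missing or ignored.
    foreach (glob("$dir/*") ?: [] as $file) {
        if (is_file($file) && !preg_match('/\.php$/i', $file)) {
            $findings[] = basename($file) . ' is not .php; only .htaccess protects it';
        }
    }
    // This reads the file only. It cannot confirm that Apache honours it
    // (that depends on AllowOverride in the server configuration).
    $htaccess = @file_get_contents("$dir/.htaccess");
    $deny = '/^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$/mi';
    if ($htaccess === false) {
        $findings[] = 'include/.htaccess missing';
    } elseif (!preg_match($deny, $htaccess)) {
        $findings[] = 'include/.htaccess has no "Deny From All" rule';
    }
    return $findings;
}

function open_basedir_report(): array
{
    // If open_basedir has a value that appears in none of the listed ini
    // files, it is being set in the web server configuration instead.
    return [
        'open_basedir' => ini_get('open_basedir') ?: '(not set)',
        'loaded ini'   => php_ini_loaded_file() ?: '(none)',
        'scanned ini'  => php_ini_scanned_files() ?: '(none)',
    ];
}

$root = $argv[1] ?? __DIR__;   // web root; defaults to this script's directory
foreach (open_basedir_report() as $key => $value) {
    echo "$key: $value\n";
}
$findings = audit_include_dir($root);
echo $findings ? implode("\n", $findings) . "\n" : "include/ layout OK\n";
```

Run it through the web server rather than the CLI when checking open_basedir, since the two can load different ini files.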