nginx+php(fpm-php fastcgi)open_basedir安全设置
实验目的
根据文章”PHP绕过open_basedir列目录的研究”通过测试不同的配置验证本文的绕过basedir的方法是否有效,从而安全配置php open_basedir的目的.
文中后面几个方法都是windwos下采用枚举的方式列出目录,linux下需要做暴力猜解的方式才可以,所以不做测试.
测试”DirectoryIterator + Glob”方式是否可以绕过open_basedir
测试webshell工具”菜刀”是否可以绕过open_basedir
nginx + PHP 5.6.7 fastcgi模式, centos7 linux
目前配置open_basedir有三处地方php-fpm.conf,nginx fastcgi_param,php.ini
下面逐一测试
只在php-fpm.conf中配置
php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/
结果
open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件
open_basedir : /home/wwwroot/:/proc/:/tmp/ -- DirectoryIterator + Glob --. .. .autorelabel bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr vagrant var
菜刀不可跨出basedir
只在nginx的fastcgi_param配置
# set php open_basedir fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";
这里的”$document_root”是nginx中的变量,为nginx的每个server里的root目录
比如server www.iamle.com配置的root目录为/home/wwwroot/www.iamle.com
认真读php手册有下面这段话
PHP配置值通过 php_value 或者 php_flag 设置,并且会覆盖以前的值。
请注意 disable_functions 或者 disable_classes 在 php.ini 之中定义的值不会被覆盖掉,但是会将新的设 置附加在原有值的后面。使用 php_admin_value 或者 php_admin_flag 定义的值,不能被 PHP代码中的 ini_set() 覆盖。自 5.3.3 起,也可以通过 web 服务器设置PHP 的设定。也就是nignx中fastcgi_param配置php的配置php_flag用来专门设置布尔值,如on, off, 1, 0, true, false, yes, no,而php_value用来设置所有类型的值结果和上面一样open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件
菜刀不可跨出basedir
只在php.ini配置
[HOST=www.iamle.com]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/[PATH=/home/wwwroot/www.iamle.com/]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/
意思是当HOST=www.iamle.com设置open_basedir,当PATH=/home/wwwroot/www.iamle.com/
设置open_basedir,我测试的时候2个任意设置一个都是有效的
结果和上面一样
open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件
菜刀不可跨出basedir
个人结论DirectoryIterator + Glob的方式可以列出php服务器上所有文件,看似没什么危害,实际上对于长期的APT绝对有帮助.
open_basedir不是想象的那么安全,说不定别人手上有甚至有能读写open_basedir的0day
个人推荐的nginx + php(fastcgi fpm-php)(lnmp) open_basedir的配置
先设置fpm-php中pool池中的总open_basedir这叫顶层设计,有个总限制,比如统一限制到/home/wwwroot/这样的web目录下再对nginx中单个server 通过 fastcgi_param PHP_ADMIN_VALUE 设置
再对php.ini设置 [HOST=XXX] [PATH=XXX]
三管齐下妈妈再也不用担心我的php open_basedir了(希望吧)
虽然很啰嗦,但是这样岂不是更放心
总而言之就是下面的结果,我就是下面这种啰嗦的配置
#在php-fpm.conf对应的pool池中行尾配置php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/#在nginx fastcgi fastcgi_param配置#这里用$document_root是一种取巧的方法,也可以设置绝对路径# set php open_basedirfastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";#在php.ini行尾配置[HOST=www.iamle.com]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/[PATH=/home/wwwroot/www.iamle.com/]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/
测试中还发现这三个地方配置的优先级如下
“php.ini” > “nginx fastcgi fastcgi_param” > “php-fpm.conf”

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

Alipay PHP...

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

Session hijacking can be achieved through the following steps: 1. Obtain the session ID, 2. Use the session ID, 3. Keep the session active. The methods to prevent session hijacking in PHP include: 1. Use the session_regenerate_id() function to regenerate the session ID, 2. Store session data through the database, 3. Ensure that all session data is transmitted through HTTPS.

The application of SOLID principle in PHP development includes: 1. Single responsibility principle (SRP): Each class is responsible for only one function. 2. Open and close principle (OCP): Changes are achieved through extension rather than modification. 3. Lisch's Substitution Principle (LSP): Subclasses can replace base classes without affecting program accuracy. 4. Interface isolation principle (ISP): Use fine-grained interfaces to avoid dependencies and unused methods. 5. Dependency inversion principle (DIP): High and low-level modules rely on abstraction and are implemented through dependency injection.

How to debug CLI mode in PHPStorm? When developing with PHPStorm, sometimes we need to debug PHP in command line interface (CLI) mode...

How to automatically set the permissions of unixsocket after the system restarts. Every time the system restarts, we need to execute the following command to modify the permissions of unixsocket: sudo...

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

Sending JSON data using PHP's cURL library In PHP development, it is often necessary to interact with external APIs. One of the common ways is to use cURL library to send POST�...
