PHP security measures and safe mode

伊谢尔伦
Release: 2016-11-22 10:21:56

PHP's safe mode was created to try to solve the shared-server security problem. Architecturally, it makes no sense to try to solve this problem at the PHP layer, but because changing the web server and operating system layers is rarely realistic, many people, especially ISPs, currently use safe mode.

The following are the safe mode settings in php.ini:

safe_mode boolean

Whether to enable PHP’s safe mode.

safe_mode_gid boolean

By default, safe mode does a UID comparison check when opening a file. If you want to relax it to a GID comparison, turn on safe_mode_gid. The setting selects whether the file access check uses the UID (FALSE) or the GID (TRUE).

safe_mode_include_dir string

Bypass UID/GID checks when including files from this directory and its subdirectories (directories must be in include_path or included with full paths).

Starting from PHP 4.2.0, this directive can accept paths separated by colons (semicolons on Windows) in a similar style to the include_path directive, instead of just a directory. The specified limit is actually a prefix, not a directory name. This means that "safe_mode_include_dir = /dir/incl" will allow access to "/dir/include" and "/dir/incls" if they exist. If you wish to restrict access to a specific directory, add a trailing slash, for example: "safe_mode_include_dir = /dir/incl/". If the value of this directive is empty, files with different UID/GID in PHP 4.2.3 and onward will not be included. In earlier versions, all files could be included.
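The prefix behaviour described above, as an added example that is not part of the original article. It models the comparison as a plain string-prefix test; includeDirAllows() and the sample paths are hypothetical, and this is not PHP's internal code.

```php
<?php
// Model of the safe_mode_include_dir prefix comparison (illustration only).
// includeDirAllows() is a hypothetical helper, not a PHP built-in.

/**
 * @param string $setting value of safe_mode_include_dir; may hold several
 *                        prefixes separated by PATH_SEPARATOR (':' or ';')
 * @param string $path    absolute path of the file being included
 */
function includeDirAllows(string $setting, string $path): bool
{
    if ($setting === '') {
        return false; // empty value: no location bypasses the UID/GID check
    }
    foreach (explode(PATH_SEPARATOR, $setting) as $prefix) {
        // Plain string-prefix test: no directory boundary is enforced.
        if ($prefix !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample paths.
$paths = [
    '/dir/incl/db.php',
    '/dir/include/db.php',
    '/dir/incls/db.php',
    '/dir/other/db.php',
];

// The same directive without and with the trailing slash.
foreach (['/dir/incl', '/dir/incl/'] as $setting) {
    echo "safe_mode_include_dir = {$setting}\n";
    foreach ($paths as $path) {
        $result = includeDirAllows($setting, $path) ? 'bypasses UID/GID check' : 'checked';
        printf("  %-22s %s\n", $path, $result);
    }
}
```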

safe_mode_exec_dir string

If PHP uses safe mode, system() and the other program execution functions will refuse to start programs that are not in this directory. The path must use / as the directory separator on all platforms, including Windows.

safe_mode_allowed_env_vars string

Setting certain environment variables may be a potential security gap. This directive contains a comma separated list of prefixes. In safe mode, users can only change environment variables whose names have the prefix provided here. By default, users can only set environment variables starting with PHP_ (e.g. PHP_FOO = BAR).

Note:

If this directive is empty, PHP will allow the user to modify any environment variable!

safe_mode_protected_env_vars string

This directive contains a comma-separated list of environment variables that end users cannot change with putenv(). These variables cannot be changed even when safe_mode_allowed_env_vars is set to allow modifying them.
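How the two environment-variable directives combine, as an added example that is not part of the original article. putenvAllowed() is a hypothetical model of the decision, not PHP's internal code; the variable names and settings are constructed samples, and trimming whitespace around list items is an assumption of the model.

```php
<?php
// Model of the putenv() decision under safe mode (illustration only).
// putenvAllowed() is a hypothetical helper, not a PHP built-in.

function putenvAllowed(string $name, string $allowedPrefixes, string $protected): bool
{
    // Split a comma-separated directive value into non-empty items.
    $split = static function (string $csv): array {
        return array_values(array_filter(array_map('trim', explode(',', $csv)), 'strlen'));
    };

    // Protected names are refused first, whatever the allow-list says.
    if (in_array($name, $split($protected), true)) {
        return false;
    }

    $prefixes = $split($allowedPrefixes);
    if ($prefixes === []) {
        return true; // empty directive: any variable may be modified
    }
    foreach ($prefixes as $prefix) {
        if (strncmp($name, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed samples: [variable, safe_mode_allowed_env_vars, safe_mode_protected_env_vars]
$cases = [
    ['PHP_FOO',         'PHP_',     'LD_LIBRARY_PATH'],
    ['PATH',            'PHP_',     'LD_LIBRARY_PATH'],
    ['LD_LIBRARY_PATH', 'PHP_,LD_', 'LD_LIBRARY_PATH'], // prefix allowed, name still protected
    ['PATH',            '',         'LD_LIBRARY_PATH'], // empty allow-list
];

foreach ($cases as [$name, $allowed, $protected]) {
    $verdict = putenvAllowed($name, $allowed, $protected) ? 'may be set' : 'refused';
    printf("%-16s allowed='%s' => %s\n", $name, $allowed, $verdict);
}
```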

When safe_mode is set to on, PHP checks whether the owner of the current script matches the owner of the file to be operated on by a file function, or the owner of that file's directory. For example:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd

Run script.php

<?php
readfile('/etc/passwd');
?>

If safe mode is activated, this will result in the following error:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

At the same time, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is controlled with the safe_mode_gid option. If set to On, a relaxed GID check is performed; when set to Off (the default), a UID check is performed.

Apart from safe_mode, if the open_basedir option is set, all file operations are restricted to the specified directory. For example:

<Directory /docroot>
  php_admin_value open_basedir /docroot
</Directory>

If you run the same script.php after setting the open_basedir option, the result will be:

Warning: open_basedir restriction in effect. File is in wrong directory in
/docroot/script.php on line 2

You can also disable individual functions. Note that the disable_functions option cannot be used outside the php.ini file, which means functions cannot be disabled per virtual host or per directory in the httpd.conf file. If you add the following to the php.ini file:

disable_functions = readfile,system

you will get the following output:

Warning: readfile() has been disabled for security reasons in
/docroot/script.php on line 2

WARNING
Of course, these PHP restrictions do not apply to executable files.
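A runtime check of the restrictions discussed above, as an added example that is not part of the original article. restrictionReport() is a hypothetical helper that reads the effective values with ini_get(). Safe mode was removed in PHP 5.4.0, so on current versions the safe_mode line reports the directive as unavailable and only open_basedir and disable_functions remain to verify.

```php
<?php
// Reports how the running PHP is actually restricted (added example).
// restrictionReport() is a hypothetical helper, not a PHP built-in.

function restrictionReport(array $mustBeDisabled): array
{
    $report = [];

    // ini_get() returns false for a directive this PHP build does not know.
    $safeMode = ini_get('safe_mode');
    if ($safeMode === false) {
        $report['safe_mode'] = 'directive not available';
    } else {
        $report['safe_mode'] = $safeMode ? 'On' : 'Off';
    }

    $baseDir = (string) ini_get('open_basedir');
    $report['open_basedir'] = $baseDir === '' ? 'NOT SET' : $baseDir;

    // Read the configured list itself rather than probing each function.
    $raw = (string) ini_get('disable_functions');
    $disabled = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    foreach ($mustBeDisabled as $fn) {
        $state = in_array($fn, $disabled, true) ? 'disabled' : 'ENABLED';
        $report["disable_functions:{$fn}"] = $state;
    }

    return $report;
}

// The two functions the article disables in its php.ini example.
foreach (restrictionReport(['readfile', 'system']) as $item => $state) {
    printf("%-28s %s\n", $item, $state);
}
```

Run it through the same SAPI and virtual host as the application, since the command-line php.ini often differs from the web server's.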

