Security and safemode
Posted by jill (jill), 13 June 2007
This is a general question about the use of safe mode.
We first tried safe mode on, but found that scripts which copied or created a file on the server did not work because the script was not the owner of the relevant folders.
We have now turned safe mode off but safe mode gid on, and also made the relevant folders owned by a group, say thisgroup, and then made httpd a member of thisgroup. This seems to be working - so far so great.
I just wondered what others were doing and whether there is a common way of dealing with this, and if so what it is.
Posted by admin (Graham Ellis), 13 June 2007
Are the scripts you are running your own scripts / scripts written by your trusted team, or are they written by untrusted users?
Posted by jill (jill), 13 June 2007
Scripts written by a trusted team.
Posted by admin (Graham Ellis), 14 June 2007
OK, Jill ...
Safe mode is being removed in the next major release of PHP, so it's not a good idea to start relying on it at this stage. The manual states that it is "architecturally incorrect" to have / use it and, indeed, code and directory safety should be dealt with at OS and user level and not by PHP, so all it's ever really been able to do is to provide some help in security, and it's not - and never could - plug all the gaps.
With a trusted team, the best bet is to set up the server without these modes, take care of uid and gid issues, letting access failures there "bounce" and give errors, and check web site user file name inputs to see if they've done anything really nasty (such as "../../../offlimits.txt") to go where they should not. A standard PHP function that everyone includes and uses - do you have a set of header functions on every single page (he asks hopefully) in which you could include this? - it works wonders for us!
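The file name check described above, written out as an added example (this is not code from the thread or from wellho.net). It assumes a fixed base directory under which user-named files are allowed to live; the directory and the sample inputs at the bottom are made up for illustration. Two cases are handled: a name that refers to an existing file (resolved with realpath() and confirmed to sit under the base) and a name for a file that is about to be created (where realpath() cannot help, so the name itself is restricted to a safe character set).

```php
<?php
// Added example, not part of the original post. $base and the sample
// names used below are assumptions for illustration only.

/**
 * Resolve a user-supplied name against $base for READING an existing file.
 * Returns the canonical absolute path, or null if the name is not acceptable.
 */
function safe_existing_path(string $base, string $userInput): ?string
{
    // NUL bytes truncate the path in the underlying C calls: reject outright.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // An empty name, an absolute path, or any ".." component is never a
    // legitimate choice for a file the visitor is supposed to pick.
    if ($userInput === '' || $userInput[0] === '/'
        || preg_match('#(^|/)\.\.(/|$)#', $userInput)) {
        return null;
    }
    $realBase = realpath($base);            // canonicalise symlinks, "." and ".."
    if ($realBase === false) {
        return null;                        // base directory must exist
    }
    $candidate = realpath($realBase . '/' . $userInput);
    if ($candidate === false) {
        return null;                        // missing, unreadable, or a dead symlink
    }
    // Compare against the base WITH a trailing slash, so that a sibling such
    // as /var/www/uploads2 is not mistaken for a child of /var/www/uploads.
    $prefix = rtrim($realBase, '/') . '/';
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the base
    }
    return $candidate;
}

/**
 * Build a path for CREATING a new file under $base. realpath() cannot check a
 * file that does not exist yet, so instead only allow a plain, short basename.
 */
function safe_new_path(string $base, string $userInput): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $userInput)
        || $userInput === '.' || $userInput === '..') {
        return null;                        // no separators, no leading dot, no ".."
    }
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }
    return rtrim($realBase, '/') . '/' . $userInput;
}

// Constructed demonstration inputs; the base directory is an assumption.
$base = '/var/www/uploads';
foreach (['report.txt', '../../../offlimits.txt', 'sub/../../etc/passwd',
          "evil\0.txt", '/etc/passwd'] as $name) {
    $ok = safe_existing_path($base, $name);
    printf("read  %-28s => %s\n", var_export($name, true), $ok === null ? 'REJECTED' : $ok);
}
foreach (['newfile.csv', '../escape.csv', '.htaccess', 'a/b.csv'] as $name) {
    $ok = safe_new_path($base, $name);
    printf("write %-28s => %s\n", var_export($name, true), $ok === null ? 'REJECTED' : $ok);
}
```

Put both functions in the header file that every page includes, and route every file name taken from the request through one of them before it reaches fopen(), copy(), include() or similar. The character-set rule in safe_new_path() is deliberately strict; loosen it only if you have a reason to allow other characters, and keep the ".." and separator exclusions whatever else you change.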
Posted by jill (jill), 14 June 2007
Graham, thanks for your advice. I understand the first paragraph, unfortunately, but not the second. This is probably because I do not know enough, or indeed anything much, about configuring the server.
How do we take care of uid and gid issues? How do we let access failures bounce and how do we let errors bounce, or do you mean access failures bounce and give error messages?
We do validate user inputs to prevent insertion attacks - I will check to see if ../ etc is covered.
The standard php function you mention - do you mean to validate user inputs as mentioned above? or something else?
Thanks for any further help
Posted by jill (jill), 14 June 2007
PS - and what would the advice be if the scripts were not written by a trusted team?
Posted by jill (jill), 14 June 2007
... and a further query regarding your ../../../offlimits.txt
We currently use three functions, strip_tags, stripslashes, and htmlentities - is this enough or do we need to do something further?
Thanks again for any further advice
Posted by admin (Graham Ellis), 15 June 2007
Have a look here for a quick summary of injection attack possibilities with PHP / things you need to consider if you're writing code that could have a potential hole. Bear in mind that my list may not be complete, and the functions you mention each - if used correctly - deal with a single possible attack type.
For non-trusted users, the approach would be to "sandbox" each, as far as possible, in their own area via user accounts and permissions.
Forgive the briefness of my answer this morning - just back in the country yesterday and on a time deadline for a heavy 1-day course today!