Hardening/PHP
php.ini
Some basic modifications to php.ini to harden a PHP installation. Use with care; different applications may need different settings.
; Be sure to add those trailing slashes to tighten the restriction!
; (without the slash, /var/www would also match /var/www2)
open_basedir = /usr/share/php/:/usr/share/phpmyadmin/:/var/www/

disable_functions = apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, chgrp, chown, closelog, debugger_off, debugger_on, define_sys, define_syslog_variables, disable_functions, diskfreespace, dl, escapeshellarg, escapeshellcmd, exec, fpaththru, getmypid, getmyuid, highlight_file, ignore_user_abord, ini_restore, leak, link, listen, openlog, passthru, pclose, pcntl_alarm, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, popen, posix, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, source, symlink, syslog, system, tmpfile, url_exec, virtual, xgetmypid, ini_set

; Note: a few entries in this widely copied list (e.g. ignore_user_abord, fpaththru) look like
; misspellings; PHP silently ignores names that are not functions, so they disable nothing.
; Note: A few functions have been left enabled, because certain software depends on them:
; get_loaded_extensions - piwik-svn/libs/upgradephp/upgrade.php on line 462
;   in_array() expects parameter 2 to be array, null given
;   in piwik-svn/libs/upgradephp/upgrade.php on line 462
;   http://stackoverflow.com/questions/8313247/in-array-giving-warning-message
; getenv - mediawiki-git/includes/WebStart.php on line 85
; putenv - mediawiki-git/LocalSettings.php on line 111
; getmypid - zenphoto/zp-core/functions-basic.php on line 1045
; phpversion - mediawiki-git/index.php on line 43
; php_uname - mediawiki-git/includes/GlobalFunctions.php on line 2455
; proc_open - pnp4nagios: Undefined variable: pipes, application/models/rrdtool.php [36]
; proc_close - pnp4nagios: proc_close() has been disabled for security reasons, application/models/rrdtool.php [52]
; phpinfo
; chmod, copy, mkdir, rename, rmdir, touch, unlink
; Note: getmypid, proc_open and proc_close appear in disable_functions above as well as in this
; list; remove them from disable_functions if the application named here needs them.
; See http://php-security-audit.com/script/view/

disable_classes = splfileobject
expose_php = Off
max_execution_time = 90
error_reporting = E_ALL | E_STRICT

; $ touch /var/log/misc/php.log
; $ chown www-data:www-data /var/log/misc/php.log
error_log = /var/log/misc/php.log

post_max_size = 32M
upload_tmp_dir = /var/lib/php5/
upload_max_filesize = 32M
allow_url_fopen = Off
date.timezone = "Europe/Berlin"

session.gc_probability = 1
; 604800 = 7d
; 86400 = 1d
; 1440 = 24min
session.gc_maxlifetime = 604800
Note:
- We disabled the ini_set() function; otherwise applications could call ini_set() at runtime to override globally set options such as memory limits or error reporting.
Suhosin
Some PHP distributions are patched with Suhosin. The Suhosin extension provides an advanced protection module for PHP 5; it can be configured via /etc/php5/conf.d/suhosin.ini:
extension=suhosin.so

; Note: when suhosin.simulation is activated, violations are only logged, not blocked,
; but transparent session encryption is still active.
;suhosin.simulation = off
;suhosin.session.encrypt = off

; Protect against filesystem traversals via ../../ in include paths
; (limits how often "../" may occur in an included filename)
suhosin.executor.include.max_traversal = 4

; May need to be left off for http://zenphoto.org/, which otherwise fails with:
;   PHP Fatal error: SUHOSIN - Use of eval is forbidden by configuration
;   in ../zenphoto/zp-core/functions-basic.php(107) : eval()'d code on line 107
;
; Disable eval()
suhosin.executor.disable_eval = on

; May need to be left off for http://zenphoto.org/, which otherwise fails with:
;   PHP Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration
;   in ../zenphoto/zp-core/lib-kses.php(87) : regexp code on line 87
;
; Disable the /e modifier in preg_replace()
suhosin.executor.disable_emodifier = on

; May be needed for wgResourceLoaderMaxQueryLength (MediaWiki)
suhosin.get.max_value_length = 1024
There are many other options; most of them can be left at their default values. YMMV.
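A hardened ini file only helps if it says what you think it says: a missing trailing slash in open_basedir, a misspelled name in disable_functions, or a simulation switch left on all fail silently. The following audit script is an added example (my code, not from the wiki page, PHP or Suhosin) that checks both the php.ini block and the Suhosin block above without needing a PHP interpreter. It assumes plain `key = value` ini text as shown on this page; the embedded sample files, the set of functions it insists on seeing disabled, and the suspected-typo table are constructed assumptions for the demonstration.

```python
"""Audit a php.ini and a suhosin.ini against the hardening settings described above.

Added example; parses the ini text directly so it can run as a pre-deployment
check or a CI lint on hosts without PHP installed.
"""
from collections import Counter

# Constructed sample: a trimmed php.ini with several deliberate weaknesses.
SAMPLE_PHP_INI = """\
; Be sure to add those trailing slashes to tighten the restriction!
open_basedir = /usr/share/php/:/var/www
disable_functions = exec, passthru, shell_exec, system, popen, proc_open, ini_set, ignore_user_abord, exec
expose_php = On
allow_url_fopen = Off
error_log = /var/log/misc/php.log
date.timezone = "Europe/Berlin" ; quoted value with trailing comment
"""

# Constructed sample: suhosin.ini with simulation mode accidentally switched on.
SAMPLE_SUHOSIN_INI = """\
extension=suhosin.so
suhosin.simulation = on
suhosin.executor.include.max_traversal = 4
suhosin.executor.disable_eval = on
"""

# Functions the policy requires in disable_functions (assumed minimum, not the full list).
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "popen", "proc_open", "ini_set"}

# Assumed: names seen in widely copied disable_functions lists that are not PHP
# functions, mapped to the spelling that was probably meant.
SUSPECTED_TYPOS = {"ignore_user_abord": "ignore_user_abort", "fpaththru": "fpassthru"}


def parse_ini(text):
    """Return {key: value} for `key = value` lines; blank lines, comments and
    section headers are skipped. A later duplicate key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"'):               # quoted value: keep up to the closing quote
            end = value.find('"', 1)
            value = value[1:end] if end > 0 else value[1:]
        else:                                   # unquoted: drop a trailing ; comment
            value = value.split(";", 1)[0].strip()
        settings[key] = value
    return settings


def ini_bool(value):
    """PHP's ini scanner treats 1/on/true/yes as true, everything else as false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def split_list(value, sep=","):
    return [item.strip() for item in value.split(sep) if item.strip()]


def audit_php_ini(text):
    """Return a list of human-readable findings for a php.ini; empty means clean."""
    cfg = parse_ini(text)
    findings = []
    # open_basedir is a prefix match: without the slash, /var/www also matches /var/www2.
    for path in split_list(cfg.get("open_basedir", ""), ":"):
        if not path.endswith("/"):
            findings.append(f"open_basedir: '{path}' lacks a trailing slash, so it also matches '{path}2'")
    for key in ("expose_php", "allow_url_fopen"):
        if ini_bool(cfg.get(key, "On")):        # PHP's built-in default for both is On
            findings.append(f"{key} is enabled; set it to Off")
    disabled = split_list(cfg.get("disable_functions", ""))
    for name, count in Counter(disabled).items():
        if count > 1:
            findings.append(f"disable_functions: '{name}' listed {count} times")
    for name in sorted(REQUIRED_DISABLED - set(disabled)):
        findings.append(f"disable_functions: '{name}' is still callable")
    for name in sorted(set(disabled) & set(SUSPECTED_TYPOS)):
        findings.append(f"disable_functions: '{name}' is not a PHP function "
                        f"(meant '{SUSPECTED_TYPOS[name]}'?); it disables nothing")
    if not cfg.get("error_log"):
        findings.append("error_log is unset; PHP errors go to the SAPI log or the client")
    return findings


def audit_suhosin_ini(text):
    """Return findings for a suhosin.ini; empty means clean."""
    cfg = parse_ini(text)
    findings = []
    if ini_bool(cfg.get("suhosin.simulation", "off")):
        findings.append("suhosin.simulation is on: violations are only logged, not blocked")
    if not ini_bool(cfg.get("suhosin.executor.disable_eval", "off")):
        findings.append("suhosin.executor.disable_eval is off")
    if "suhosin.executor.include.max_traversal" not in cfg:
        findings.append("suhosin.executor.include.max_traversal is unset (0 = check disabled)")
    return findings


if __name__ == "__main__":
    for label, result in (("php.ini", audit_php_ini(SAMPLE_PHP_INI)),
                          ("suhosin.ini", audit_suhosin_ini(SAMPLE_SUHOSIN_INI))):
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against the real files with `audit_php_ini(open("/etc/php5/apache2/php.ini").read())` and the matching suhosin.ini path; a non-empty result before a deploy is the signal to fix the file rather than to trust the comments in it. Extend REQUIRED_DISABLED with the full list from the page once the applications you host have been checked against it.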