OpenBSD Journal

PHP Security Tips

Contributed by jose on from the protect-yourself-and-your-server dept.

OnLamp recently ran a two-part series on PHP security. Since PHP gives developers so much control over web content, a few bugs in that code can expose the server; however, it's relatively easy to secure your system with well-known ideas. The first part of the series was released in late March, and the second part was published about a week ago. Well worth checking out for PHP developers. No sense compromising your OpenBSD server with poor PHP code.



Comments
  1. By Anonymous Coward () on

    Well, ehm, somewhat off topic maybe, but I kind of need a way to chroot PHP so my users won't write PHP code which browses the filesystem... Right now they can read system files and other users' PHP code... Is there a simple way to lock PHP to their home dirs?

    Regards
    Pontus

    Comments
    1. By toxic () on

      save_mode = 1

      Comments
      1. By toxic () on

        Oops:
        safe_mode = On

    2. By Anonymous Coward () on

      open_basedir

      for example, in each vhost definition, i enter

      php_admin_value open_basedir "/home/userhome:/www/userweb"

      I also set a few other things ... I turn on safe mode, set safe_mode_exec_dir, and doc_root

      Comments
      1. By mdr () on

        and don't forget to put /tmp in there :) if you want your users to be able to upload files

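As an added illustration of the per-vhost settings the commenters above describe (open_basedir with /tmp included, safe_mode, safe_mode_exec_dir, doc_root), here is what such a mod_php vhost block looks like in httpd.conf. This is example configuration written for this page, not a commenter's own config; the host name, user name and paths are made up. Two caveats worth knowing: an open_basedir entry without a trailing slash is matched as a prefix (so "/home/user1" would also admit "/home/user10"), which is why every entry below ends in "/"; and safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on a modern PHP only open_basedir (plus disable_functions and a per-user uid, as Lennie suggests below) is available.

```apache
# Added example: confining one customer's PHP to their own trees (made-up names).
<VirtualHost *:80>
    ServerName   user1.example.com
    DocumentRoot /www/user1

    # PHP file functions (fopen, include, file_get_contents, opendir, ...) may only
    # touch these trees. Entries are colon-separated. Trailing slashes matter:
    # without them each entry is a string prefix, not a directory.
    # /tmp/ is listed because upload_tmp_dir defaults there; omit it and
    # move_uploaded_file() can no longer read the temporary upload.
    php_admin_value open_basedir "/home/user1/:/www/user1/:/tmp/"

    # Only PHP's own file functions honour open_basedir. Programs started with
    # exec()/system()/passthru() are not bound by it, so with safe_mode on,
    # restrict what may be executed to a directory you control.
    php_admin_flag  safe_mode          On
    php_admin_value safe_mode_exec_dir "/usr/local/lib/php/safe-bin"

    # With safe_mode on, PHP refuses to serve scripts outside doc_root.
    php_admin_value doc_root "/www/user1"

    # php_admin_value / php_admin_flag cannot be overridden by .htaccess
    # or ini_set() from user code, unlike php_value / php_flag.
</VirtualHost>
```

Check the result from the user's own vhost rather than trusting the config: a one-line script calling file_get_contents("/etc/passwd") should fail with an open_basedir restriction warning, and one that reads a file under /www/user1/ should still succeed. Note that all vhosts still run as the same httpd uid, so this confines PHP's file API only; anything that escapes PHP (a CGI, an exec'd binary) sees the filesystem with that shared uid, which is the gap the per-user uid approach addresses.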
  2. By Lennie (leen@wirehub.nl) on

    http://httpd.apache.org/docs-2.0/mod/perchild.html
    http://home.wirehub.nl/~leen/apache/

    Because if the webserver process has the uid/gid of the user, no more worries... no more nobody/www-data crap.

    After all, the ftp server changes the uid/gid, why not something as important as the webserver...?
