PHP Safe Mode

Dec 07, 2009 Author: Developer

Safe Mode

PHP's Safe Mode attempts to provide a degree of basic security in a shared environment, where multiple user accounts exist on a PHP-enabled web server.

When a web server is running PHP in Safe Mode, some functions are disabled completely, and others are available with limited functionality.

Restrictions Enforced by Safe Mode

Functions that attempt to access the filesystem have restricted functionality in Safe Mode. The web server process runs under the same user ID for all web space accounts and must have the appropriate read or write permission to access a file. This is a requirement of the underlying operating system and has nothing to do with PHP itself.

When Safe Mode is enabled and an attempt is made to read or write a local file, PHP checks whether file ownership of the script is the same as that of the target file. If the owner differs, the operation is prohibited.


Write Permission
Although Safe Mode implements measures to prevent you from opening another user's files through PHP, the operating system's file permissions may still allow read or even write access to those files at a lower level. Be aware that a user who has shell access to the web server will be able to read any files that are accessible by the web server and write to any file that has global write permission.


The following core filesystem functions are restricted by this rule:

chdir
chgrp
chown
copy
fopen
highlight_file
include
link
mkdir
move_uploaded_file
parse_ini_file
rename
require
rmdir
show_source
symlink
touch
unlink


Functions that are part of PHP extensions that also access the filesystem are similarly affected.


Loadable Modules
The dl function is disabled in Safe Mode, regardless of the owner of the extension file. Extensions must be loaded into PHP at startup, using the extension directive in php.ini.


Functions that execute host programs are disabled unless they are run from the directory given in the safe_mode_exec_dir directive, which you will learn about in the next section. Even if execution is allowed, arguments to the commands are automatically passed to the escapeshellcmd function.

The following program execution functions are affected by this rule:

exec
shell_exec
passthru
system
popen

In addition, the backtick operator (`) is disabled.

The putenv function has no effect when run in Safe Mode, although no error is produced. Similarly, other functions that attempt to change the PHP environment, such as set_time_limit and set_include_path, are ignored.

Enabling Safe Mode

You turn Safe Mode on or off by using the safe_mode directive in php.ini. To activate Safe Mode for all users on a shared web server, you use the following directive:

safe_mode = On

As you learned in the previous section, functions that access the filesystem perform a check on the owner of the file. By default, the check is performed on the file owner's user ID, but you can relax this to check the owner's group ID (GID) instead by turning on the safe_mode_gid directive.

If you have shared library files on your system, you can use the safe_mode_include_dir directive to get a list of locations for which the UID/GID check will not be performed when an include or require statement is encountered.


Include Directories
If you want to list more than one location in the safe_mode_include_dir directive, separate them using colons on Linux/Unix or semicolons on Windows systems, just as you do with the include_path setting.


To allow inclusion of files in /usr/local/include/php for any user in Safe Mode, you would use the following directive:

safe_mode_include_dir = /usr/local/include/php
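The ownership rule from the filesystem section, together with the safe_mode_gid and safe_mode_include_dir relaxations described above, reproduced as an added userland PHP example (not code from the original article or from PHP itself). The function name safeModeAllows and its parameters are this example's own, and it leaves out the parent-directory check Safe Mode performed for files that do not exist yet.

```php
<?php
// Added example: a userland re-creation of the check Safe Mode applied before a
// script could read or write a file. It mirrors three settings from the text:
// safe_mode (compare file owner UIDs), safe_mode_gid (compare GIDs instead) and
// safe_mode_include_dir (directories exempt from the check for include/require).
// Function and parameter names are hypothetical, not PHP's own.

/**
 * Return true if $script may access $target under Safe-Mode-style rules.
 *
 * @param string   $script      path of the running script (e.g. __FILE__)
 * @param string   $target      path the script wants to open
 * @param bool     $useGid      emulate safe_mode_gid = On: compare group, not owner
 * @param string[] $includeDirs emulate safe_mode_include_dir: exempt path prefixes
 * @param bool     $isInclude   true for include/require; only then does the
 *                              include-directory exemption apply
 */
function safeModeAllows(string $script, string $target, bool $useGid = false,
                        array $includeDirs = [], bool $isInclude = false): bool
{
    $real = realpath($target);
    if ($real === false) {
        // Target does not exist: nothing to compare, so deny. (Real Safe Mode
        // checked the parent directory instead; that case is omitted here.)
        return false;
    }
    if ($isInclude) {
        foreach ($includeDirs as $dir) {
            $prefix = rtrim(realpath($dir) ?: $dir, '/') . '/';
            if (strncmp($real, $prefix, strlen($prefix)) === 0) {
                return true; // inside an exempt include directory: no UID/GID check
            }
        }
    }
    // Pick the identity to compare: owner UID by default, GID when emulating safe_mode_gid.
    $idOf = $useGid ? 'filegroup' : 'fileowner';
    $scriptId = $idOf($script);
    $targetId = $idOf($real);
    if ($scriptId === false || $targetId === false) {
        return false;
    }
    // The core rule: script and target must belong to the same UID (or GID).
    return $scriptId === $targetId;
}

// Constructed usage: a root-owned system file, the script itself, and a file
// under the exempt include directory configured above (if it exists).
var_dump(safeModeAllows(__FILE__, '/etc/passwd'));
var_dump(safeModeAllows(__FILE__, __FILE__));
var_dump(safeModeAllows(__FILE__, '/usr/local/include/php/lib.php', false,
                        ['/usr/local/include/php'], true));
```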

To provide a directory from which external programs can be executed, you use the safe_mode_exec_dir directive.

To allow programs in /usr/local/php-bin to be executed in Safe Mode, you would use the following directive:

safe_mode_exec_dir = /usr/local/php-bin


Executables
Rather than allow execution of all programs from /usr/bin or some other system location, you should create a new directory and copy or link only selected binaries into it.


To allow setting of certain environment variables, you use the safe_mode_allowed_env_vars directive. The value given is a prefix, and by default it allows only environment variables that begin with PHP_ to be changed. If more than one value is given, the list should be separated by commas.

The following directive also allows the time zone environment variable, TZ, to be changed:

safe_mode_allowed_env_vars = PHP_,TZ
