> ----- Original Message -----
> From: "Roman Medina" <[EMAIL PROTECTED]>
> Newsgroups: php.general
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, August 30, 2003 1:45 AM
> Subject: Hardening php.ini for an ISP environment
>
>
> Hi,
>
> I'm looking for good and complete documentation about hardening a PHP
> box which is going to be used to offer hosting services. The machine
> will have Apache + PHP with VirtualDomains. Assuming Apache config is
> secure, which aspects would be affected by the activation of the php
> module?

Use php over cgi and try a sbox/suexec wrapper to create a secure environment.

> I'd like to have a look at a complete php.ini checklist. I've been
> doing some basic research and I found some useful tips:
> - safe_mode on (solves remote execution of arbitrary code)
> - open_basedir "./" (solves browsing HD' server problem)

Safe_mode on makes an http file upload for users impossible when using php as a module. So most php based apps like galleries, cms can't run in your environment.

> - some limits like memory or CPU time used by a given php script
> - disable fsockopen and pfsockopen (solves the problem in launching a
> connect to remote hosts from the PHP/web server).

Use a firewall or something like iptables to make outgoing connections forbidden. Use ulimits or other job restriction to set runtime limits for the cgi processes.

> Regarding last point, is there any php.ini option to disable ALL (at
> the same time) PHP dangerous network commands such as fsockopen?
>
> Any more clues?

Learn more about your given webserver. All these problems are not generated by php. You'll have the same problems when running perl, python as a module because all these are running under the rights of the webserver user.

regards Joerg

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
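The checklist items named in the thread (safe_mode, open_basedir, memory and time limits, fsockopen/pfsockopen), turned into an audit of a php.ini file. This is an added example, not part of the original messages; it relies on the `disable_functions` directive, which takes a comma-separated list, and on the `memory_limit` and `max_execution_time` directives. The function names, the two sample files and the choice to report an absent directive as a finding are assumptions of this example.

```python
import re

# Matches `name = value` or `name = "value"`; ';' starts a comment in php.ini.
DIRECTIVE = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')
NETWORK_FUNCS = {"fsockopen", "pfsockopen"}  # the two functions named in the thread

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            settings[m.group(1).lower()] = value.strip()
    return settings

def is_on(value):
    return value.lower() in {"1", "on", "yes", "true"}

def audit(text):
    """Return the sorted list of checklist directives that are missing or weak."""
    s = parse_ini(text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    checks = {
        "safe_mode": is_on(s.get("safe_mode", "off")),
        "open_basedir": bool(s.get("open_basedir", "")),
        # -1 means no memory limit, 0 means no time limit; absent is reported too
        "memory_limit": s.get("memory_limit", "-1") != "-1",
        "max_execution_time": s.get("max_execution_time", "0") != "0",
        "disable_functions": NETWORK_FUNCS <= disabled,
    }
    return sorted(name for name, ok in checks.items() if not ok)

# Constructed sample files, not taken from the thread.
WEAK = """
[PHP]
; safe_mode = On   (commented out, so not in effect)
safe_mode = Off
memory_limit = -1
max_execution_time = 30
disable_functions = fsockopen
"""
HARDENED = """
safe_mode = On
open_basedir = "/home/example/htdocs/"
memory_limit = 8M
max_execution_time = 30   ; seconds
disable_functions = fsockopen, pfsockopen
"""
```

`audit(WEAK)` reports four directives and `audit(HARDENED)` reports none. A php.ini check of this kind covers only the interpreter's own settings; the outgoing-connection and per-process limits the reply assigns to the firewall and to ulimits are outside what it can see.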