欢迎各位兄弟 发布技术文章

这里的技术是共享的

You are here

php 安全模式

shiping1 的头像
百度 或谷歌  "php 安全模式"  "php 安全模式设置"

php安全模式详细介绍

 

php安全模式:safe_mode=on|off
启用safe_mode指令将对在共享环境中使用PHP时可能有危险的语言特性有所限制。可以将safe_mode是指为布尔值on来启用,或者设置为 off禁用。它会比较执行脚本UID(用户ID)和脚本尝试访问的文件的UID,以此作为限制机制的基础。如果UID相同,则执行脚本;否则,脚本失败。
具体地,当启用安全模式时,一些限制将生效。
1、所有输入输出函数(例如fopen()、file()和require())的适用会受到限制,只能用于与调用这些函数的脚本有相同拥有者的文件。例如,假定启用了安全模式,如果Mary拥有的脚本调用fopen(),尝试打开由Jonhn拥有的一个文件,则将失败。但是,如果Mary不仅拥有调用 fopen()的脚本,还拥有fopen()所调用的文件,就会成功。
2、如果试图通过函数popen()、system()或exec()等执行脚本,只有当脚本位于safe_mode_exec_dir配置指令指定的目录才可能。
3、HTTP验证得到进一步加强,因为验证脚本用于者的UID划入验证领域范围内。此外,当启用安全模式时,不会设置PHP_AUTH。
4、如果适用MySQL数据库服务器,链接MySQL服务器所用的用户名必须与调用mysql_connect()的文件拥有者用户名相同。
安全模式和禁用的函数
下面是启用safe_mode指令时受影响的函数、变量及配置指令的完整列表:
apache_request_headers() backticks()和反引号操作符 chdir()
chgrp()     chmode()    chown()
copy()     dbase_open()    dbmopen()
dl()     exec()     filepro()
filepro_retrieve()   filepro_rowcount()   fopen()
header()    highlight_file()   ifx_*
ingres_*    link()     mail()
max_execution_time()   mkdir()     move_uploaded_file()
mysql_*     parse_ini_file()   passthru()
pg_lo_import()    popen()     posix_mkfifo()
putenv()    rename()    zmdir()
set_time_limit()   shell_exec()    show_source()
symlink()    system()    touch()

以下是一些和安全模式相关的配置选项
safe_mode_gid=on|off
次指令会修改安全模式的行为,即从执行前验证UID改为验证组ID。例如,如果Mary和John处于相同的用户组,则Mary的脚本可以对John的文件调用fopen()。
safe_mode_include_dir=string
可以使用指令safe_mode_include_dir指示多个路径,启用安全模式时在这些路径中将忽略安全模式。例如,你可以使用此函数指定一个包含不同模板的目录,致谢模板可能会继成到一些用户网站。可以指定多个目录,在基于UNIX的系统各目录用冒号分隔,在Windows中用分号分隔。
注意,如果指定某个路径但未包含最后的斜线,则该路径下的所有目录都会忽略安全模式设置。例如,如果设置次指令为/home /configuration,表示/home/configuration/templates/和/home/configureation /passwords都排除在安全模式限制之外。因此,如果只是要排除一个目录或一组目录不受安全模式设置的限制,要确保每个目录都包括最后的斜线。
safe_mode_env_vars=string
当启用安全模式时,可以只用次指令允许执行用户的脚本修改某些环境变量。可以允许修改多个变量,每个变量之间用逗号分隔。
safe_mode_exec_dir=string
次指令指定一些目录,其中的系统程序可以通过诸如system()、exec()或passthru()等函数执行。为此必须启用安全模式。此指令有一个奇怪的地方,在所有操作系统中(包括Windows),都必须使用斜线(/)作为目录的分隔符。
safe_mode_protected_env_vars=string
此指令保护某些环境变量不能被putenv()函数修改。默认情况下,变量LD_LIBRARY_PATH是受保护的,因为如果在运行时修改这个变量可能导致不可预知的结果。关于此环境变量的更多信息,请参考搜索引擎或Linux手册。注意,本届中声明的所有便来弄个都覆盖 safe_mode_allowed_env_vars指令中声明的变量。

 

另外,由于启用了安全模式后,由于会对比文件的拥有者和文件的执行者是否是一个人,所以会减慢执行效率。

 

转自:http://hi.baidu.com/sjow001/blog/item/07f14997a2058e45d0135e7d.html

来自 http://www.cnblogs.com/samson/archive/2011/08/08/2130550.html


安全模式

Table of Contents

PHP 的安全模式是为了试图解决共享服务器(shared-server)安全问题而设立的。在结构上,试图在 PHP 层上解决这个问题是不合理的,但修改 web 服务器层和操作系统层显得非常不现实。因此许多人,特别是 ISP,目前使用安全模式。

Warning

本特性已自 PHP 5.3.0 起废弃并将自 PHP 5.4.0 起移除

 

Changelog for safe mode
版本说明
5.4.0Removed from PHP, and generates a fatal E_CORE_ERROR level error when enabled.
5.3.0Deprecated, and E_DEPRECATED errors were added.
add a note add a note

User Contributed Notes 13 notes

jo at durchholz dot org ¶
9 years ago
Note that safe mode is largely useless. Most ISPs that offer Perl also offer other scripting languages (mostly Perl), and these other languages don't have the equivalent of PHP.
In other words, if PHP's safe mode won't allow vandals into your web presence, they will simply use Perl.
Also, safe mode prevents scripts from creating and using directories (because they will be owned by the WWW server, not by the user who uploaded the PHP script). So it's not only useless, it's also a hindrance.
The only realistic option is to bugger the Apache folks until they run all scripts as the user who's responsible for a given virtualhost or directory.
martin at example dot com ¶
9 years ago
On the note of php security 

have a look at: http://www.suphp.org/Home.html

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.
info at phpcoding dot net ¶
12 years ago
readfile() seems not always to take care of the safe_mode setting.
When the file you want to read with readfile() resides in the same directory as the script itself, it doesn`t matter who the owner of the file is, readfile() will work.
zebz at ihaveenoughspam_hotmail dot com ¶
13 years ago
All the filesystem-related functions (unlink, fopen, unlink, etc) seems to be restricted the same way in safe mode, at least on PHP 4.2. If the file UID is different *but* the directory (where the file is located) UID is the same, it will work.

So creating a directory in safe mode is usually a bad idea since the UID will be different from the script (it will be the apache UID) so it won't be possible to do anything with the files created on this directory.
Russ ¶
10 years ago
Sometimes you're stuck on a system you don't run and you can't control the setting of safe mode.  If your script needs to run on different hosts (some with safe mode, some without it), you can code around it with something like:

<?php 
// Check for safe mode
if( ini_get('safe_mode') ){
    
// Do it the safe mode way
}else{
    
// Do it the regular way
}

?>
gtg782a at mail dot gatech dot edu ¶
12 years ago
zebz: The user would not be able to create a directory outside the namespace where he/she would be able to modify its contents. One can't create a directory that becomes apache-owned unless one owns the parent directory.

Another security risk: since files created by apache are owned by apache, a user could call the fputs function and output PHP code to a newly-created file with a .php extension, thus creating an apache-owned PHP script on the server. Executing that apache-owned script would allow the script to work with files in the apache user's namespace, such as logs. A solution would be to force PHP-created files to be owned by the same owner/group as the script that created them. Using open_basedir would be a likely workaround to prevent ascension into uncontrolled areas.
devik at cdi dot cz ¶
13 years ago
Just to note, I created patch which allows VirtualHost to set User under which all (PHP too) runs. It is more secure than safe_mode. See luxik.cdi.cz/~devik/apache/ if you are interested
jedi at tstonramp dot com ¶
13 years ago
Many filesystem-related functions are not appropriately restricted when Safe Mode is activated on an NT server it seems.  I would assume that this is due to the filesystem not making use of UID. 

In all of my scripts, no matter WHO owns the script (file Ownership-wise) or WHO owns the directory/file in question; both UIDs display 

(getmyuid() and fileowner()) as UID = 0 

This has the rather nasty side effect of Safe Mode allowing multiple filesystem operations because it believes the script owner and file/dir owner are one and the same. 

While this can be worked around by the judicious application of proper filesystem privileges, it's still a "dud" that many of Safe Mode's securities are simply not there with an NT implementation.
bertrand dot gorge at epistema dot com ¶
10 years ago
Beware that when in safe mode, mkdir creates folders with apache's UID, though the files you create in them are of your script's UID (usually the same as your FTP uid).

What this means is that if you create a folder, you won't be able to remove it, nor to remove any of the files you've created in it (because those operations require the UID to be the same).

Ideally mkdir should create the folder with the script's UID, but this has already been discussed and will not be fixed in the near future. 

In the meantime, I would advice NOT to user mkdir in safe mode, as you may end up with folders you can't remove/use.
Anonymous ¶
8 years ago
Each IIS server in Windows runs as a User so it does have a UID file ACLs can be applied via a Group (GID) or User.  The trick is to configure each website to run as a distinct user instead of the default of System.
Anonymous ¶
10 years ago
To separate distinct open_basedir use : instead of on , or ; on unix machines.
plyrvt at mail dot ru ¶
10 years ago
[In reply to jedi at tstonramp dot com]
Safe mode is used "since the alternatives at the web server and OS levels aren't very realistic". Manual says about UNIX OS level and UNIX web-servers by design (Apache). It's not realistic for unix-like server, but for NT (IIS) each virtual host can run from different user account, so there is no need in Safe Mode restrictions at all, if proper NTFS rights are set.
daniel dot gaddis at tlc dot state dot tx dot us ¶
11 years ago
on windows if multiple directories are wanted for safe_mode_exec_dir and open_basedir be sure to separate the paths with a semi colon and double quote the whole path string. For example:

safe_mode = On
safe_mode_exec_dir = "F:\WWW\HTML;F:\batfiles\batch"
open_basedir = "F:\WWW\HTML;F:\batfiles\batch"
来自 http://php.net/manual/zh/features.safe-mode.php
普通分类: