章 25. 以 Apache 模块安装时

当 PHP 以 Apache 模块方式安装时,它将继承 Apache 用户(通常为“nobody”)的权限。这对安全和认证有一些影响。比如,如果用 PHP 来访问数据库,除非数据库有自己的访问控制,否则就要使“nobody”用户可以访问数据库。这意味着恶意的脚本在不用提供用户名和密码时就可能访问和修改数据库。一个 web Spider 也完全有可能偶然发现数据库的管理页面,并且删除所有的数据库。可以通过 Apache 认证来避免此问题,或者用 LDAP、.htaccess 等技术来设计自己的防问模型,并把这些代码作为 PHP 脚本的一部份。

通常,一但安全性达到可以使 PHP 用户(这里也就是 Apache 用户)承担的风险极小的程度时候,可能 PHP 已经到了阻止向用户目录写入任何文件或禁止访问和修改数据库的地步了。这就是说,无论是正常的文件还是非正常的文件,无论是正常的数据库事务来是恶意的请求,都会被拒之门外。

一个常犯的对安全性不利的错误就是让 Apache 拥有 root 权限,或者通过其它途径斌予 Apache 更强大的功能。

把 Apache 用户的权限提升为 root 是极度危险的做法,而且可能会危及到整个系统的安全。所以除非是安全专家,否则决不要考虑使用 su,chroot 或者以 root 权限运行。

除此之外还有一些比较简单的解决方案。比如说可以使用 open_basedir 来限制哪些目录可以被 PHP 使用。也可以设置 Apache 的专属区域,从而把所有的 web 活动都限制到非用户和非系统文件之中。


add a note add a note User Contributed Notes
Kibab
30-Sep-2005 09:56
I'm running Windows version of Apache with php as module. System is Windows XP Service Pack 2 on NTFS filesystem. To avoid potential security problems, I've set Apache to run under NT AUTHORITY\Network Service account, and there is only one directory, named Content, with Full Access for this account. Other directories are either not accessible at all or with readonly permissions (like %systemroot%)... So, even if Apache will be broken, nothing would happen to entire system, because that account doesn't have admin privilegies :)
tifkap
02-Mar-2004 07:21
There is a safe way to support a lot of users in a secure way, without having to use CGI, in a way which is probebly faster
than mod_php.

Use FastCGI, with the SuExecWrapper set to your suid wrapper. It means every user wil get his own program-group, with processes
which are being reused. If the numer of processes that is being
started on startup is 0, then the processgroup for a user will be generated when needed.

This means: The first page is slow, after that the Zend Engine  caching kicks in. When the load on the virtualhost reduces, the
processes wil die off, and extra processes for a user-process-group
will only be started when (again) needed.

Your apache will be a LOT! lichter, because it won't have to drag all
the php-memory overhead with it. This means static content is
faster, and the whole system uses less memory.
The PHP itself also won't need to drag along the apache overhead.

If for one reason or the other php craches, your apache will simple
start some new php-processes. If you want to upgrade/patch php,
you can simple create the new fastcgi binary, and after testing, you can simple update the system by copying it, and maybe doing a
'apachectl gracefull'

In short :  Sepparating distinct functions in different processes
               communicating useing IPC methodes can be very good
               for performance and security. The best example of this
               principle at work is Postfix, where every process runs
               chroot() under its own uid.

http://wiki.openisis.org/i/view/Php/HowtoFastCgi
Georgee at CWC
30-Apr-2003 09:16
Additional CAUTION to anyone trying Pollux's solution:
It's kind a good. Probably works right. I think I'll give it a try myself. BUT...
its safe ONLY on the assumption that apache is 100% CLEAN. (codes and confs.) Any flaws on apache, almost ANYTHING could happen to ALL users -precisely, web users. (Because apache is a member of ALL -again, web user's- GID.) So, leeps's hint should be one of the important things.

There is nothing close to perfect. What I wrote is just one thing you'll have to keep in mind. So, consider carefully BEFORE you try this solution. (Well, this applies to any other solutions though...)
leeps
10-Mar-2003 09:59
@pollux: additionally, tell your users to set their file-permissions to
- r-- (group) for files
- --x (group) for directories.

this disables the webserver to browse user's directory. if you don't know the filename, you cannot open it, e.g. by running malicious php-code through one of the users scripts.
daniel dot eckl at gmx dot de
08-Aug-2002 07:16
There is a better solution than starting every virtual host in a seperate instance, which is wasting ressources.

You can set open_basedir dynamically for every virtual host you have, so every PHP script on a virtual host is jailed to its document root.

Example:
<VirtualHost www.example.com>
  ServerName www.example.com
  DocumentRoot /www-home/example.com
[...]
  <Location />
   php_admin_value open_basedir    \ "/www-home/example.com/:/usr/lib/php/"
  </Location>
</VirtualHost>

If you set safe_mode on, then the script can only use binaries in given directories (make a special dir only with the binaries your customers may use).

Now no user of a virtual host can read/write/modify the data of another user on your machine.

Windseeker