PHP Security on Server

Am setting up a VPS for one of my clients, and wondering about “security” and “PHP”…

I know that for MySQL, the manual gives lots of tips on things to do to make things more secure. For example, MySQL recommends that you never run mysqld as the Linux Root user.

Does a similar concept exist for PHP?

In addition, are there any other obvious things that need to be modified on the server to make sure that PHP is running securely?

I guess I never really thought about any of this as a developer until now!

Thanks.

What user PHP is running as is important. FastCGI allows you to run each website under a different user, which obviously is beneficial on shared hosts as Apache/PHP must have access to user1 and user2’s files in order to serve them… so in this set up if httpd is running as a single user then user1 can access user2’s files via PHP.

This is on a VPS - not shared hosting…

The most important things that spring to mind:

  1. Don’t run PHP as root, that’s just a Bad Idea ™
  2. Make sure display_errors is off
  3. Set error_reporting to a reasonable level (the level suggested in php.ini for production is fine)
  4. Make sure register_globals is off
  5. Make sure safe_mode is off (it sucks anyway)
  6. Never allow uploads to a directory that is publicly available (via HTTP or otherwise)
  7. Never allow uploaded files to be executed in any way
  8. Make sure you filter all input and escape all output
  9. Use prepared queries for databases, forget about mysqli_real_escape string and similar
  10. Install Suhosin https://suhosin.org/stories/index.html
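An added example (not posted in the thread) that checks the running interpreter against points 1 to 5 of the list above; it assumes only standard PHP functions and skips the root check when the posix extension is not loaded:

```php
<?php
// Added example (not from the thread): audit the php.ini points from the checklist above
// against the running interpreter. Run it through the same SAPI the site uses (web server
// or php-fpm); the CLI reads a different php.ini and reports different values.

// ini_get() reports boolean directives as "1"/"On" or "0"/"Off"/""; normalise that.
function iniIsOn(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'yes', 'true', 'stdout', 'stderr'], true);
}

// Returns a list of findings; an empty list means every check passed.
function auditPhpConfig(string $documentRoot): array
{
    $findings = [];
    // 1. Don't run PHP as root (skipped when the posix extension is not loaded).
    if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
        $findings[] = 'PHP is running as root (uid 0)';
    }
    // 2. display_errors must be off in production.
    if (iniIsOn((string) ini_get('display_errors'))) {
        $findings[] = 'display_errors is on; error messages will be shown to visitors';
    }
    // 3. A non-zero error_reporting level, with errors written to a log outside the web root.
    if (error_reporting() === 0) {
        $findings[] = 'error_reporting is 0; nothing will be logged';
    }
    if (!iniIsOn((string) ini_get('log_errors'))) {
        $findings[] = 'log_errors is off';
    }
    $log = (string) ini_get('error_log');
    if ($log === '') {
        $findings[] = 'error_log is unset; errors go to the SAPI default (usually the web server log)';
    } elseif (strpos($log, rtrim($documentRoot, '/') . '/') === 0) {
        $findings[] = "error_log ($log) is inside the document root and may be downloadable";
    }
    // 4 and 5. register_globals and safe_mode: ini_get() returns false on PHP 5.4+, where they no longer exist.
    foreach (['register_globals', 'safe_mode'] as $directive) {
        $value = ini_get($directive);
        if ($value !== false && iniIsOn((string) $value)) {
            $findings[] = "$directive is on";
        }
    }
    return $findings;
}

// $_SERVER['DOCUMENT_ROOT'] is set by the web SAPI; fall back to the working directory on the CLI.
$report = auditPhpConfig($_SERVER['DOCUMENT_ROOT'] ?? getcwd()) ?: ['All checks passed'];
foreach ($report as $line) {
    echo $line, PHP_EOL;
}
```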

Can you help me understand what that means?

Do you mean, “Don’t run PHP on a Linux-Root account.”??

Or do you mean, “Don’t run as PHP-Root on a Linux server.”??

Should I log errors, and if so, where should they go on my VPS? (Maybe outside of Web Root but still in my VPS’s Home Directory?)

What are the levels?

Check.

Okay.

You got me on this one!

My website allows people to upload thumbnails similar to SitePoint, and I have a directory called “uploads” in my Web Root.

Now, I stand behind my “upload.php” script 110% as far as security goes, but am I still doomed?

To make such a change now would be an enormous amount of work and require the rewriting of a couple thousand lines of code… :frowning:

How do I do that?

Check.

Check.

That’s new to me!

Thanks for all of the tips! :thumbsup:

  1. Yes, I mean Don’t run PHP on a Linux-Root account.

  2. Yes, log them to a file in /var/log/php somewhere

  3. Here ya go: http://php.net/manual/en/errorfunc.constants.php

  4. Mostly depends on whether you are the only one uploading or if others can upload as well. If others can upload I would definitely spend some time here to make sure it’s air tight. Check the file that it doesn’t contain PHP (not just by checking the extension, but by checking the mime type as well), open uploaded images and save them again with GD to make sure any and all crap that was in the file is stripped, etc.

  5. Same points as above in 6 basically
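An added example (not posted in the thread) of the checks described in point 4: sniff the real MIME type with finfo, confirm the file decodes as an image, and re-encode it with GD so that only pixel data reaches disk. It assumes the GD and fileinfo extensions are installed; the form field name `thumbnail` and the destination directory are placeholders.

```php
<?php
// Added example (not from the thread): validate and sanitise an uploaded image.
// Assumes the GD and fileinfo extensions are available.

// MIME types we accept, mapped to the GD loader, the GD encoder and the extension we assign.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    'image/png'  => ['imagecreatefrompng',  'imagepng',  'png'],
    'image/gif'  => ['imagecreatefromgif',  'imagegif',  'gif'],
];

// Returns the path of the re-encoded copy, or throws on any failure.
function storeUploadedImage(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    // Only accept files that really arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Content sniffing reads the magic bytes and ignores the client-supplied name and type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("Rejected MIME type $mime");
    }
    // getimagesize() must agree with finfo and refuses anything it cannot parse as an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }
    [$load, $save, $ext] = ALLOWED_IMAGE_TYPES[$mime];
    $img = @$load($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    if ($mime === 'image/png') {
        imagesavealpha($img, true); // keep PNG transparency through the re-encode
    }
    // Fresh random name: never reuse the client's filename, and we choose the extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Re-encoding writes a new file that contains only what GD rendered, nothing appended or embedded.
    if (!$save($img, $dest)) {
        throw new RuntimeException('Could not write sanitised image');
    }
    imagedestroy($img);
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage from an upload handler (field name and directory are placeholders):
// $saved = storeUploadedImage($_FILES['thumbnail'], '/home/site/uploads');
```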

Okay, gotcha.

BTW, is there such a thing as “PHP Root”? In other words, does PHP have user-types?

For example, MySQL has user-types, and there you would not only not want to run MySQL under Linux-Root, but you would also want to make sure that scripts connecting to the database always connect using a non MySQL-Root user.

Since I don’t have Root access on my VPS, I don’t think I could get to that location.

Could I instead log things to somewhere in my Home Directory, but yet outside of the Web Root?

Thanks.

Yeah, well my upload script is like 1,500 lines long and does about 15 checks. In fact, I don’t think there is any physical way to check any more than I have, because I have exhausted every PHP option in the Manual there is!!

In an ideal world I would have made it so people uploaded outside of the Web Root, but back when I wrote my upload script, I didn’t really know much about doing things outside of the Web Root.

That being said, for my next version, I will try and make those changes.

In the mean time, could you help me better understand how that would work?

Let’s say you created a profile on my client’s website and wanted to upload your picture/thumbnail. And my upload script still did all of its checks but this time saved it to the “outside_of_web-root” directory.

How would my web pages and scripts inside the Web Root access your newly uploaded picture outside of the Web Root?

Thanks!

No, there is no such thing in PHP.

Sure, that’s a good alternative :smile:

Via a PHP script in your webroot that opens and streams the image to the user. There are pros and cons here, and it’s a very complicated and exhaustive topic that deserves its own topic where multiple people can chime in (hint hint ;))
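An added example (not posted in the thread) of the streaming script described above. It assumes the sanitised uploads live in `/home/site/uploads` (a placeholder directory outside the document root) and are named as 32 hex digits plus a known image extension, so the file name from the query string can be validated strictly before anything is opened.

```php
<?php
// Added example (not from the thread): image.php streams an upload stored outside the web root.
// UPLOAD_DIR is a placeholder; the file-name pattern matches names produced by a re-encoding upload step.

const UPLOAD_DIR = '/home/site/uploads';
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Resolve a user-supplied name to a path inside UPLOAD_DIR, or return null if it is not acceptable.
function resolveUploadPath(string $name): ?string
{
    // Only names of the form <32 hex digits>.<ext> are accepted: no slashes, "..", or NUL bytes can pass.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() follows symlinks, so confirm the resolved file is still under the upload directory.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

function sendImage(string $name): void
{
    $path = resolveUploadPath($name);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    $ext = pathinfo($path, PATHINFO_EXTENSION);
    // The content type comes from our own whitelist; nosniff stops browsers from second-guessing it.
    header('Content-Type: ' . ALLOWED_EXT[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: public, max-age=86400');
    readfile($path);
    exit;
}

// Pages reference the image as /image.php?f=<stored name>, for example:
// <img src="/image.php?f=<?= htmlspecialchars($storedName) ?>">
sendImage((string) ($_GET['f'] ?? ''));
```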

Oh, okay, I can do that! :wink:

Thanks for the help making my PHP installation more secure!

(I may be back with other questions, but think I’m good for now!)
