php-windows Digest 21 Jul 2005 17:15:34 -0000 Issue 2733
Topics (messages 26216 through 26218):
Secure setup of PHP5 on XP using IIS5.1 and MySQL
26216 by: Luke Maslany
26217 by: Luke Maslany
My variable is not working when I echo it....
26218 by: Afolabi Richard
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Hello all,
I'm trying to ascertain the best way to securely configure PHP5 (the
no-installer version) on Windows XP (with SP2) for use with IIS and
MySQL.
Does anyone have a list of the least NTFS privileges needed for the PHP
install when used with IIS?
At present I have created two additional partitions, one for the
programs
the other for data.
PHP Setup
-----------------
On the 'programs' partition, which I will call P: for now, I remove the
default NTFS permissions and replace them with Administrators:Full and
SYSTEM:Full. I allow propagation of these permissions to child files
and
folders.
I then copy the no-installer version to P: to create P:\PHP
As recommended I have added the P:\PHP path to the Path system variable.
In addition to the inherited permissions I explicitly allow the IIS
security
context read permissions to P:\PHP and its children. In the default
case
this would be %machinename%\IUSR_%machinename%. I confess I was hoping
to
save myself some time by asking if any of you has a list of the required
permissions needed on the PHP folder. Is it safe enough to allow IIS
read-access to all of the PHP contents? (I'm wondering about the
php.ini
file in particular)
On the 'data' partition, which I will call D: for now, I remove the
default
NTFS permissions and replace them with Administrators:Full and
SYSTEM:Full.
I allow propagation of these permissions to child files and folders.
I then create a root folder to be the root of my website D:\WEBROOT. In
addition to the inherited permissions I explicitly allow the IIS
security
context read permissions to D:\WEBROOT and it's children. In the
default
case this would be %machinename%\IUSR_%machinename%.
My conjecture: as the PHP ISAPI extension is running under the IIS
security
context it means that the PHP engine has read access to these files. If
this is wrong *please* let me know!!
MySQL Setup
---------------------
I copy the no-installer version of MySQL to P: to create P:\MySQL
I create a new local user account to run the MySQL Service. I remove
the
default group membership and allow the account to run as a service. If
anyone has any best-practice information regarding the creation and use
of
service accounts I'd be grateful if you could send me a link or the
info.
In addition to the inherited permissions I explicitly allow the MySQL
Service account read permissions to P:\MySQL and its children.
I then create a MySQL data folder D:\MySQL. In addition to the inherited
permissions I explicitly allow the MySQL Service account modify
permissions to D:\MySQL and its children.
I create a my.ini file for MySQL and place it in the %WinDir% folder
allowing the MySQL Service account read access.
------------------------------------------------------------
[mysqld]
# set basedir to your installation path
basedir=P:\\mysql
# set datadir to the location of your data directory
datadir=D:\\mysql\\data
------------------------------------------------------------
I copy the P:\MySQL\Data folder to D:\MySQL to create D:\MySQL\Data.
The
folder inherits the permissions of the parent.
I then run the MySQL Server with switches to install it as a service.
As
soon as the service is installed I change the security context of the
service to use the MySQL Service account created earlier. I then start
the
service.
I immediately use the command line client to change the root password
and
remove anonymous access, flushing the priveledges afterwards.
My conjecture: the above ensures that if the MySQL service account is
compromised it only has access to the MySQL folders on P: and D:
I also assume that the MySQL files do not need to be readable by the IIS
security context. Once again; If this is wrong *please* let me know!!
Can anyone confirm how the PHP engine talks to the MySQL instance
through
IIS? Does this make the PHPISAPI.dll a MySQL client talking to the
MySQL
interfaces, either through pipes (I'm not 100% convinced I know how
these
work; any guidance would be appreciated) or through a loop-back using
the
TCP 3306 port? In either case I assume that any host-based firewall
would
not need to allow traffic from outside the localhost.
Many thanks to those of you that took the time to read through all of
this.
I will greatly appreciate feedback as to how successful this would be in
securing an install of PHP and MySQL on IIS 5.1. If you have any
comments
or suggestions as to how this more secure or to simply correct an
erroneous
assumption on may part; give me a reply.
lamaslany
--- End Message ---
--- Begin Message ---
!! My apologies; the second post was supposed to be this one with
revised line breaks !!
Hello all,
I'm trying to ascertain the best way to securely configure PHP5 (the
no-installer version) on Windows XP (with SP2) for use with IIS and
MySQL.
Does anyone have a list of the least NTFS privileges needed for the PHP
install when used with IIS?
At present I have created two additional partitions, one for the
programs the other for data.
PHP Setup
-----------------
On the 'programs' partition, which I will call P: for now, I remove the
default NTFS permissions and replace them with Administrators:Full and
SYSTEM:Full. I allow propagation of these permissions to child files
and folders.
I then copy the no-installer version to P: to create P:\PHP
As recommended I have added the P:\PHP path to the Path system variable.
In addition to the inherited permissions I explicitly allow the IIS
security context read permissions to P:\PHP and its children. In the
default case this would be %machinename%\IUSR_%machinename%. I confess
I was hoping to save myself some time by asking if any of you has a list
of the required permissions needed on the PHP folder. Is it safe enough
to allow IIS read-access to all of the PHP contents? (I'm wondering
about the php.ini file in particular)
On the 'data' partition, which I will call D: for now, I remove the
default NTFS permissions and replace them with Administrators:Full and
SYSTEM:Full. I allow propagation of these permissions to child files and
folders.
I then create a root folder to be the root of my website D:\WEBROOT. In
addition to the inherited permissions I explicitly allow the IIS
security context read permissions to D:\WEBROOT and it's children. In
the default case this would be %machinename%\IUSR_%machinename%.
My conjecture: as the PHP ISAPI extension is running under the IIS
security context it means that the PHP engine has read access to these
files. If this is wrong *please* let me know!!
MySQL Setup
---------------------
I copy the no-installer version of MySQL to P: to create P:\MySQL
I create a new local user account to run the MySQL Service. I remove
the default group membership and allow the account to run as a service.
If anyone has any best-practice information regarding the creation and
use of service accounts I'd be grateful if you could send me a link or
the info.
In addition to the inherited permissions I explicitly allow the MySQL
Service account read permissions to P:\MySQL and its children.
I then create a MySQL data folder D:\MySQL. In addition to the inherited
permissions I explicitly allow the MySQL Service account modify
permissions to D:\MySQL and its children.
I create a my.ini file for MySQL and place it in the %WinDir% folder
allowing the MySQL Service account read access.
------------------------------------------------------------
[mysqld]
# set basedir to your installation path
basedir=P:\\mysql
# set datadir to the location of your data directory
datadir=D:\\mysql\\data
------------------------------------------------------------
I copy the P:\MySQL\Data folder to D:\MySQL to create D:\MySQL\Data.
The folder inherits the permissions of the parent.
I then run the MySQL Server with switches to install it as a service.
As soon as the service is installed I change the security context of the
service to use the MySQL Service account created earlier. I then start
the service.
I immediately use the command line client to change the root password
and remove anonymous access, flushing the privileges afterwards.
My conjecture: the above ensures that if the MySQL service account is
compromised it only has access to the MySQL folders on P: and D:
I also assume that the MySQL files do not need to be readable by the IIS
security context. Once again; If this is wrong *please* let me know!!
Can anyone confirm how the PHP engine talks to the MySQL instance
through IIS? Does this make the PHPISAPI.dll a MySQL client talking to
the MySQL
interfaces, either through pipes (I'm not 100% convinced I know how
these work; any guidance would be appreciated) or through a loop-back
using the
TCP 3306 port? In either case I assume that any host-based firewall
would not need to allow traffic from outside the localhost.
Many thanks to those of you that took the time to read through all of
this. I will greatly appreciate feedback as to how successful this would
be in
securing an install of PHP and MySQL on IIS 5.1. If you have any
comments or suggestions as to how this more secure or to simply correct
an erroneous
assumption on may part; give me a reply.
lamaslany
--- End Message ---
--- Begin Message ---
I am a fascinated PHP newbie who need help.
I an using WAMP5 version 1.1 - for Windows Apache MySql and PHP.
I want to use the short variable $variable instead of the $_POST[variable] but
the $variable is not working when I echo it. I configured "global_register =
On" in my PHP.ini, still the short $variable is not working when I echo it.
Is there something else I need to do or configure.
Thanks
-----------------------------------------------------------------------------------------------------------
AFOLABI, O. Richard (0803 284 8974)
Executive Director
InfoTech Corps, Katsina State, Nigeria.
[EMAIL PROTECTED]
http://projects.takingitglobal.org/infoTech
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--- End Message ---
