RE: [PHP] PHP security in a hosting environment
My suggestion would be to run the PHP Web Server on a different server to where you are retrieving your files. The file server can then define its own polices of what you can read/write to etc. Your web server can then map a drive to the file server, and anybody writing PHP scripts won't be able to modify read-only scripts. Hope that's clear! Richard -Original Message- From: Ben Joyce [mailto:[EMAIL PROTECTED] Sent: 07 April 2004 11:30 To: [EMAIL PROTECTED] Subject: [PHP] PHP security in a hosting environment hi. one of my clients whom we host a website for has expressed interest in writing their own php/mySQL applications for their site. i've been looking in to the security implications of offering this service. My concerns are that the client *could* use a php script to access parts of the file system, registry (this is a Win32 environment), or other such things. I found a good article at http://www.securityfocus.com/infocus/1706 - it details some of the settings in the php config that can be used to prevent malicious scripting. Does anyone here have experience of securing a php server, and might have any advice on what else to watch out for? Any help appreciated. Thanks. Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure. == -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP security in a hosting environment
Ben Joyce wrote: hi. one of my clients whom we host a website for has expressed interest in writing their own php/mySQL applications for their site. i've been looking in to the security implications of offering this service. My concerns are that the client *could* use a php script to access parts of the file system, registry (this is a Win32 environment), or other such things. If you are really concerned about security you should not be in a shared hosting enviorenment. Seconly you may want to switch to a more secure operating system. -- Raditha Dissanayake. - http://www.radinks.com/print/upload.php SFTP, FTP and HTTP File Upload solutions -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP security in a hosting environment
From: Ben Joyce [EMAIL PROTECTED] one of my clients whom we host a website for has expressed interest in writing their own php/mySQL applications for their site. i've been looking in to the security implications of offering this service. My concerns are that the client *could* use a php script to access parts of the file system, registry (this is a Win32 environment), or other such things. What web server are you going to use? Either way, PHP runs as a specific user (IUSR_computer_name with IIS, for example). This user shouldn't be able to access anything in the filesystem except what's in the webroot (ensure this is true for your machine). This assumes an NTFS filesystem, btw. In order to protect things under the webroot, that's where safe_mode, openbasedir, etc, come into play as explained in the article you linked to. You're right to be concerned, but it can be done safely. In addition to all of the above, get something IN WRITING stipulating what the user is allowed to do, terms of service, etc. That way if you catch them doing something, you'll be safe legally to go after them. IANAL ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP security in a hosting environment
--- Ben Joyce [EMAIL PROTECTED] wrote: one of my clients whom we host a website for has expressed interest in writing their own php/mySQL applications for their site. i've been looking in to the security implications of offering this service. How are you not offering it now? Can the client not write CGI scripts, PHP, or anything like that now? So, only static content? My concerns are that the client *could* use a php script to access parts of the file system, registry (this is a Win32 environment), or other such things. Not to be cute, but Windows isn't fundamentally a multi-user operating system. I doubt offering PHP services is going to affect your server security more than your choice of operating system already has. You can restrict what PHP can do with things like safe_mode, but it is very important to realize that this only affects scripts written in PHP. It doesn't protect your environment; it only takes PHP out of the picture. Security Corner is the latest issue of php|architect (http://www.phparch.com/issue.php?mid=26) discusses the issue of shared hosting in more detail. Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
