Re: [PHP] Apache Directives for php as module

2002-06-27 Thread Jason Wong

On Thursday 27 June 2002 02:49, Jason G Trusty wrote:
> Hello,
>
> I read the support pages at php.net regarding php.ini. Am I correct in the
> assumption that so long as you have php compiled as a module for apache
> that you can then use apache style directives to override the default
> php.ini?

If php is compiled as an Apache module then yes you can use apache style 
directives to override the default php.ini.

> Furthermore, are these override directives allowed in a vhost container?
> Given the example vhost container (taken from my existing server setup):
>
> <VirtualHost 127.0.0.1:80>
>   ServerAdmin [EMAIL PROTECTED]
>   ServerName www.example.com
>   ServerAlias *.example.com
>
>   php_value open_basedir = e:\www\htdocs

I don't think you need the '=' sign. In fact apache (1.3.26) wouldn't start if 
you have the '='.

> Would the additional directive I have added (php_value open_basedir =
> e:\www\htdocs) restrict php from executing any code, scripts and/or
> functions from being executed for this virtual host only by limiting it to
> the vhosts home directory?

For open_basedir it's slightly different:

php_admin_value open_basedir e:\www\htdocs

Not sure whereabouts in the manual php_value VS php_admin_value is documented 
but there is an example in the chapter Safe Mode.

> I am obviously running apache/php/mysql in a Windows environment and I am
> worried about security. Currently (using php) I can execute/issue any
> command or function of my choosing with no restrictions whatsoever. For
> example: I can create/delete directories, files etc. This is obviously
> not a secure environment for virtual hosting.

If you're concerned about security then just specifying open_basedir is NOT 
enough. For instance, on Linux at least, one can easily circumvent it by 
running system commands eg:

exec('cat /etc/passwd');
echo `cat /etc/passwd`;

Thus you should always define 'safe_mode_exec_dir' as well.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
... this must be what it's like to be a COLLEGE GRADUATE!!
*/


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
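
A small checker for the three points made in the reply above (no '=' in the directive, php_admin_value rather than php_value for open_basedir, and a safe_mode_exec_dir defined alongside it). It is an added example, not code from either poster; the function name, finding codes, sample vhosts and the e:\www\bin path are constructed for illustration.

```python
import re

# Settings the thread discusses. Values set with php_admin_value cannot be
# overridden by .htaccess files or ini_set().
ADMIN_ONLY = {"open_basedir", "safe_mode_exec_dir"}
DIRECTIVE = re.compile(r"^\s*(php_(?:admin_)?value)\s+(\S+)\s*(.*)$", re.I)

def audit_vhost(conf):
    """Return (line_number, code) findings in file order; line 0 = whole vhost."""
    findings, locked = [], set()
    for n, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, name, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if "=" in name or rest.startswith("="):
            # Syntax is "name value"; the reply reports Apache 1.3.26
            # failing to start when the '=' is present.
            findings.append((n, "equals-sign"))
            name = name.split("=")[0]
        if name in ADMIN_ONLY:
            if kind == "php_value":
                findings.append((n, "use-php_admin_value"))
            else:
                locked.add(name)
    if "safe_mode_exec_dir" not in locked:
        # open_basedir alone does not restrict exec() or backticks.
        findings.append((0, "missing-safe_mode_exec_dir"))
    return findings

# Constructed sample: the directive as written in the original question.
SAMPLE_WEAK = r"""<VirtualHost 127.0.0.1:80>
  ServerName www.example.com
  php_value open_basedir = e:\www\htdocs
</VirtualHost>
"""

# Constructed sample: the form the reply recommends (exec dir path is made up).
SAMPLE_FIXED = r"""<VirtualHost 127.0.0.1:80>
  ServerName www.example.com
  php_admin_value open_basedir e:\www\htdocs
  php_admin_value safe_mode_exec_dir e:\www\bin
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit_vhost(conf))
```

safe_mode and safe_mode_exec_dir were removed in PHP 5.4.0, so the last check only applies to PHP versions of this thread's era.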




[PHP] Apache Directives for php as module

2002-06-26 Thread Jason G Trusty

Hello,

I read the support pages at php.net regarding php.ini. Am I correct in the
assumption that so long as you have php compiled as a module for apache that
you can then use apache style directives to override the default php.ini?

Furthermore, are these override directives allowed in a vhost container? Given
the example vhost container (taken from my existing server setup):

<VirtualHost 127.0.0.1:80>
  ServerAdmin [EMAIL PROTECTED]
  ServerName www.example.com
  ServerAlias *.example.com

  php_value open_basedir = e:\www\htdocs

  DocumentRoot E:/www/htdocs

  <Directory E:/www/htdocs>
    Options IncludesNoExec MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  Alias /logs/ c:/Apache2/logs/www/

  <Directory c:/Apache2/logs/www/>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  ErrorLog c:/apache2/logs/www/error.log
  CustomLog c:/apache2/logs/www/access.log common
  TransferLog c:/apache2/logs/www/access.log
</VirtualHost>

Would the additional directive I have added (php_value open_basedir =
e:\www\htdocs) restrict php from executing any code, scripts and/or
functions from being executed for this virtual host only by limiting it to
the vhosts home directory?

I am obviously running apache/php/mysql in a Windows environment and I am
worried about security. Currently (using php) I can execute/issue any
command or function of my choosing with no restrictions whatsoever. For
example: I can create/delete directories, files etc. This is obviously
not a secure environment for virtual hosting.

Any help concerning this matter would be appreciated.

Cheers,
JTrusty

