On Tue, 2005-07-26 at 21:02 -0700, Gregory S. Youngblood wrote: > I do not use PHP normally, but I use a couple of programs that do, > such as squirrelmail. I am aware of several remote code execution > vulnerabilities in some PHP versions. I am also aware that in many > cases, these vulnerabilities require an unsecure configuration option > in either the PHP install, or the software written to use PHP. > > I was wondering if the PHP installed with Trustix (2.1, 2.2, 3.0) has > been checked, so that the default options set in the trustix php > package(s) are as secure as possible from the beginning. If not, what > should I change to lock things down appropriately?
Yes, in general the defaults are secure. In php.ini it is advisable to; Turn safe mode on and set the exec_dir (effectively a chroot for PHP binaries) safe_mode_exec_dir = (path of allowed PHP execution) safe_mode = On Turn off register_globals & allow_url_fopen (which are by default anyway > PHP 4.2.0) also enable_d1 = Off (which turns off Dynamic module loading) expose_php = Off (which stop the display of PHP information through easter eggs) Turn on logging options.. check php.net for error_reporting and log_errors (n.b. you can also stop errors from being displayed to the webpage and leaking potentially sensitive information by using display_errors = Off and display_startup_errors = Off - don't use these while in development/debugging phases though!) plus maybe disable_functions = openlog (malicious program may allow Apache error messages appear in the system log as a different user) and if your scripts don't need them, disable_functions = openlog, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apace_getenv, virtual plus you may be able to add exec and passthrough to that.. You can also restrict filestsem access using the following function.. open_basedir = /home/httpd/html Finally, another thing to remember is to try and prevent DOS type of attacks by restricting memory usage. Check out memory_limit - post_max_size - max_input_time - max_execution_time > > [I'm going to Google next, but thought I might get a more thorough > response from this list.] Hope this was enough to get you going... I think I'll add this as a Wiki topic and expand on it, together with some Apache hardening tips.. If any one has any more comments please add them! > > Thanks, > Greg > > Joel ;) _______________________________________________ tsl-discuss mailing list [email protected] http://lists.trustix.org/mailman/listinfo/tsl-discuss
