Php Security

If you are having trouble with PHP commands like backticks (``), system(), exec(), passthru(), and others that spawn external commands, or are having trouble with errors like:



Then you're running PHP as an Apache module and you've written a script that doesn't quite conform to our security standards.

We implement strict security for PHP scripts run by Apache, because otherwise, none of our users would be able to sufficiently secure sensitive information (like Database passwords)!

If PHP is running as part of Apache, it runs as Apache's user and group. This differs from CGI scripts, which, because they run as a separate process outside Apache, run as the owner's user and group.

To protect your PHP scripts, we've disallowed all PHP functions that would let one user possibly open another user's script (and see sensitive stuff like passwords). Our restrictions work in two parts:

1: OPEN_BASEDIR RESTRICTIONS

open_basedir restrictions prevent any of PHP's file opening commands from working on any files outside of /home/youruser. Files BELOW that directory WILL WORK:

/home/youruser/phpstuff/some/more/dirs/file.info IS OK! PHP CAN OPEN IT!

If you need to open files in another user's home directory (assuming both are under you account, of course!) contact TS and they will happily make an exception for you.

NOTE: There have been some strange bugs that appeared with respect to open_basedir. Sometimes files that ARE in your home directory trigger an open_basedir error when they really shouln't. Notify support when this happens.

2: DISABLED EXECUTION FUNCTIONS

We have disabled the backticks operator (``), system(), exec(), passthru(), and dl() because all of these functions could be used to run naughty external processes as Apache's user.

If you need to use these functions, we have provided a second PHP system, PHP-CGI, which runs all your PHP scripts as if they were CGI's, so they run as your user and group. There are no restrictions on these scripts (not even open_basedir restrictions).

Here's how to switch to running PHP-CGI.

If you're using sessions, you'll have to delete your cookie and get a new one. Once the script is running as YOUR user, the session files Apache created in /tmp won't be readable (since your user can't read /tmp files created by Apache's user). If you delete your cookie and start a new session and all is well!