Limit PHP Execution?

Question

We are working on making a WordPress type system from scratch with a templating system and I am wondering about security. We hope to have a SaaS model where the user will be on the same server as a few other users, but we hope to also give them the tools to modify their own Views files, which means PHP access. We are using Laravel as the framework. As a long time Dreamhost user, I know you can section the same machine off into multiple environments, but I am not really sure what they were using to do so.

How can I prevent the execution of commands like eval(), system commands, and limit the users' access to fopen (I assume that is mostly through the Linux user permissions)? I would like to give them direct file access to the Views folder and to develop their own solutions instead of forcing them to go through me, but without jeopardizing too much. If there are MySQL considerations beyond separate users, feel free to chime in there as well.

Recommended answer

You need to protect several layers.

Some of the hosters incorrectly rely on PHP "protections" like open_basedir, safe_mode (older PHPs), disable_functions etc.

Even PHP itself doesn't consider them security features - http://php.net/security-note.php

These can be disabled with any exploit for PHP and then the whole system is doomed, do not do that.

  • A separate OS-level/system user for every hosted site
  • Correct permissions (one can't view/edit the other's pages) - also make sure the subdirectories have the correct permissions, as they will be similar
  • Separate session files (many web hostings put the session files of every PHP hosted site into the same directory, that's bad, really bad!)

Apache finally got its own module for this - Apache MPM-ITK.

Long story short: picture this as if you'd give the user a shell on the machine (under his own uid) - he must not be able to do anything to the other hosted sites.

  1. Different uid/gid
  2. System permissions
  3. Frameworks like SELinux, AppArmor, etc.
  4. grsecurity if you want to be hardcore, but the system will be harder to maintain.

Going up?

You can get more hard-core. The best I've seen is a shared-library for apache (or whatever you use) - that is used when apache is started using LD_PRELOAD and it implements all the potentially malicious system calls like system(), execve() and basically any other call that you find bad.

I haven't seen a good implementation of this out there yet (other than custom ones somewhere) - correct me if I'm wrong.

Make sure to implement a white-list for this, as e.g. mail() in PHP executes sendmail by default and that won't work anymore.

Add classic disable_functions, open_basedir, etc. into global php.ini, add session.save_path to every vhost - put sessions into user directories. Make sure users don't share anything.

Implement the underlying OS-level separation correctly.

Get hardcore with grsec and LD_PRELOAD lib hooking system calls.

Separation, separation, separation... soon enough systems like Docker will provide LXC-based containers to separate users at the kernel level, but it's not quite production ready yet (imho).
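The LD_PRELOAD hook with the sendmail white-list that the answer describes, written out as an added example (not code from the answer or from any existing library): it interposes execve() with an allow-list of absolute paths, refuses everything else with EPERM, and logs the attempt. It assumes Linux/glibc; the sendmail paths in the list are placeholders for the host's real mailer.

```c
/* exec_allowlist.c - LD_PRELOAD execve() filter with an allow-list.
 * Build:  gcc -shared -fPIC -O2 -o exec_allowlist.so exec_allowlist.c
 * Deploy (hypothetical): LD_PRELOAD=/opt/exec_allowlist.so in the httpd
 * environment, so every process PHP spawns inherits the hook.          */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Programs PHP may legitimately execute. Constructed for this example:
 * the answer notes that mail() runs sendmail by default, so the mailer
 * must be allowed or mail() stops working. Adjust to the host's paths. */
static const char *const allowed_execs[] = {
    "/usr/sbin/sendmail",
    "/usr/lib/sendmail",
    NULL
};

/* Returns 1 if `path` may be executed, 0 otherwise. Only an exact match
 * on an absolute path counts: a relative name or anything that would
 * still need a PATH lookup is refused rather than guessed at. */
int exec_allowed(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char *const *p = allowed_execs; *p != NULL; p++)
        if (strcmp(path, *p) == 0)
            return 1;
    return 0;
}

/* Interposed execve(): with the library in LD_PRELOAD this definition
 * shadows libc's, so callers land here first. Denied calls fail with
 * EPERM and leave a trace on stderr (httpd's error log under Apache). */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!exec_allowed(path)) {
        fprintf(stderr, "exec_allowlist: denied execve(%s) pid=%ld uid=%ld\n",
                path ? path : "(null)", (long)getpid(), (long)getuid());
        errno = EPERM;
        return -1;
    }
    /* Allowed: issue the raw syscall instead of dlsym(RTLD_NEXT, "execve")
     * so the library has no dependency on libdl. Linux-specific. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Each libc entry point (popen(), system(), posix_spawn(), the execl/execvp family) is a separate exported symbol and glibc's internal calls between them are not interposed, so a real deployment needs a wrapper per entry point the answer lists. A statically linked binary or a direct syscall bypasses LD_PRELOAD entirely, which is why the answer treats this as a layer on top of the OS-level separation, not a replacement for it.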
