SteveW Posted October 13, 2007 Posted October 13, 2007 Hello, everyone. I'm trying to work out what changes my site will need if I transfer it to TCH. It looked like "not many changes" until I started reviewing my PHP settings. Much of this post is just to determine if my proposed changes are correct... I'm currently on a server running suPHP. That probably reveals (but not to me!) whether PHP is "running as CGI or Apache module", but the end result is that currently I do have my own php.ini file, which uses the following settings, which are as secure as I could make them while still allowing SMF Forum 1.1.4 to run properly. (Some settings omitted here for security): allow_url_fopen = Off disable_functions = exec,shell_exec, ... and a dozen more display_errors = Off display_startup_errors = Off error_log = /home/userID/{pathandfile} error_reporting = E_ALL file_uploads = On log_errors = On register_globals = Off As I understand it, TCH runs PHP in such a way that a single php.ini file serves all accounts on the server. However, the following settings can be done in .htaccess, as follows: php_flag display_errors Off php_flag display_startup_errors Off php_flag log_errors On php_flag register_globals Off php_value error_log /home/userID/{pathandfile} php_value error_reporting E_ALL That leaves the following ones, which can't be set in .htaccess: 1) allow_url_fopen = Off I consider it important for security because I get many RFI attacks. However, I did make an equivalent .htaccess workaround that might be useful for others. It denies any HTTP request where the URL query string contains "=http://" or "=ftp://" : RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC] # The following line allows your own IP to use this type of query string, when you need it. #RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$ [NC] RewriteRule .* - [F,L] 2) On TCH servers, is the following one On, since many scripts (including SMF) require it?: file_uploads = On 3) That finally leaves this, which can only be set in the server's php.ini or httpd.conf. I don't use the functions I've disabled, but most exploit scripts DO use them, so disabling them is desirable: disable_functions = exec,shell_exec, and a dozen more Can anyone think of a way to make this possible? Somewhere on this forum I encountered the following phrase: "a separate PHP.INI in every directory to override the default". Is that a usable option? If I did put my own php.ini in every directory, would the system use it? Quote
TCH-James Posted October 15, 2007 Posted October 15, 2007 Steve, The custom php.ini file does not work as this is normally used in a phpsuexec environment. You can try the following alternate flag option in .htaccess: php_admin_flag allow_url_fopen off File uploads are enabled on the servers, though to check the server your account is on you can open a help desk ticket and we can look into it. Lastly, for the disable functions directive, you can try using the php_admin_flag setting to see if that will make the needed change locally. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.