nginx+php(fpm-php fastcgi)open_basedir安全设置-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

nginx+php(fpm-php fastcgi)open_basedir安全设置

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 23, 2016 pm 01:16 PM

实验目的

根据文章”PHP绕过open_basedir列目录的研究”通过测试不同的配置验证本文的绕过basedir的方法是否有效,从而安全配置php open_basedir的目的.
文中后面几个方法都是windwos下采用枚举的方式列出目录,linux下需要做暴力猜解的方式才可以,所以不做测试.

测试”DirectoryIterator + Glob”方式是否可以绕过open_basedir
测试webshell工具”菜刀”是否可以绕过open_basedir

实验环境

nginx + PHP 5.6.7 fastcgi模式, centos7 linux
目前配置open_basedir有三处地方php-fpm.conf,nginx fastcgi_param,php.ini
下面逐一测试

测试详细

只在php-fpm.conf中配置

php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/

结果

open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

open_basedir : /home/wwwroot/:/proc/:/tmp/ -- DirectoryIterator + Glob --. .. .autorelabel bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr vagrant var

菜刀不可跨出basedir

只在nginx的fastcgi_param配置

# set php open_basedir fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

这里的”$document_root”是nginx中的变量,为nginx的每个server里的root目录
比如server www.iamle.com配置的root目录为/home/wwwroot/www.iamle.com

认真读php手册有下面这段话
PHP配置值通过 php_value 或者 php_flag 设置，并且会覆盖以前的值。
请注意 disable_functions 或者 disable_classes 在 php.ini 之中定义的值不会被覆盖掉，但是会将新的设置附加在原有值的后面。使用 php_admin_value 或者 php_admin_flag 定义的值，不能被 PHP代码中的 ini_set() 覆盖。自 5.3.3 起，也可以通过 web 服务器设置PHP 的设定。也就是nignx中fastcgi_param配置php的配置php_flag用来专门设置布尔值，如on, off, 1, 0, true, false, yes, no，而php_value用来设置所有类型的值结果和上面一样open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

菜刀不可跨出basedir

只在php.ini配置

[HOST=www.iamle.com]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/[PATH=/home/wwwroot/www.iamle.com/]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/

意思是当HOST=www.iamle.com设置open_basedir,当PATH=/home/wwwroot/www.iamle.com/

设置open_basedir,我测试的时候2个任意设置一个都是有效的

结果和上面一样

open_basedir的目录以外不能读,不能写,不过DirectoryIterator + Glob 可以成功列出全盘文件

菜刀不可跨出basedir

个人结论

DirectoryIterator + Glob的方式可以列出php服务器上所有文件,看似没什么危害,实际上对于长期的APT绝对有帮助.

open_basedir不是想象的那么安全,说不定别人手上有甚至有能读写open_basedir的0day

个人推荐的nginx + php(fastcgi fpm-php)(lnmp) open_basedir的配置

先设置fpm-php中pool池中的总open_basedir这叫顶层设计,有个总限制,比如统一限制到/home/wwwroot/这样的web目录下再对nginx中单个server 通过 fastcgi_param PHP_ADMIN_VALUE 设置
再对php.ini设置 [HOST=XXX] [PATH=XXX]
三管齐下妈妈再也不用担心我的php open_basedir了(希望吧)
虽然很啰嗦,但是这样岂不是更放心

总而言之就是下面的结果,我就是下面这种啰嗦的配置

#在php-fpm.conf对应的pool池中行尾配置php_admin_value[open_basedir]=/home/wwwroot/:/proc/:/tmp/#在nginx fastcgi fastcgi_param配置#这里用$document_root是一种取巧的方法,也可以设置绝对路径# set php open_basedirfastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";#在php.ini行尾配置[HOST=www.iamle.com]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/[PATH=/home/wwwroot/www.iamle.com/]open_basedir=/home/wwwroot/www.iamle.com/:/proc/:/tmp/

测试中还发现这三个地方配置的优先级如下

“php.ini” > “nginx fastcgi fastcgi_param” > “php-fpm.conf”

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PM

PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot

HTTP Method Verification in LaravelMar 05, 2025 pm 04:14 PM

Laravel simplifies HTTP verb handling in incoming requests, streamlining diverse operation management within your applications. The method() and isMethod() methods efficiently identify and validate request types. This feature is crucial for building

Discover File Downloads in Laravel with Storage::downloadMar 06, 2025 am 02:22 AM

The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:

See all articles