Monday, November 23, 2009

Secure PHP Pages with SUPHP

SkyHi @ Monday, November 23, 2009
Creating secure websites with PHP requires attention to detail and some understanding of the possible risks. SUPHP is one tool to make it easier for Web developers on ITC-managed systems to secure their sites.

For PHP applications to access MySQL databases or upload (write) files to site folder(s), the file and/or directory access permissions almost always need to be set open enough for the application to do its work. Unfortunately, this also allows any user with access to the Web server to read and/or modify files. Website vandals take advantage of this exploit to modify both the user's own website and other sites on the same server.

With SUPHP, the file permissions can then be set so that only the user can read the file, and the SUPHP page can write in any location where the owner can write.

Note: If you need a generalized CGI solution for your web pages please see our SUCGI page.
Get Started with SUPHP

1. Replace the .php file extension with the .suphp extension.
2. Make sure the file owner id matches your computing ID.
3. Set file permission(s) to allow read access only by you (e.g., chmod 600 filename.suphp).

Note: If you're using a package downloaded from the Internet, you will need to analyze the files provided. Rename files as mentioned above, and then go through all of the remaining code to replace references to filename.php with references to filename.suphp.

If renaming with .suphp file extension is not possible, you can modify the way the Web server handles all files in your directory with the .php file extension by adding the following to an .htaccess file in the directory:

AddHandler su-php-script .php

The other requirements of SUPHP still apply. Note that using this means that all PHP programs anywhere under this directory will now run as CGI through the SUPHP interface.
Requirements

* The PHP script must be valid PHP 5. The suphp module runs PHP 5 rather than the standard PHP on the server (on most ITC maintained machines the standard PHP is version 4).
* The PHP file must have the .suphp extension unless using the AddHandler directive described above.
* The file must be saved in the standard Web server document areas: /www/doc/, /www/doc_ssl/, the user's public_html directory, or sub-directories within these locations.
* The reference cannot be made via a symbolic link to the file.
* The file must have owner permission to read set (e.g., chmod u+r filename.suphp or chmod 400 filename.suphp).
* The file can allow writing by the owner and the owner's group subject to limitations below.
* The directory containing the file can be writeable by the owner and the group, but not by any other users.
* The file itself and the directory it is in must have matching user and group ownership. (when access by the Web server the file will be run using the user and group ownership of the file).
* The file must not have UNIX file permissions set to force the user id or group id when run.

The user id and group id of the files and directories need to meet additional restrictions:

* The user id must be a member of the group id used.
* The user id cannot be in the list of administrative ids (those which have a numerical version of the id less than 500).
* The group id cannot be in the list of administrative groups (those with have a numerical version of the id less than 100.
* The id command on blue.unix will give you the numeric versions of your [owner] ID and the numeric ids for groups to which you belong.

Managing Access Permissions and Ownership

* Permissions (read/write/execute) can be changed from the Home Directory Administrative Interface.
* User ownership can only be changed by the system administrator or by removing files and having the correct owner create them.
* Group ownership can be changed with the chgrp command when logged into UNIX server (blue.unix.virginia.edu for the majority of websites on Grounds).
* If your standard UNIX group is usr (which is common for many users), you will need to create a new group with MyGroups. Add yourself as a member to that group.

Moving PHP Configuration out of .htaccess Files

SUPHP does not see PHP configurations in .htaccess files, such as php_flag or php_value. You need to move these into the PHP script itself, using the PHP ini_set() function. For example,

* change php_flag register_globals On in .htaccess to ini_set("register_globals", "On"); in your PHP script.
* change php_value include_path "dir1:dir2" in .htaccess to ini_set("include_path", "dir1:dir2"); in your PHP script.

Using SUPHP with NetBadge Authentication

If your SUPHP script is authenticated by NetBadge, then the user will be required to login, but your SUPHP script will not receive the user name in $_SERVER['REMOTE_USER']. This happens because your script is run with unauthenticated SUPHP, which is the default. To fix this problem, you must put these lines in your .htaccess file to use NetBadge authenticated SUPHP.

Action su-php-script /server-cgi/netbadge/suphp
PubcookieAppId sunetbadge