Server support blog

As we know from original article using Apache, PHP in CGI mode along with suExec gives us 2 important security advantages:
– suExec allows to run PHP process with (only) the file owner user privileges, enforcing proper permissions on PHP scripts and thus allowing to avoid cross-site exploits on the server that is running multiple dynamic web sites;
– per site php.ini.
That gives some unique opportunities for securing separate web sites on the server.

Easier way is to use the pricinple of the least privilege. For the impatient, who can not go the read the article the idea is simple – give the site the least possible privileges that required to function properly and disable everything else. I am talking about disable_functions.
What to disable exactly? Unfortunately most of the modern PHP scripts are written without security in mind so YMMV.

• Light and essential (taken from here)
  Shell

  disable_functions="exec,eval,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

  1	disable_functions="exec,eval,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

  . Affects only most dangerous functions but still might break some Wordpress plugins (and will definitely break vbulletin, that uses eval).

• more deep, enablig PHP functions on the “least privilege” basis. (You will need to adjust this list to exclude functions that are used in your PHP sccitps, unfortunately if it is third party script the only way to find out would be “trial and error”)
  Shell

  disable_functions="system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy"

  1

  disable_functions="system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy"

• using Suhosin, PHP security extension, and reducing PHP scripts privileges using suhosin configuration. (taken from here). Obviously you will need to have shared suhosin extension binary installed on the system.
  Shell

  extension=suhosin.so suhosin.log.syslog.facility = 9 suhosin.log.use-x-forwarded-for = Off suhosin.executor.max_depth = 0 suhosin.executor.include.max_traversal = 4 suhosin.executor.disable_emodifier = Off suhosin.executor.allow_symlink = Off suhosin.apc_bug_workaround = Off suhosin.sql.bailout_on_error = Off suhosin.multiheader = On suhosin.mail.protect = 1 suhosin.memory_limit = 80 suhosin.session.encrypt = On suhosin.session.cryptua = On suhosin.session.cryptdocroot = On suhosin.session.cryptraddr = 0 suhosin.cookie.encrypt = On suhosin.cookie.cryptua = On suhosin.cookie.cryptraddr = 0 suhosin.cookie.max_array_depth = 100 suhosin.cookie.max_array_index_length = 64 suhosin.cookie.max_name_length = 64 suhosin.cookie.max_totalname_length = 256 suhosin.cookie.max_value_length = 10000 suhosin.cookie.max_vars = 100 suhosin.cookie.disallow_nul = On suhosin.get.max_array_depth = 50 suhosin.get.max_array_index_length = 64 suhosin.get.max_name_length = 64 suhosin.get.max_totalname_length = 256 suhosin.get.max_value_length = 512 suhosin.get.max_vars = 100 suhosin.get.disallow_nul = On suhosin.post.max_array_depth = 100 suhosin.post.max_array_index_length = 64 suhosin.post.max_totalname_length = 256 suhosin.post.max_value_length = 65000 suhosin.post.disallow_nul = On suhosin.upload.max_uploads = 25 suhosin.upload.disallow_elf = On suhosin.upload.disallow_binary = Off suhosin.upload.remove_binary = Off suhosin.session.max_id_length = 128 suhosin.request.max_array_depth = 100 suhosin.request.max_array_index_length = 64 suhosin.request.max_totalname_length = 256 suhosin.request.max_value_length = 65000 suhosin.request.max_varname_length = 64 suhosin.request.disallow_nul = On suhosin.executor.func.blacklist = system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy suhosin.simulation = Off

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

  extension=suhosin.so suhosin.log.syslog.facility = 9 suhosin.log.use-x-forwarded-for = Off suhosin.executor.max_depth = 0 suhosin.executor.include.max_traversal = 4 suhosin.executor.disable_emodifier = Off suhosin.executor.allow_symlink = Off suhosin.apc_bug_workaround = Off suhosin.sql.bailout_on_error = Off suhosin.multiheader = On suhosin.mail.protect = 1 suhosin.memory_limit = 80 suhosin.session.encrypt = On suhosin.session.cryptua = On suhosin.session.cryptdocroot = On suhosin.session.cryptraddr = 0 suhosin.cookie.encrypt = On suhosin.cookie.cryptua = On suhosin.cookie.cryptraddr = 0 suhosin.cookie.max_array_depth = 100 suhosin.cookie.max_array_index_length = 64 suhosin.cookie.max_name_length = 64 suhosin.cookie.max_totalname_length = 256 suhosin.cookie.max_value_length = 10000 suhosin.cookie.max_vars = 100 suhosin.cookie.disallow_nul = On suhosin.get.max_array_depth = 50 suhosin.get.max_array_index_length = 64 suhosin.get.max_name_length = 64 suhosin.get.max_totalname_length = 256 suhosin.get.max_value_length = 512 suhosin.get.max_vars = 100 suhosin.get.disallow_nul = On suhosin.post.max_array_depth = 100 suhosin.post.max_array_index_length = 64 suhosin.post.max_totalname_length = 256 suhosin.post.max_value_length = 65000 suhosin.post.disallow_nul = On suhosin.upload.max_uploads = 25 suhosin.upload.disallow_elf = On suhosin.upload.disallow_binary = Off suhosin.upload.remove_binary = Off suhosin.session.max_id_length = 128 suhosin.request.max_array_depth = 100 suhosin.request.max_array_index_length = 64 suhosin.request.max_totalname_length = 256 suhosin.request.max_value_length = 65000 suhosin.request.max_varname_length = 64 suhosin.request.disallow_nul = On suhosin.executor.func.blacklist = system,passthru,exec,popen,proc_close,proc_open,proc_get_status,proc_nice,proc_terminate,shell_exec,highlight_file,escapeshellcmd,pclose,chgrp,chmod,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,escapeshellarg,chmod,disk_free_space,disk_total_space,get_cfg_var,show_source,dl,symlink,php.ini,listen,syslog,php_ini_scanned_files,inurl,apache_setenv,closelog,zip_open,zip_read,rar_open,bzopen,bzread,bzwrite,shellcode,show_source,apache_get_modules,apache_get_version,apache_note,openlog,crack_check,crack_closedict,pcntl_exec,ini_alter,backtick,cmd,virtual,getservbyport,getservbyname,myshellexec,hypot,pg_host,phpini,link,readlink,syslog,id,ftok,posix_access,phpinfo,error_log,sym,php_u,psockopen,apache_child_k_closedict,crack_getlastmessage,crack_opendict,php_ini,ini_restore,curl_setopt,curl_init,curl_exec,copy suhosin.simulation = Off

  This setup works in most usage scenarios, however this article concentrates on some details to pay attention to when you are planning to deploy Suhosin on your server.
  Quick Tip: you can turn suhosin.simulation flag to “on” and disable all suhosin functionality at once, while you still have it’s logging running.