Re: [PHP-DEV] why the damn phpinfo() is so talkative? + answers
From: Ron Chmara (ron <email protected>)
Date: 10/20/00

Kristian Köhntopp wrote:
> Andi Gutmans wrote:
> > I think it should be done on the user level like you
> > pointed out below. We could put such a suggestion in
> > the manual (to run with env -i).
> This is by far not enough. If you are going to
> put a chapter on safe deployment policies

http://www.php.net/manual/security.php
Already started.

> into
> the manual, you need to differentiate along
> Windows and Unix systems,

Partially in there (not directly, though, as binary vs CGI)

> and along CGI and
> module versions of PHP.

In there.

> You'd want to talk about
> properties and limitations of safe_mode,

Not in there.

> about
> Unix process limits such as setrlimit and chroot,
> about typical additional safeguards for system
> security such as "env -i", "suexec replaced by
> sbox, using chroot", about the need to differentiate
> anonymous root (http docroot) vs. authenticated root
> (ftp chroot, being one level ABOVE docroot in order
> to make directories without unauthenticated access
> available) and the need to store logfiles and
> configuration files outside of docroot.

Not in there. It looks like a runtime-configuration page
needs to be added to the security section.

> Also, there should be talk about secure PHP programming,

In there.

> touching not only system level security as above,
> but also application level security.

In there.

> The section should
> be talking about control flow analysis, tainted variables,
> input validation with regexp and other stuff,

Partially in there....
The approach I was taking was more granular, discussing
security on a per-page level (as any other security is subject to
page-jumping and bookmarking), and basic philosophy. We cannot
ever tell somebody how to build an unbreakable chain, but we
can teach them basic philosophy.

> avoiding
> register_globals = On in order to facilitate that,

Suggested, by my favorite PHP critic, but not yet added.

> writing
> programs in PHP normal form, event driven programming
> and validation methods

This is methodology which may exceed the level of programming
many PHP users are at.... (er.. PHP normal form?)

> and finally designing secure and
> ergonomic URLs for your application access...
>
> You could, on the other hand, just buy the book by Till
> and Tobias, which already covers most of this.

True. The manual cannot be all things to all people. I've gradually
been building the security section as I have time... but it's open source,
and anyone with CVS access can add to it as they see fit. :-)

-Ronabop

--
Brought to you from boop!, the dual boot Linux/Win95 Compaq Presario 1625
laptop, currently running RedHat 6.1. Your bopping may vary.

-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
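The register_globals hazard and the regexp input validation that Kristian lists as manual topics, shown as an added example (not code from this thread or from the PHP manual). Everything here is constructed for the demo: checkLogin() is a stub, the 'user', 'pass', 'page' and 'authorized' parameters are hypothetical, and the request arrays stand in for $_GET. extract() is used to emulate what register_globals = On does on a modern PHP (7 or later is assumed) where the directive no longer exists.

```php
<?php
// Added example, not code from the thread or the PHP manual.

function checkLogin(string $user, string $pass): bool
{
    // Stand-in for a real credential check; one fixed pair for the demo.
    return $user === 'admin' && hash_equals('correct horse', $pass);
}

// Vulnerable: with register_globals = On every request parameter arrives as a
// local variable, and $authorized is never initialised before it is tested.
// extract() reproduces that behaviour here.
function vulnerablePage(array $request): string
{
    extract($request);                       // emulate register_globals = On
    if (isset($user, $pass) && checkLogin($user, $pass)) {
        $authorized = true;
    }
    if (!empty($authorized)) {               // ?authorized=1 sets this directly
        return 'secret contents of page ' . ($page ?? '1');
    }
    return 'login required';
}

// Hardened: no implicit variables, every value read explicitly from the
// request array, state initialised up front, and each input checked against a
// tight pattern. Anything that does not match is rejected, not "cleaned".
function hardenedPage(array $request): string
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    $page = $request['page'] ?? '1';

    // Short lowercase alphanumeric usernames, numeric page ids only.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $user)) {
        return 'bad username';
    }
    if (!preg_match('/\A[1-9][0-9]{0,5}\z/', $page)) {
        return 'bad page id';
    }
    if (checkLogin($user, $pass)) {
        $authorized = true;
    }
    return $authorized ? 'secret contents of page ' . $page : 'login required';
}

// Demo: the same forged request against both versions, then a legitimate one.
$forged = ['authorized' => '1', 'page' => '7'];   // constructed attacker input
echo vulnerablePage($forged), "\n";
echo hardenedPage($forged), "\n";
$legit = ['user' => 'admin', 'pass' => 'correct horse', 'page' => '7'];
echo hardenedPage($legit), "\n";
```

Run it with `php example.php`: the forged request reaches the secret page only through vulnerablePage(), because the client-supplied authorized variable is the first assignment that variable ever gets. The hardened version fails that request on the username check before any authorisation logic runs, which is the point of validating with a pattern that describes the only input you expect.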