I think this is a 'simple' question but I would like to have a correct vision of the problem.
I created an EC2 instance on Amazon using the Amazon Linux AMI. Then I installed Apache and php55 as per the instructions at http://ift.tt/1aE3oJu. I also set permissions on the /var/www directories as per the same guide:
[ec2-user ~]$ sudo groupadd www
[ec2-user ~]$ sudo usermod -a -G www ec2-user
[ec2-user ~]$ sudo chown -R root:www /var/www
[ec2-user ~]$ sudo chmod 2775 /var/www
[ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} +
[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} +
Let's consider this scenario. It is only for testing purposes; then we will implement the real application:
- I have a PHP web application that has one configuration file, config.php, where we store some important info for the security of the application, like db credentials and login criteria.
- To protect it, I put config.php in a "/matteotest" directory under /var/, set to 755; I created /matteotest outside the document root to increase security
- In some files I included config.php
- config.php is currently set to 404, so I will upgrade it to 604 only if I need to make changes and then downgrade it again to 404
Here is what I did in detail:
In the document root I created 2 files. Both files have 664 permissions; owner = ec2-user and group = www
//index.php
<?php
/**
* Created by PhpStorm.
* User: matteolatitude
* Date: 26/03/15
* Time: 1.12
*/
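// Load the path constant first, then the config file stored outside the document root
include($_SERVER["DOCUMENT_ROOT"].'/global.php');
include(PHP_FILES_PATH.'config.php');
echo '<br>';
for ($i = 1; $i <= 10; $i++) {
    echo $i;
}
// $somma is set by config.php
echo('Calculated result: '.$somma.'<br>');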
//global.php
<?php
/**
* Created by PhpStorm.
* User: matteolatitude
* Date: 26/03/15
* Time: 12.36
*/
define('PHP_FILES_PATH', '/var/matteotest/');
Then I created the /var/matteotest dir with owner = root and group = root and 755 permissions. Then in /var/matteotest I saved config.php; this file is only a test; in the real app I will use it to store, for example, db connection data. owner = root and group = root
config.php
<?php
/**
* Created by PhpStorm.
* User: matteolatitude
* Date: 26/03/15
* Time: 1.15
*/
// let's see if it runs this script too
$somma = ''; // initialise so .= does not raise an undefined-variable notice
for ($k = 1; $k <= 4; $k++) {
    $somma .= $k*2;
}
I would like to know
1) Does include($_SERVER["DOCUMENT_ROOT"].'/global.php') seem to be a good and secure choice? Is there a better and more secure method?
2) Are my permissions (and also owner and groups) a good choice, or would you have done it in a different way?
As you can see I'm very interested in security...
Thanks a lot, Matt
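An added example, not part of the original post: a small Python model of POSIX permission-class selection applied to the layout described above (/var/matteotest at 755 and config.php at 404, both root:root), listing which local accounts can read the file. The account ids and the 750/640 comparison layout are assumptions made for illustration.

```python
import stat

# Constructed accounts (uid, set of gids); the numeric ids are assumptions.
APACHE = (48, {48})            # web server account
EC2_USER = (500, {500, 501})   # 501 = constructed gid for the "www" group
OTHER = (1001, {1001})         # any other local account

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """POSIX picks exactly one class (owner, else group, else other) and
    checks only that class's bits. Root's bypass is not modelled."""
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need

def can_read(chain, account):
    """chain: [(mode, owner_uid, owner_gid), ...], directories first, file last.
    Reading needs search (x) on each directory and read (r) on the file."""
    uid, gids = account
    *dirs, target = chain
    return (all(allowed(m, u, g, uid, gids, "x") for m, u, g in dirs)
            and allowed(*target, uid, gids, "r"))

def readers(chain):
    """Names of the constructed accounts that can read the file."""
    accounts = {"apache": APACHE, "ec2-user": EC2_USER, "other": OTHER}
    return sorted(n for n, a in accounts.items() if can_read(chain, a))

# Layout from the post: /var/matteotest 755 root:root, config.php 404 root:root
POSTED = [(0o755, 0, 0), (0o404, 0, 0)]
# Assumed alternative for comparison: 750 / 640 with group = web server's group
GROUP_ONLY = [(0o750, 0, 48), (0o640, 0, 48)]

if __name__ == "__main__":
    print(stat.filemode(stat.S_IFREG | 0o404), readers(POSTED))
    print(stat.filemode(stat.S_IFREG | 0o640), readers(GROUP_ONLY))
```

With mode 404 the web server reads the file through the "other" bits, which is the same class every unrelated local account falls into.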