Hi

On Sun, 3 Oct 2010 00:32:52 +0200
Jörg Sommer <jo...@alea.gnuu.de> wrote:

> would you add these options to the default settings of Apache's config
> for phpmyadmin? I'm running phpmyadmin with these options set and don't
> have any problems. Phpmyadmin does not use the PHP feature url fopen or
> any of the functions to run a shell function or open a socket to the
> outside. To make life harder for bad boys, who misuse functions of
> phpmyadmin, I think these features should be disabled. Also the
> restriction of open_basedir would be helpful.
> 
> diff --git a/phpmyadmin/apache.conf b/phpmyadmin/apache.conf
> index 8c51ef4..16d5d49 100644
> --- a/phpmyadmin/apache.conf
> +++ b/phpmyadmin/apache.conf
> @@ -32,6 +32,11 @@ Alias /phpmyadmin /usr/share/phpmyadmin
>                 php_value display_errors Off
>                 php_flag log_errors On
>                 php_flag html_errors Off
> +               php_admin_flag allow_url_fopen Off

This makes sense.

> +               php_admin_flag safe_mode On

Safe mode is deprecated as of PHP 5.3.0, so it does not make sense to
enable it now.

> +               php_admin_value upload_tmp_dir /tmp
> +               php_admin_value open_basedir 
> /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/tmp/

I don't think overriding upload_tmp_dir from the PHP configuration is a
good idea, and without that I don't think it is possible to set open_basedir.

> +               php_admin_value disable_functions 
> exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen
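
Review bot: the two long php_admin_value lines (open_basedir and
disable_functions) have been wrapped by the mail client, so their values
sit on a following line that carries no leading "+"; the patch as posted
will not apply and should be resent as an attachment or with line
wrapping disabled. On the content of the hunk: disable_functions is a
php.ini-only directive, so the last added line has no effect in
apache.conf and would have to go into the system php.ini instead, and
safe_mode is deprecated as of PHP 5.3.0, so a new default configuration
should not introduce it. The allow_url_fopen and open_basedir lines are
fine as per-directory settings, provided upload_tmp_dir points inside
the open_basedir list as this hunk does.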

According to the documentation, "This directive must be set in php.ini.
For example, you cannot set this in httpd.conf."

-- 
        Michal Čihař | http://cihar.com | http://blog.cihar.com
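
As an added example, not the Debian package's apache.conf and not the patch
as posted, this is how the phpmyadmin directory block could look once the
settings that cannot be applied from httpd.conf are left out. The
<Directory> and <IfModule> wrappers and the php.ini path in the comment are
assumptions; the directive values and paths are the ones quoted in the patch.

```apache
# Added example; assumes the Debian layout quoted in the patch:
# code in /usr/share/phpmyadmin, configuration in /etc/phpmyadmin,
# runtime data in /var/lib/phpmyadmin. The Directory/IfModule wrappers
# are assumed, not copied from the package.
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    <IfModule mod_php5.c>
        php_value display_errors Off
        php_flag log_errors On
        php_flag html_errors Off

        # Stops include/fopen of http:// and ftp:// URLs. php_admin_flag
        # cannot be overridden from a .htaccess file in this tree.
        php_admin_flag allow_url_fopen Off

        # Restricts file access to the paths phpMyAdmin needs. open_basedir is
        # a prefix match, so the trailing slashes matter: "/tmp" alone would
        # also match "/tmpfoo". Uploads are written to upload_tmp_dir, which
        # therefore has to be one of the listed paths.
        php_admin_value upload_tmp_dir /tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/tmp/

        # safe_mode is deprecated as of PHP 5.3.0 (and removed in 5.4), so it
        # is deliberately not set here.
        #
        # disable_functions can only be set in php.ini and has no effect in
        # httpd.conf. If wanted, it belongs in the system php.ini, for
        # example /etc/php5/apache2/php.ini (assumed path), as:
        #   disable_functions = exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen
        # Note that this then applies to every PHP application on the host,
        # not only to phpMyAdmin.
    </IfModule>
</Directory>
```

After a change like this, the effective values can be checked from a
phpinfo() page served from /phpmyadmin: allow_url_fopen and open_basedir
should show the per-directory ("Local") value, while disable_functions only
changes once php.ini is edited and Apache restarted.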
