Fix Log Rotation Problems Published: Jul 14, 2004
A lot of sites talk about securing PHP but only cover different compile-time options. I don't care about those; I want to secure php.ini itself so you don't have to recompile PHP to make it more secure.

Securing PHP

PHP is one of the most popular applications running on Linux and Windows servers today. It's also one of the main ways servers and user accounts get compromised. I want to go over some of the things you can do to lock down PHP by securing php.ini.

First off, you need to find php.ini, the main configuration file for PHP, so you can edit it. You can locate it by logging into a shell and typing the following:

# php -i |grep php.ini

Turn on safe_mode

Safe mode is an easy way to restrict which functions scripts can use. The PHP manual explains safe_mode as, "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now."

I highly recommend you enable safe_mode on production servers, especially in shared environments. This stops exec functions and others that can easily lead to a security breach.

See our article on Customizing PHP Safe Mode

Disable Dangerous PHP Functions

PHP has a lot of potential to mess up your server, compromise user accounts and even get root. I've seen many times where an insecure PHP script was used as the entry point to a server, then dangerous commands were run from it to take control.

Search the php.ini file for:
disable_functions =

Add the following:

disable_functions = dl,system,exec,passthru,shell_exec

Turn off Register Globals

register_globals injects your scripts with all sorts of variables, such as request variables from HTML forms. Coupled with the fact that PHP doesn't require variable initialization, this makes writing insecure code that much easier. Search the php.ini file for:

register_globals = On

Replace it with

register_globals = Off
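The three php.ini changes above are easy to get wrong by hand, so here is an added example (not from the original article) that parses a php.ini and reports which of those settings are still weak. It understands `;` comments, `[section]` headers and `key = value` lines; the two sample ini texts are constructed for the demonstration.

```python
# Added example: audit a php.ini for safe_mode, register_globals and
# disable_functions as recommended above. Sample ini texts are constructed.
REQUIRED_DISABLED = {"dl", "system", "exec", "passthru", "shell_exec"}

def parse_php_ini(text):
    """Map directive -> value; a later definition overrides an earlier one, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip comments and whitespace
        if not line or line.startswith("["):  # skip blanks and [section] headers
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_on(value):
    """PHP accepts On/1/True/Yes as true for boolean ini flags."""
    return value.strip().lower() in ("on", "1", "true", "yes")

def audit_php_ini(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_php_ini(text)
    findings = []
    if not is_on(cfg.get("safe_mode", "Off")):
        findings.append("safe_mode is not enabled")
    if is_on(cfg.get("register_globals", "Off")):
        findings.append("register_globals is On")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings

# Constructed sample: a default-style php.ini before hardening.
WEAK_INI = """[PHP]
; nothing locked down yet
safe_mode = Off
register_globals = On
disable_functions =
"""

# Constructed sample: the same file with the article's recommendations applied.
HARDENED_INI = """[PHP]
safe_mode = On
register_globals = Off
disable_functions = dl,system,exec,passthru,shell_exec
"""
```

Running `audit_php_ini(open("/path/to/php.ini").read())` on a real file returns the list of findings, or an empty list when all three settings are in place.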

Run PHP through PHPsuexec to Prevent Nobody Access

The biggest problem with PHP on cPanel servers is that PHP runs as nobody. When someone sets a script to 777, the nobody user has write access to that file. So if someone on the same shared server wrote a script to search the system for 777 files, they could inject anything they wanted, compromising the unsuspecting user's account.

PHPsuexec makes PHP run as the user, so 777 permissions are not allowed. There are a few downsides to PHPsuexec, but I think it's required in a shared environment for everyone's security. Safe_mode doesn't prevent you from compromising other users' files; this is where PHPsuexec comes in, since it stops a user from being able to read another user's files. It also makes it easier for you, the administrator, to track PHP mail function spamming and lots of other issues caused by PHP scripts, because you can now easily trace them to the user account responsible.

For this you will need to recompile PHP with suexec. On cPanel, /scripts/easyapache has this built in.

I hope this has summed up some of the things you can do to help secure PHP on your server. There's also open_basedir protection, which you can use to prevent users from reading other users' files.

About the Author:
Steven Leggett is the editor of the server resource and hosting tutorial site, and specializes in system administration and web development.

Comments (6)

  • Nicholas Tritchew 16:39, August 4, 2004
    For the: Home / Hosting Tutorials / Cpanel Tutorials / Fix Log Rotation Problems

    I was curious if this log rotate procedure outlined deletes the previous log files when it rotates.

    Or does it compress the previous log, store it in an archive folder, and then create a new log?
  • Vince 21:53, August 8, 2004
    Hi,

    Prior to that, you mention this:
    "but if you do find some more, please drop me a line so I can update the article."

    We have a file xferlog in our /var/log directory.

    /var/log/xferlog
    This is about 8MB now.

    Can we apply the log rotate which you have provided in

    pico /etc/logrotate.conf
    add the below entry:

    /usr/local/cpanel/logs/error_log {
    weekly
    rotate 1
    }

    Thanks for your advice.
    Sincerely,
    Vincent Kam
  • Diana Ward 20:48, December 23, 2004
    You are quickly becoming my guru! Thank you!
  • tc 02:18, February 23, 2006
    I use cPanel and the logs for my websites are located at: /usr/local/apache/domlogs/

    They are getting rotated. I'm not sure how, but they all go back to January 31 and today is February 22, 2006.

    This article is old; maybe it's out of date, as cPanel has gone through a lot of updates. So I'm posting this comment to let others know things may be different.
  • Flash Alexander 15:01, May 28, 2006
    The first instruction refers to apache 'system' logs. Therefore I read it to not cover the 'domlogs'.

    Should I also include a line for the domlogs?
  • Louish 17:50, January 19, 2009
    My problem isn't the /usr/local/cpanel/logs/ log files, it's the ones in /usr/local/apache/logs/ that are huge.

    I've had 3 servers lock up because the error_log has gotten over 2 gigs. Can I simply change your weekly rotate 1 code to point to the apache folder? Or is something else special needed?

Copyright © 1998-2023