Shell exec security

Discussion in 'Installation/Configuration' started by Tristrente, May 9, 2020.

  1. Tristrente

    Tristrente New Member

    I noticed that under a website (let's call it, I can do the following :
    • shell_exec('ls /var/www')
    • shell_exec('cat /var/www/')
    Is this intended ? How can I prevent that ?
  2. branov

    branov Member

    It is up to you how you can configure your PHP. If you want to disable shell_exec function, just change your php.ini and add

    disable_functions = shell_exec
    or any other functions you want to disable. You can also configure disable_functions per vhost in ispconfig, in site edit -> Options tab and Custom php.ini settings
  3. Tristrente

    Tristrente New Member

    Ok for this type of configuration, but in common CMS (Joomla, Prestashop), this function (or others like "exec") are required.
    I think it is a good thing that it is available, but I would to prevent abuse.
    open_basedir is only applicable for php includes and executions, is there a solution for shell commands (as global configuration if possible)?
  4. branov

    branov Member

    As I wrote to you before, you can limit allowed php functions per vhost, if you are not satisfied with global disable. There is no easy way how to prevent php exec functions to access out of their directories or execute dangerous system commands. The one possible way is to use PHP-FPM with "Chroot PHP" options (when you enable PHP-FPM for website, on the Options tab will be available Chroot option). In this kind of configuration, will be available only what is inside the website chroot.
  5. Tristrente

    Tristrente New Member

    I will take a look at PHP-FPM with "Chroot PHP"
    Thank you :)
  6. Tristrente

    Tristrente New Member

    PHP-FPM and Chroot PHP have led me to other problems, so I will not go down this path there. I think this can be a good solution on a new server, but there I already have thirty sites running, I am afraid of having compatibility problems.

    For security, I added the following line in my crontab:
    30 * * * * chmod o-rw /var/www/clients/*/web*/* -R

    This seems to me a good compromise to ensure that the content of the sites is not readable by other clients via a shell exec command.
    What do you think ?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This option gets enabled in the site settings and not globally, so if you turn it on for one site, no other site can be affected. In general, a CMS should not require shell exec as there is no need to run any shell scripts from cms, you should try to turn all exec functions in PHP off site by site and see if it really affects a site or not.

Share This Page