Thread: Is proc_open safe?

  1. #1
    Registered Member
    Join Date
    Jul 2009
    Posts
    11

    Is proc_open safe?

    Hi, can anyone tell me whether the proc_open PHP function is safe to enable on a shared hosting server? I'm using suPHP, but I need proc_open because on the same server I use Centova Cast for streaming.

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,610
    cPanel/WHM Access Level

    Root Administrator

    It normally can be disabled for security reasons. There are some security concerns about it; you can find discussions online, such as this one from 2008:

    PHP proc_open() safe_mode bypass - security vulnerabilities database

    I'd suggest disabling it for all the accounts and then allowing only one account to run it. As you are using suPHP, you could try doing it this way following my guide. Pick the method corresponding to your PHP version (5.3+ or 5.2 or earlier):

    http://forums.cpanel.net/f185/method...es-167186.html

    For those using DSO, the following method could be done:

    1. Install suHosin

    First, check if suHosin is already installed:

    Code:
        php -v

    If you see something like the following, then it's already there:

    Code:
        # php -v
        PHP 5.2.9 (cli) (built: Dec 25 2009 12:43:49)
        Copyright (c) 1997-2009 The PHP Group
        Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
            with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

    If it isn't installed, run this command:

    Code:
        /scripts/phpextensionmgr install PHPSuHosin

    After it's been added to /usr/local/lib/php.ini, then add the following line to /usr/local/lib/php.ini:

    Code:
        suhosin.executor.func.blacklist = "proc_open"

    Please comment out disable_functions if you were using that previously. Anything you had in disable_functions would go into the suhosin.executor.func.blacklist now.

    After making that change to disable proc_open globally, then create the following for the account you will be allowing to have proc_open available:

    Code:
        mkdir -p /usr/local/apache/conf/userdata/std/2/username
        touch /usr/local/apache/conf/userdata/std/2/username/suhosin.conf
        echo 'php_admin_flag suhosin.executor.func.blacklist "proc_open"' > /usr/local/apache/conf/userdata/std/2/username/suhosin.conf

    For the above, std represents http. If you need this for https, you'd do ssl for the path. 2 represents Apache 2 and 2.2, if you are using Apache 1, then you'd use 1 for the path. username is the cPanel username for the account.

    Now, run the following command to verify the include:

    Code:
        /scripts/verify_vhost_includes

    If each checks out OK, you'd then run this command to check this include into the system:

    Code:
        /scripts/ensure_vhost_includes --user=username

    Now, rebuild Apache and restart it (rebuilding isn't entirely necessary in this instance, but I normally just do it as a precaution to ensure everything is working fine):

    Code:
        /scripts/rebuildhttpdconf
        /etc/init.d/httpd restart

    Then that one account should work under DSO PHP handler for proc_open while all others will not be able to use it.

    I cannot state for FCGI and CGI how to accomplish this. Under PHP 5.3, it might be possible to use the method I mention in my suPHP guide that I linked to earlier.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support
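An audit check for the setup described in the post above, as an added example that is not part of the original thread and not a cPanel tool: it reports whether a php.ini blocks a function through `disable_functions` or `suhosin.executor.func.blacklist`, and lists the accounts whose userdata includes set their own blacklist. The function names, the account name `radiouser` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit where proc_open is blocked and which accounts override it.
# Function names and sample data are constructed; nothing here is a cPanel tool.

# ini_blocks FUNCTION INI_FILE
# Exit 0 if FUNCTION is listed in the last active disable_functions or
# suhosin.executor.func.blacklist line; lines commented out with ';' are ignored.
ini_blocks() {
    awk -v f="$1" '
        /^[ \t]*;/ { next }
        /^[ \t]*(disable_functions|suhosin\.executor\.func\.blacklist)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); sub(/;.*/, "", val)
            gsub(/[" \t\r]/, "", val)
            last[key] = val            # a later line replaces an earlier one
        }
        END {
            for (k in last) {
                n = split(last[k], a, ",")
                for (i = 1; i <= n; i++) if (a[i] == f) hit = 1
            }
            exit (hit ? 0 : 1)
        }' "$2"
}

# override_users USERDATA_DIR
# Print each account whose vhost include sets the Suhosin blacklist itself.
override_users() {
    grep -rlE '^[[:space:]]*php_admin_(flag|value)[[:space:]]+suhosin\.executor\.func\.blacklist' "$1" 2>/dev/null |
        awk -F/ '{ print $(NF-1) }' | sort -u
}

# make_sample: build constructed sample files in a temp dir and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/userdata/std/2/radiouser" "$d/userdata/std/2/otheruser"
    printf '%s\n' ';disable_functions = "proc_open, exec"' \
        'suhosin.executor.func.blacklist = "proc_open"' > "$d/php.ini"
    echo 'php_admin_flag suhosin.executor.func.blacklist "proc_open"' \
        > "$d/userdata/std/2/radiouser/suhosin.conf"
    echo '# no PHP overrides here' > "$d/userdata/std/2/otheruser/custom.conf"
    echo "$d"
}

sample=$(make_sample)
if ini_blocks proc_open "$sample/php.ini"; then echo "proc_open: blocked globally"; fi
echo "accounts overriding the blacklist: $(override_users "$sample/userdata")"
rm -rf "$sample"
```

On the server, point `ini_blocks` at /usr/local/lib/php.ini and `override_users` at /usr/local/apache/conf/userdata; every account the second function prints is an exception to the global block and should be one you expect.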

  3. #3
    Registered Member
    Join Date
    Jul 2009
    Posts
    11

    First I tried to use a php.ini file for all accounts globally and allowed one account to have its own php.ini, but then I found out that it won't be very safe (see http://forums.cpanel.net/f185/method...es-167186.html part "Two Important Notes on Above Method").

  4. #4
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,610
    cPanel/WHM Access Level

    Root Administrator

    How is it not very safe precisely? If you have mod_userdir active, that isn't safe (PCI compliance scans fail when mod_userdir is enabled), so that should be disabled.

    If you are talking about the second issue where new accounts aren't going to get the restriction, that can be resolved by simply running the command whenever you create a new account to restrict it. Otherwise, you can do this to actually force it to work for new accounts (I found out about this after I created that how-to):

    Edit /usr/local/cpanel/etc/httptemplates/apache2_2/default file and find this line:

    Code:
        <IfModule mod_suphp.c>
            suPHP_UserGroup %user% %user%
        </IfModule>

    Change to this line:

    Code:
        <IfModule mod_suphp.c>
            suPHP_UserGroup %user% %user%
            suPHP_ConfigPath /usr/local/lib/
        </IfModule>

    Then add the file to the global exclude for cPanel so it isn't overwritten:

    Code:
        echo "/usr/local/cpanel/etc/httptemplates/apache2_2/default" >> /etc/cpanelsync.exclude

    This should work, although I haven't tested the exclude part yet.

    If you meant something else is a security concern, please specify. I don't see what else could possibly be.

  5. #5
    Registered Member
    Join Date
    Jul 2009
    Posts
    11

    Sorry, I meant to say the second issue with new accounts. Thanks for that info; you should probably update your post in that tutorial, of course, only the part for new accounts.

    Thanks again.
