Is proc_open safe?

[dusanf]

Hi, can anyone tell me is proc_open php function safe to be enabled on shared hosting server? Im using suPHP but i need proc_open because on same server i use centova cast for streaming.

[cPanelTristan]

It normally can be disabled for security reasons. There are some security concerns you can find online for discussions about it such as this one from 2008:

PHP proc_open() safe_mode bypass - security vulnerabilities database

I'd suggest disabling it for all the accounts and then allowing only one account to run it. As you are using suPHP, you could try doing it this way following my guide. Pick the method corresponding to your PHP version (5.3+ or 5.2 or earlier):

http://forums.cpanel.net/f185/method...es-167186.html

For those using DSO, the following method could be done:

1. Install suHosin

First, check if suHosin is already installed:

Code:

php -v

If you see something like the following, then it's already there:

Code:

# php -v
PHP 5.2.9 (cli) (built: Dec 25 2009 12:43:49) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

If it isn't installed, run this command:

Code:

/scripts/phpextensionmgr install PHPSuHosin

After it's been added to /usr/local/lib/php.ini, then add the following line to /usr/local/lib/php.ini:

Code:

suhosin.executor.func.blacklist = "proc_open"

Please comment out disable_functions if you were using that previously. Anything you had in disable_functions would go into the suhosin.executor.func.blacklist now.

After making that change to disable proc_open globally, then create the following for the account you will be allowing to have proc_open available:

Code:

mkdir -p /usr/local/apache/conf/userdata/std/2/username
touch /usr/local/apache/conf/userdata/std/2/username/suhosin.conf
echo 'php_admin_flag suhosin.executor.func.blacklist "proc_open"' > /usr/local/apache/conf/userdata/std/2/username/suhosin.conf

For the above, std represents http. If you need this for https, you'd do ssl for the path. 2 represents Apache 2 and 2.2, if you are using Apache 1, then you'd use 1 for the path. username is the cPanel username for the account.

Now, run the following command to verify the include:

Code:

/scripts/verify_vhost_includes

If each checks out OK, you'd then run this command to check this include into the system:

Code:

/scripts/ensure_vhost_includes --user=username

Now, rebuild Apache and restart it (rebuilding isn't entirely necessary in this instance, but I normally just do it as a precaution to ensure everything is working fine):

Code:

/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

Then that one account should work under DSO PHP handler for proc_open while all others will not be able to use it.

I cannot state for FCGI and CGI how to accomplish this. Under PHP 5.3, it might be possible to use the method I mention in my suPHP guide that I linked to earlier.

[dusanf]

First i tryed to use php.ini file for all accounts globally and allowed one account to have its own php.ini but then i found out that it wont be very safe (see http://forums.cpanel.net/f185/method...es-167186.html part "Two Important Notes on Above Method")

[cPanelTristan]

How is it not very safe precisely? If you have mod_userdir active, that isn't safe (PCI compliance scans fail when mod_userdir is enabled), so that should be disabled.

If you are talking about the second issue where new accounts aren't going to get the restriction, that can be resolved by simply running the command whenever you create a new account to restrict it. Otherwise, you can do this to actually force it to work for new accounts (I found about this after I created that how-to):

Edit /usr/local/cpanel/etc/httptemplates/apache2_2/default file and find this line:

Code:

    <IfModule mod_suphp.c>
        suPHP_UserGroup %user% %user%
    </IfModule>

Change to this line:

Code:

  <IfModule mod_suphp.c>
        suPHP_UserGroup %user% %user%
        suPHP_ConfigPath /usr/local/lib/
    </IfModule>

Then add the file to the global exclude for cPanel so it isn't overwritten:

Code:

echo "/usr/local/cpanel/etc/httptemplates/apache2_2/default" >> /etc/cpanelsync.exclude

This should work, although I haven't tested the exclude part yet.

If you meant something else is a security concern, please specify. I don't see what else could possibly be.

[dusanf]

Sorry i meant to say that second issue with new accounts, thanks for that info, you should probobly update your post in that tutorial, of course, only part for new accounts.

Thanks again.