  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    11

    URGENT: How do you prevent users from executing system calls with php/perl scripts?

    Hi everyone

    The topic pretty much says everything. Is there a way to prevent users (customers) from executing system calls with php or cgi scripts? is it even possible?

    a friend of mine wrote a little c program which simply uses all available ram and uploaded it via ftp (just as a client could do), and started it via php. i had to request a manual reboot of my box, since i wasn't able to stop the script. absolutely nothing worked anymore. (i wasn't even able to log in as root via ssh, because there wasn't enough memory available for this process)

    so... is there a solution for this? i don't want anyone to be able to execute shell commands, if shell access is disabled for his/her account.

    thanks for any help

    guschi

  2. #2
    cPanel Partner NOC
    Join Date
    Jun 2003
    Posts
    647

    You can put "exec" and any other functions you would like to disable in this line:

    Code:
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_functions =

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    11

    great! thank you so much. now i can sleep peacefully

  4. #4
    cPanel Partner NOC
    Join Date
    Jun 2003
    Posts
    647

    I failed to mention, this belongs in your php.ini, although you might have figured that out

  5. #5
    Member
    Join Date
    Sep 2003
    Posts
    11

    yep figured it out myself ... but what i couldn't figure out.... which php.ini is the "used" one?

    /usr/lib/php.ini
    /usr/local/lib/php.ini
    /usr/local/cpanel/3rdparty/etc/php.ini
    /usr/local/cpanel/3rdparty/lib/php.ini


    i would guess it's /usr/lib/php.ini ... right?

  6. #6
    cPanel Partner NOC
    Join Date
    Jun 2003
    Posts
    647

    The best way to find out is to do a php info page.

    Code:
    <?php phpinfo(); ?>
    It'll tell you which one is used..

  7. #7
    Member
    Join Date
    Sep 2003
    Posts
    11

    *lol stupid me....should have figured that out myself

    thanks again

  8. #8
    Member
    Join Date
    Aug 2003
    Posts
    39

    That or use this app:

    http://www.rfxnetworks.com/prm.php

    Shut down any program/script that takes up more than an allowed percentage of cpu or memory.

    That lets me sleep even better.

  9. #9
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    Originally posted by GetWired
    That or use this app:

    http://www.rfxnetworks.com/prm.php

    Shut down any program/script that takes up more than an allowed percentage of cpu or memory.

    That lets me sleep even better.
    Very cool. Are the default values okay for shared servers?
    In particular, I notice that fantastico updates use quite a bit of resources for about 2 minutes. I don't want fantastico getting broken...
    Last edited by casey; 02-15-2004 at 05:14 AM.

  10. #10
    Member
    Join Date
    Mar 2003
    Posts
    160

    I heard that the user can upload a php.ini to their home directory and php will use that. Not sure if it is true or not but I think I read that in a phpsuexec post somewhere.

  11. #11
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336

    Originally posted by rsaylor
    I heard that the user can upload a php.ini to their home directory and php will use that. Not sure if it is true or not but I think I read that in a phpsuexec post somewhere.
    It is true if you are using phpsuexec. If you are using the apache module, then they cannot do that, although they can change a few settings with a .htaccess file in that case.
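
An added example, not part of any post in this thread: a check script that reports which php.ini the handler loaded and which command-execution functions are still callable, so it shows both whether `disable_functions` took effect and whether a per-user php.ini under phpsuexec has overridden it. The function list and the helper names are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Request it through the same handler
// that serves customer scripts (a web request, not the CLI), so it reports
// the php.ini that handler actually loaded.

// Assumption: this list covers PHP's built-in command-execution functions
// (the backtick operator is shell_exec). Extend it for your own build.
$exec_functions = array('exec', 'passthru', 'shell_exec', 'system',
                        'proc_open', 'popen', 'pcntl_exec');

// Hypothetical helper: split the comma-delimited directive value,
// tolerating spaces, mixed case and an empty setting.
function parse_disable_functions($raw)
{
    $names = array_map('trim', explode(',', strtolower((string) $raw)));
    return array_values(array_filter($names, 'strlen'));
}

// Hypothetical helper: return the functions from $wanted that a script
// could still call under the effective configuration.
function still_callable(array $wanted, array $disabled)
{
    $open = array();
    foreach ($wanted as $fn) {
        // Older PHP keeps disabled functions defined, newer PHP removes
        // them, so check both the function table and the directive.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $open[] = $fn;
        }
    }
    return $open;
}

header('Content-Type: text/plain');

$loaded   = php_ini_loaded_file();   // false when no php.ini was loaded
$disabled = parse_disable_functions(ini_get('disable_functions'));
$open     = still_callable($exec_functions, $disabled);

echo 'SAPI:           ', php_sapi_name(), "\n";
echo 'Loaded php.ini: ', ($loaded ? $loaded : '(none)'), "\n";
echo 'Disabled:       ', ($disabled ? implode(', ', $disabled) : '(nothing)'), "\n";
echo 'Still callable: ', ($open ? implode(', ', $open) : '(none)'), "\n";
```

Run it once from a normal customer account and once from an account that has its own php.ini in the home directory, and compare the "Loaded php.ini" and "Still callable" lines. The directive only restricts PHP, so Perl or other CGI scripts are not covered by this check.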

  12. #12
    Member
    Join Date
    Aug 2003
    Posts
    39

    You can add fantastico or any other program on the safelist if you're worried about it being killed.

    I never had a problem with it, so I'd say just leave it as it is unless you get problems. Default values are fine.
