
Is proc_open safe?

Discussion in 'Security' started by dusanf, Oct 28, 2010.

  1. dusanf

    dusanf New Member

    Hi, can anyone tell me whether the proc_open PHP function is safe to enable on a shared hosting server? I'm using suPHP, but I need proc_open because on the same server I use Centova Cast for streaming.
     
  2. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    It normally can be disabled for security reasons. There are some security concerns discussed online, such as this one from 2008:

    PHP proc_open() safe_mode bypass - security vulnerabilities database

    I'd suggest disabling it for all the accounts and then allowing only one account to run it. As you are using suPHP, you could try doing it this way following my guide. Pick the method corresponding to your PHP version (5.3+ or 5.2 or earlier):

    http://forums.cpanel.net/f185/metho...ricting-who-can-use-php-ini-files-167186.html

    For those using DSO, the following method could be done:

    1. Install Suhosin

    First, check if Suhosin is already installed:

    Code:
    php -v
    If you see something like the following, then it's already there:

    Code:
    # php -v
    PHP 5.2.9 (cli) (built: Dec 25 2009 12:43:49) 
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
        with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
    If it isn't installed, run this command:

    Code:
    /scripts/phpextensionmgr install PHPSuHosin
    After it's been added, add the following line to /usr/local/lib/php.ini:

    Code:
    suhosin.executor.func.blacklist = "proc_open"
    Please comment out disable_functions if you were using that previously. Anything you had in disable_functions would go into the suhosin.executor.func.blacklist now.

    After making that change to disable proc_open globally, then create the following for the account you will be allowing to have proc_open available:

    Code:
    mkdir -p /usr/local/apache/conf/userdata/std/2/username
    touch /usr/local/apache/conf/userdata/std/2/username/suhosin.conf
    # The blacklist is a string setting, so it takes php_admin_value (not php_admin_flag);
    # an empty list lifts the global blacklist for this vhost only.
    echo 'php_admin_value suhosin.executor.func.blacklist ""' > /usr/local/apache/conf/userdata/std/2/username/suhosin.conf
    For the above, std represents http. If you need this for https, you'd do ssl for the path. 2 represents Apache 2 and 2.2, if you are using Apache 1, then you'd use 1 for the path. username is the cPanel username for the account.

    Now, run the following command to verify the include:

    Code:
    /scripts/verify_vhost_includes
    If each checks out OK, you'd then run this command to check this include into the system:

    Code:
    /scripts/ensure_vhost_includes --user=username
    Now, rebuild Apache and restart it (rebuilding isn't entirely necessary in this instance, but I normally just do it as a precaution to ensure everything is working fine):

    Code:
    /scripts/rebuildhttpdconf
    /etc/init.d/httpd restart
    Then that one account should work under DSO PHP handler for proc_open while all others will not be able to use it.

    I cannot state for FCGI and CGI how to accomplish this. Under PHP 5.3, it might be possible to use the method I mention in my suPHP guide that I linked to earlier.
     
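Added here as an example, not part of the thread or of cPanel's own scripts: a POSIX shell audit that reads a php.ini and the userdata include tree described above and reports which accounts end up with proc_open callable. Paths, account names and file contents in the comments are constructed fixtures; it assumes the per-account include uses php_admin_value for the Suhosin blacklist, and it treats a proc_open entry left in disable_functions as blocking every account, since that directive cannot be undone per vhost.

```shell
#!/bin/sh
# Added example (not from the thread): report which cPanel accounts end up
# with proc_open callable after the Suhosin blacklist setup described above.
# Assumptions: php.ini uses suhosin.executor.func.blacklist / disable_functions,
# and per-account includes live at USERDATA/std/2/<user>/suhosin.conf.

# Regex for the Suhosin blacklist directive as written in a vhost include.
# It must be php_admin_value (the blacklist is a string, not a flag).
BL_INCLUDE_RE='^[[:space:]]*php_admin_value[[:space:]]+suhosin\.executor\.func\.blacklist[[:space:]]'

# _ini_blocks FILE DIRECTIVE: does an active "DIRECTIVE = ..." line list proc_open?
# Commented-out lines (leading ';') do not match.
_ini_blocks() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=.*proc_open" "$1"
}

# audit_proc_open PHP_INI USERDATA_DIR
# Prints "global: allowed|blocked", then "<user>: allowed|blocked" for every
# account that has a suhosin.conf include.
audit_proc_open() {
    ini="$1"; userdata="$2"
    if _ini_blocks "$ini" disable_functions; then
        # disable_functions cannot be undone per vhost, so no include can
        # re-enable proc_open while it is still listed there.
        hard=1; global=blocked
    elif _ini_blocks "$ini" 'suhosin\.executor\.func\.blacklist'; then
        hard=0; global=blocked
    else
        hard=0; global=allowed
    fi
    echo "global: $global"
    for conf in "$userdata"/std/2/*/suhosin.conf; do
        [ -f "$conf" ] || continue
        user=$(basename "$(dirname "$conf")")
        if [ "$hard" -eq 1 ]; then
            state=blocked
        elif grep -Eq "$BL_INCLUDE_RE" "$conf"; then
            # The include overrides the blacklist: allowed only if the new
            # list no longer names proc_open.
            if grep -Eq "${BL_INCLUDE_RE}.*proc_open" "$conf"; then
                state=blocked
            else
                state=allowed
            fi
        else
            state=$global   # no override, inherits the global setting
        fi
        echo "$user: $state"
    done
}
```

Run it as `audit_proc_open /usr/local/lib/php.ini /usr/local/apache/conf/userdata` on the server to confirm that exactly the intended account shows "allowed".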
  3. dusanf

    dusanf New Member

  4. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    How is it not very safe precisely? If you have mod_userdir active, that isn't safe (PCI compliance scans fail when mod_userdir is enabled), so that should be disabled.

    If you are talking about the second issue, where new accounts aren't going to get the restriction, that can be resolved by simply running the command whenever you create a new account to restrict it. Otherwise, you can do this to actually force it to work for new accounts (I found out about this after I created that how-to):

    Edit the /usr/local/cpanel/etc/httptemplates/apache2_2/default file and find these lines:

    Code:
        <IfModule mod_suphp.c>
            suPHP_UserGroup %user% %user%
        </IfModule>
    Change them to this:

    Code:
        <IfModule mod_suphp.c>
            suPHP_UserGroup %user% %user%
            suPHP_ConfigPath /usr/local/lib/
        </IfModule>
    Then add the file to the global exclude for cPanel so it isn't overwritten:

    Code:
    echo "/usr/local/cpanel/etc/httptemplates/apache2_2/default" >> /etc/cpanelsync.exclude
    This should work, although I haven't tested the exclude part yet.

    If you meant something else is a security concern, please specify. I don't see what else could possibly be.
     
  5. dusanf

    dusanf New Member

    Sorry, I meant the second issue with new accounts. Thanks for that info; you should probably update your post in that tutorial, of course only the part for new accounts. :)

    Thanks again.
     
