Allow ini_set with Ruid2 + DSO + suEXEC?

[Rodrigo Gomes]

Hello!

I know this is a very recurring topic on the forum, but I researched a lot before posting.

Currently I see this alert in CSF:


My clients needs to use ini_set. But it's a shared environment and I can not leave any loophole that will overcome the security.

Of all the research in the forum, I did not find anything that answered my question. Or I did not fully understand.

It's safe to allow ini_set with Ruid2 + DSO + suEXEC?
If not, what worries should I have?

I disabled the following functions in my php.ini:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink

And I do not want anyone to be able to turn those functions on again.
Bearing in mind that someone can compromise the entire system if they have access to these functions.

 

[cPanelMichael]

Hello,

This is discussed on the following thread:

disable ini_set, what are the risks?

You may also find this post helpful:

EA4 and securing PHP processes

Also, ensure you make modifications to the global php.ini files via:

"WHM Home » Software » MultiPHP INI Editor"

This will ensure the settings are saved to the correct locations.

Thank you.

 

[Rodrigo Gomes]

Hello @cPanelMichael,

Sorry for the ignorance on this subject, it's because it makes me very confused.

I read what you sent me, and I had even read it before creating this post and even then I still have questions.

Using ruid2 + DSO I protect the PHP processes, which runs as the user. That way, is it safe to keep ini_set enabled?
If I set disable_functions in "MultiPHP INI Editor" is it impossible for someone to override/disable this rule?

Thank you!

 

[cPanelMichael]

Hello,

The use of DSO/Ruid2 isn't necessarily a protection against ini_set values configured by a user. Most of the discussion on this topic centers around performance issues (e.g. a script enables the use of more resources through a PHP setting). I recommend reviewing the following PHP document to get a better idea of what the ini_set function can do:

PHP: ini_set - Manual

Then, you can review the following documents to see which values are adjustable with ini_set:

PHP: List of php.ini directives - Manual
PHP: Where a configuration setting may be set - Manual

This is ultimately a system administration choice that's up to you. You may want to consult with a qualified system administrator or security expert to determine what would work best for your particular server.

Thank you.

 

[Rodrigo Gomes]

Hello Michael,

You helped me a lot, as always.

Even security experts need to learn somewhere, right?
I read a lot, did a lot of research and even then I was not able to be absolutely certain of my questions.

I did some testing and I was not able to override the disable_functions with ruid2 + DSO. That's nice! But even so I'm not 100% sure that anyone will not be able to do this.

But that's okay, let's just say that someone can overcome disable_functions:
In this case my client would be able to run binaries using functions like shell_exec, exec. However, as I use Ruid2+DSO on my server,
I assume that my client's binary will run with its own user inside the jailshell protection, right?

Another question: is it safe to allow shell_exec, exec functions with jailshell enabled and Ruid2+DSO?
Or should it at least be considered safe?

Let me know if I'm too paranoid. :s

 

[cPanelMichael]

Hello,

This post offers some information you may find helpful:

CloudLinux vs BetterLinux vs Jailshell?

Thank you.

 

[Rodrigo Gomes]

Hello @cPanelMichael,

This information actually helped me.
I think of using Cloudlinux in the near future.

Thank you!