
Allow ini_set with Ruid2 + DSO + suEXEC?

Discussion in 'EasyApache' started by Rodrigo Gomes, Mar 1, 2017.

  1. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    88
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello!

    I know this is a very recurring topic on the forum, but I researched a lot before posting.

    Currently I see this alert in CSF:
    [screenshot: ini_set-csf.png]

    My clients need to use ini_set. But it's a shared environment and I cannot leave any loophole that would undermine security.

    Of all the research in the forum, I did not find anything that answered my question. Or I did not fully understand.

    Is it safe to allow ini_set with Ruid2 + DSO + suEXEC?
    If not, what concerns should I have?

    I disabled the following functions in my php.ini:
    Code:
    disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
    And I do not want anyone to be able to turn those functions on again,
    bearing in mind that someone could compromise the entire system if they had access to these functions.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    This is discussed on the following thread:

    disable ini_set, what are the risks?

    You may also find this post helpful:

    EA4 and securing PHP processes

    Also, ensure you make modifications to the global php.ini files via:

    "WHM Home » Software » MultiPHP INI Editor"

    This will ensure the settings are saved to the correct locations.

    Thank you.
     
  3. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Hello @cPanelMichael,

    Sorry for my ignorance on this subject; it makes me very confused.

    I read what you sent me (I had even read it before creating this post), and even then I still have questions.

    Using ruid2 + DSO I protect the PHP processes, which run as the user. That way, is it safe to keep ini_set enabled?
    If I set disable_functions in "MultiPHP INI Editor" is it impossible for someone to override/disable this rule?

    Thank you!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The use of DSO/Ruid2 isn't necessarily a protection against ini_set values configured by a user. Most of the discussion on this topic centers around performance issues (e.g. a script enables the use of more resources through a PHP setting). I recommend reviewing the following PHP document to get a better idea of what the ini_set function can do:

    PHP: ini_set - Manual

    Then, you can review the following documents to see which values are adjustable with ini_set:

    PHP: List of php.ini directives - Manual
    PHP: Where a configuration setting may be set - Manual

    This is ultimately a system administration choice that's up to you. You may want to consult with a qualified system administrator or security expert to determine what would work best for your particular server.

    Thank you.
     
    Rodrigo Gomes likes this.
  5. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Hello Michael,

    You helped me a lot, as always.

    Even security experts need to learn somewhere, right?
    I read a lot, did a lot of research and even then I was not able to be absolutely certain of my questions.

    I did some testing and I was not able to override the disable_functions with ruid2 + DSO. That's nice! But even so I'm not 100% sure that anyone will not be able to do this.

    But that's okay, let's just say that someone can overcome disable_functions:
    In this case my client would be able to run binaries using functions like shell_exec and exec. However, as I use Ruid2+DSO on my server, I assume that my client's binary will run as its own user inside the jailshell protection, right?

    Another question: is it safe to allow shell_exec, exec functions with jailshell enabled and Ruid2+DSO?
    Or should it at least be considered safe?

    Let me know if I'm too paranoid. :s
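    The questions in this thread (can a script override disable_functions with ini_set, which directives ini_set can still change, and whether PHP really runs as the account user under Ruid2/suEXEC) can all be checked on the server itself. The following audit script is an added example for this thread; it is not cPanel's code and was not posted by either participant. It assumes nothing beyond stock PHP (the posix extension is optional) and should be placed in, or run from, a hosting account's own directory.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread or from cPanel: a read-only audit an
// administrator can run as a hosting account user (`php -f audit.php`, or via
// the web server) to confirm the protections discussed in this thread hold.
//   1. Does PHP execute as the account user (Ruid2/suEXEC) or as the shared
//      web-server user?
//   2. Can disable_functions be cleared with ini_set() at runtime?
//   3. Which directives can a script still change with ini_set()?

/** Directives whose "access" bitmask includes PHP_INI_USER (bit value 1) are
 *  changeable at runtime with ini_set(); PHP_INI_SYSTEM-only ones (4) are not.
 *  This is the programmatic form of the "Where a configuration setting may be
 *  set" table in the PHP manual. */
function runtimeChangeableDirectives(): array
{
    $changeable = [];
    foreach (ini_get_all(null, true) as $name => $info) {
        if (($info['access'] & 1) === 1) { // 1 == PHP_INI_USER
            $changeable[] = $name;
        }
    }
    sort($changeable);
    return $changeable;
}

/** Attempt to clear disable_functions. The directive is PHP_INI_SYSTEM, so
 *  ini_set() must return false and the value must be unchanged afterwards. */
function disableFunctionsIsImmutable(): bool
{
    $before = (string) ini_get('disable_functions');
    $result = @ini_set('disable_functions', '');
    return $result === false && (string) ini_get('disable_functions') === $before;
}

/** Names listed in disable_functions that are nevertheless still defined for
 *  scripts. Expected result: an empty array. */
function disabledButStillDefined(): array
{
    $leaks = [];
    foreach (explode(',', (string) ini_get('disable_functions')) as $fn) {
        $fn = trim($fn);
        if ($fn !== '' && function_exists($fn)) {
            $leaks[] = $fn;
        }
    }
    return $leaks;
}

/** Effective uid of the PHP process versus the owner of this script file.
 *  Under Ruid2/suEXEC these match; under plain DSO the process runs as the
 *  web-server user (e.g. "nobody"), which is what makes shared hosting risky. */
function processIdentity(): array
{
    $euid  = function_exists('posix_geteuid') ? posix_geteuid() : null; // null: posix ext missing
    $owner = fileowner(__FILE__);
    return [
        'effective_uid'        => $euid,
        'script_owner_uid'     => $owner,
        'runs_as_script_owner' => $euid !== null && $euid === $owner,
    ];
}

// ---- report ----
$identity = processIdentity();
printf("PHP %s, SAPI %s\n", PHP_VERSION, PHP_SAPI);
printf(
    "effective uid: %s, script owner uid: %d, runs as owner: %s\n",
    $identity['effective_uid'] ?? 'unknown',
    $identity['script_owner_uid'],
    $identity['runs_as_script_owner'] ? 'yes' : 'NO'
);
printf("disable_functions immutable at runtime: %s\n", disableFunctionsIsImmutable() ? 'yes' : 'NO');
printf("disabled functions still defined: %s\n", implode(', ', disabledButStillDefined()) ?: 'none');

// What ini_set() can still reach. For shared hosting the interesting ones are
// resource limits (the "performance" concern raised earlier in the thread).
$changeable = runtimeChangeableDirectives();
$watch = array_intersect($changeable, ['memory_limit', 'max_execution_time', 'display_errors', 'open_basedir']);
printf("%d directives changeable via ini_set(), including: %s\n", count($changeable), implode(', ', $watch));
```

    Run it once through the web server and once from the CLI: the web run shows which uid the account's scripts actually get under the current handler, while the CLI run will naturally show your own uid. "disable_functions immutable: yes" together with an empty "still defined" list is the expected outcome regardless of handler, since that directive is system-scoped and is not affected by Ruid2 or suEXEC. The last line is the part ini_set does control; memory_limit and max_execution_time being changeable is exactly why the discussion usually turns to resource abuse rather than command execution (open_basedir appears in the list too, but at runtime it can only be tightened, never relaxed).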
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Rodrigo Gomes likes this.
  7. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Hello @cPanelMichael,

    This information actually helped me.
    I think of using Cloudlinux in the near future.

    Thank you!
     
    cPanelMichael likes this.