The Community Forums

Interact with an entire community of cPanel & WHM users!

Is it possible to whitelist command/programs to be used by shell_exec?

Discussion in 'Security' started by VMunich, Jul 3, 2017.

  1. VMunich

    VMunich Member

    Hi, I'd like to enable the 'shell_exec' function for PHP sites running on my server; however, I only want it to be used for zipping folders and files.

    I'm afraid removing shell_exec from disable_functions would open up too many potential risks, so I'd like to let users use shell_exec but only for zipping/compressing folders, as using the binary is considerably faster than using something like PHP's ZipArchive.

    My server has CloudLinux installed, if it helps.

    If that's not possible, how are hosts enabling the use of the shell_exec function without compromising their servers' security?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I believe shell_exec is safe when using CageFS, according to this thread on the CloudLinux forums:

    shell_exec + cloudlinux + cagefs

    Thank you.
     
  3. VMunich

    VMunich Member

    Thanks. So that would protect the server in general by preventing users from leaving their jail, but would that prevent someone from using, say, `wget` from shell_exec to download potentially harmful files?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you provide an example of a harmful file or a specific action such a file would take?

    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    - So that would protect the server in general by preventing users from leaving their jail

    Yes.

    - would that prevent someone from using, say, `wget` from shell_exec to download potentially harmful files

    No, probably not.
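
An added example, not part of the thread or of cPanel/CloudLinux tooling: `disable_functions` takes a list of function names only, so it cannot limit shell_exec to a single program, but an administrator can audit which command-execution functions a given php.ini leaves enabled after editing it. The function names, the sample php.ini text, and the rule that a later directive replaces an earlier one are assumptions of this sketch; section headers are ignored.

```python
import re

# PHP functions that start external programs. The backtick operator is tied
# to shell_exec: disabling shell_exec disables backticks as well.
EXEC_FUNCTIONS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")

DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$", re.IGNORECASE)


def disabled_functions(ini_text):
    """Return the set of names in the effective disable_functions directive."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):        # whole line is commented out
            continue
        match = DIRECTIVE.match(line)
        if match:                                 # assumed: a later line replaces an earlier one
            value = match.group(1).split(";", 1)[0]   # drop a trailing comment
    value = value.strip().strip("\"'")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def exec_functions_not_disabled(ini_text):
    """List the command-execution functions missing from disable_functions."""
    disabled = disabled_functions(ini_text)
    return [name for name in EXEC_FUNCTIONS if name not in disabled]


# Constructed sample: the state after removing only shell_exec from the list.
SAMPLE_INI = """\
[PHP]
;disable_functions = shell_exec
disable_functions = "exec, system, passthru, popen, proc_open, shell_exec"
memory_limit = 128M
disable_functions = exec,system , PASSTHRU,popen,proc_open ; shell_exec removed
"""

if __name__ == "__main__":
    for name in exec_functions_not_disabled(SAMPLE_INI):
        print("not disabled:", name)
```

A function reported here can run any binary that is reachable from the account's environment, which matches the last reply's point about `wget`.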
     