is secure use "open_basedir" in PHP8 ?, or how to enable shell_exec() ONLY over ONE directory?

000

Well-Known Member
Jun 3, 2008
434
19
68
hello,
when I disable fpm-fcgi from WHM then PHP run as cgi-fcgi,
but then the user can execute many commands dangerous...


therefore, is possible copy my software target:
/usr/local/bin/binary_sw_nsa

to

/unique_directory_where_php_can_run_shell_exec

and then config open_basedir with: "/unique_directory_where_php_can_run_shell_exec"

with this really the users running PHP as cgi-fcgi are limiteds to run ONLY binaries over that directory?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,418
1,001
313
cPanel Access Level
Root Administrator
Hey hey! Every user can read /usr/local/bin by default on a system. If I "su" to a user and check the PATH I can see that listed:

Code:
[[email protected] servername]# su username
[[email protected] ~]$ echo $PATH
/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/cpanel/composer/bin:/root/bin:/opt/cpanel/composer/bin
so that is normal behavior.

Here is what I see in /usr/local/bin/ in my personal machine as the user, and root also sees the same things:

Code:
[[email protected] ~]$ ll /usr/local/bin/
total 80
lrwxrwxrwx. 1 root root    39 Mar  7 21:00 crontab -> /usr/local/cpanel/bin/jail_safe_crontab
-rwxr-xr-x. 1 root root 40811 Jun  9 10:17 ea_convert_php_ini
-rwxr-xr-x. 1 root root  3074 Jun  9 10:17 ea_current_to_profile
-rwxr-xr-x. 1 root root  3636 Jun  9 10:17 ea_install_profile
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php56 -> /opt/cpanel/ea-php56/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php70 -> /opt/cpanel/ea-php70/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php71 -> /opt/cpanel/ea-php71/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php72 -> /opt/cpanel/ea-php72/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php73 -> /opt/cpanel/ea-php73/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php74 -> /opt/cpanel/ea-php74/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 10 02:52 ea-php80 -> /opt/cpanel/ea-php80/root/usr/bin/php
-rwxr-xr-x. 1 root root  6888 Jun  9 10:17 ea_sync_user_phpini_settings
-r-xr-xr-x. 1 root root  4194 Mar 15 22:54 instmodsh
-r-xr-xr-x. 1 root root  7098 Mar  7 21:06 json_xs
-rwxr-xr-x. 1 root root   937 Jun  9 10:28 lsphp
lrwxrwxrwx. 1 root root    38 Mar  7 21:00 passwd -> /usr/local/cpanel/bin/jail_safe_passwd
lrwxrwxrwx. 1 root root    38 Mar  7 20:56 pear -> /opt/cpanel/ea-php73/root/usr/bin/pear
-rwxr-xr-x. 1 root root   933 Jun  9 10:28 php
lrwxrwxrwx. 1 root root    52 Jun 17 02:52 wp-toolkit -> /usr/local/cpanel/3rdparty/wp-toolkit/bin/wpt-cli.sh
These are all things the user should have access to.

If you have placed additional files in /usr/local/bin you should make sure that is something you want to make available to all users.
 

000

Well-Known Member
Jun 3, 2008
434
19
68
...If you have placed additional files in /usr/local/bin you should make sure that is something you want to make available to all users.
Thanks master.

what I need edit to allow the users running PHP as cgi-fcgi only can execute/run the program binary_sw_nsa ?

in this moment my users with cgi-fcgi can run perfectlly (from a file PHP) the command:
Code:
<?php   
    $Q = "binary_sw_nsa -get_db from https://clients.cpanel.net";
    file_put_contents(__DIR__.'database_remote.sql', $Q);
but just they also can run OTHERS commands

can I do a copy of the binary /usr/local/bin/binary_sw_nsa

into of

/unique_directory_where_php_can_run_shell_exec/usr/local/bin/binary_sw_nsa

and then users are will limited to run ONLY programs into dir

/unique_directory_where_php_can_run_shell_exec/

??

or what is the "solution" to limit the list of commands users can run?

again: my target is users only can to run the command binary_sw_nsa how I can get that security in a server with cPanel ?
 
Last edited:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,418
1,001
313
cPanel Access Level
Root Administrator
I'm not sure that making this the *only* script the users can access will work well. Users still need access to PHP and other tools in order for things to function. My only recommendation would be to add that script to or edit the existing PATH so they can see that, but that is really up to the bash/shell settings and not related to the cPanel tools.
 

000

Well-Known Member
Jun 3, 2008
434
19
68
thanks master @cPRex, ah!, really I am WRONG, the correct code PHP is:
Code:
<?PHP
    $Q = "binary_sw_nsa -get_db from https://clients.cpanel.net";
    exec($Q, $R, $S);
Please note: the real target is run exec()

Some idea about how users can run the instruction exec() from code PHP without BASH or limiting the function exec() to programs into X folder?

In this moment the code
Code:
<?PHP
    $Q = "binary_sw_nsa -get_db from https://clients.cpanel.net";
    exec($Q, $R, $S);
run 100% perfect, but I want/need LIMIT instructions (or directory) of command exec()
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,418
1,001
313
cPanel Access Level
Root Administrator
Thanks for the additional details. Unfortunately I'm really not sure, as this is shell security and not really related to any cPanel tools. I'm going to put this over in the development forum to see if other users have ideas on that.
 

000

Well-Known Member
Jun 3, 2008
434
19
68
...I'm going to put this over in the development forum to see if other users have ideas on that.
thanks, the target is run the line
Code:
exec($Q, $R, $S);
with one or both of this options:
  1. limiting the commands
  2. limiting the FOLDER where exec() can work (/folder_to_commands_PHP_of_users/)