The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Shell commands in PHP - no security?

Discussion in 'Security' started by Sindre, Sep 24, 2008.

  1. Sindre

    Sindre Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I just noticed that any user can execute for instance shell_exec("cat /etc/passwd") from a PHP script and read all the user accounts on the server, e.g. other usernames in a shared hosting environment.

    Apache runs as 'nobody' and 'nobody' has shell set to /bin/false, but still it gets much more privileges than the actual cPanel user who only has jailshell enabled (or no shell access at all).

    It is also possible to easily browse the document root of other cPanel users on the server using the same method. E.g. MySQL passwords in script config's etc.

    How can one avoid this without disabling all the system(), exec(), shell_exec()... functions in PHP.INI? Is it just me that thinks this is a huge security hole, or am I missing something?
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    This is just PHP. Its not really a cPanel problem. I would hesitate to call it a problem at all. Is it an insecurity in a shared hosting environment? Sure. But you can't expect the PHP developers to lock out PHP for every type of situation. PHP is just a language that was developed with a lot of functions for a lot of uses. If PHP is running on a dedicated server (only one account) then it really doesn't matter if the system() functions are allowed to browse through other areas of the server.

    This is why in a shared hosting environment it is up to the server's administrator to further lock down PHP and the insecurities that are available in a shared hosting environment. This is why you see a lot of hosts running suPHP, a lot of hosts disable these system() functions, some do a combination of both. It just depends on that individual host's particular taste in terms of security.

    I would recommend disabling the system() and other system()-like function in PHP and using suPHP. This gives you the ability to use a customized php.ini file for each VirtualHost where you can re-enable these functions as needed. 90 percent of hosting accounts will have no use for the system() functions, so it is probably safer to disable them by default and only re-enable them for accounts as needed.
     
  3. dansgalaxy

    dansgalaxy Well-Known Member

    Joined:
    Jan 29, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Reading, UK
    cPanel Access Level:
    Root Administrator
    Okay i have got my self a VPS, i have kind of the reverse problem.

    for me exec() and shell_exec() are disabled, i need them enabled to run a script i have, i do have client accounts on the server (shared host) and i would like to just enable these functuons for one (my) account.

    How could i do this?
    Dan
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    The best fix for both these problems is to run suphp, that's what it's for. It neatly prevents users from viewing each other's PHP file contents (vital!) and allows shell functions to be run.

    If you want to run shell functions, try enabling them in either a php.ini file or a .htaccess file (if apache runs as nobody). if that fails, you're depending on your webhost/sysadmin to enable the functionality.
     
  5. dansgalaxy

    dansgalaxy Well-Known Member

    Joined:
    Jan 29, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Reading, UK
    cPanel Access Level:
    Root Administrator
    Hi,

    How exactly would i set this up on a cPanel VPS?

    Thanks,
    Dan
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Exactly the same way as on a dedicated server: WHM -> Software -> Apache Update. Once you get to step 5, check the box for Mod SuPHP. After that's done, set PHP to use SuPHP.
     
  7. dansgalaxy

    dansgalaxy Well-Known Member

    Joined:
    Jan 29, 2007
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Reading, UK
    cPanel Access Level:
    Root Administrator
    I was thinking more of how would i go about using virtual hosts etc to manage it on an account by account basis of which can and cant use certain functions...

    Thanks,
    Dan
     
Loading...

Share This Page