URGENT: How do you prevent users from executing system calls with PHP/Perl scripts?

guschi2k

Member
Sep 11, 2003
Hi everyone

The topic pretty much says everything. Is there a way to prevent users (customers) from executing system calls with PHP or CGI scripts? Is it even possible?

A friend of mine wrote a little C program which simply uses all available RAM and uploaded it via FTP (just as a client could do), and started it via PHP. I had to request a manual reboot of my box, since I wasn't able to stop the script. Absolutely nothing worked anymore. (I wasn't even able to log in as root via SSH, because there wasn't enough memory available for this process.)

So... is there a solution for this? I don't want anyone to be able to execute shell commands if shell access is disabled for his/her account.

thanks for any help :)

guschi
 

nickn

Well-Known Member
PartnerNOC
Jun 15, 2003
You can put "exec" and any other functions you would like to disable on this line:

Code:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =
 

nickn

Well-Known Member
PartnerNOC
Jun 15, 2003
I failed to mention, this belongs in your php.ini, although you might have figured that out :)
 

guschi2k

Member
Sep 11, 2003
Yep :) figured it out myself... but what I couldn't figure out: which php.ini is the "used" one?

/usr/lib/php.ini
/usr/local/lib/php.ini
/usr/local/cpanel/3rdparty/etc/php.ini
/usr/local/cpanel/3rdparty/lib/php.ini


I would guess it's /usr/lib/php.ini... right?
 

nickn

Well-Known Member
PartnerNOC
Jun 15, 2003
The best way to find out is to do a phpinfo page.

Code:
<?php phpinfo(); ?>
It'll tell you which one is used. :)
 

casey

Well-Known Member
Jan 17, 2003
Originally posted by GetWired
That or use this app:

http://www.rfxnetworks.com/prm.php

Shut down any program/script that takes up more than an allowed percentage of CPU or memory.

That lets me sleep even better.
Very cool. Are the default values okay for shared servers?
In particular, I notice that Fantastico updates use quite a bit of resources for about 2 minutes. I don't want Fantastico getting broken...
 

rsaylor

Well-Known Member
Mar 27, 2003
I heard that the user can upload a php.ini to their home directory and PHP will use that. Not sure if it is true or not, but I think I read that in a phpsuexec post somewhere.
 

casey

Well-Known Member
Jan 17, 2003
Originally posted by rsaylor
I heard that the user can upload a php.ini to their home directory and PHP will use that. Not sure if it is true or not, but I think I read that in a phpsuexec post somewhere.
It is true if you are using phpsuexec. If you are using the Apache module, then they cannot do that, although they can change a few settings with a .htaccess file in that case.
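The thread leaves an administrator with two things to verify by hand: which php.ini the running PHP actually loaded (nickn's phpinfo answer), and whether the functions listed in disable_functions are really unavailable to customer scripts, including on a phpsuexec server where a php.ini dropped into the script's directory can replace the system one. The script below is an added example, not code from the thread or from cPanel; it is a read-only audit that an administrator runs from the shell (for example as `php audit.php`, a hypothetical file name) or places in a customer's web directory and loads through the browser to see what that customer's scripts get. The list of shell-capable functions beyond `exec` is my own choice of the usual companions, not something the thread names.

```php
<?php
// Added example, not code from the thread or from cPanel: an audit script an
// administrator runs on the server to answer the two questions raised above,
// which php.ini is actually in effect, and whether exec and friends are gone.
// It executes no shell commands itself; it only inspects configuration.

// Functions that let a script run shell commands or spawn processes. The thread
// names exec; the rest are the usual companions an administrator disables with it
// (an assumed list, not one the thread gives).
const SHELL_FUNCTIONS = [
    'exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

/** The disable_functions directive as a trimmed, de-duplicated array of names. */
function disabled_functions(): array
{
    $names = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_unique(array_filter($names, 'strlen')));
}

/**
 * Shell-capable functions still callable in this process. function_exists()
 * returns false for a function removed by disable_functions (and for one whose
 * extension is not loaded), so this reflects what a script could really call,
 * not merely what the php.ini text asked for.
 */
function callable_shell_functions(): array
{
    return array_values(array_filter(SHELL_FUNCTIONS, 'function_exists'));
}

/**
 * Could a script loosen the list from inside PHP? disable_functions is a
 * PHP_INI_SYSTEM directive, so ini_set() on it must fail and return false;
 * the same classification is why a .htaccess php_value line cannot change it
 * under mod_php. A per-directory php.ini under phpsuexec is different: that
 * file is read at startup and shows up in loaded_ini below.
 */
function runtime_override_possible(): bool
{
    return ini_set('disable_functions', '') !== false;
}

/** Gather everything an administrator wants to see into one array. */
function audit_report(): array
{
    $details = ini_get_all(null, true);                          // per-directive access flags
    $access  = $details['disable_functions']['access'] ?? null;  // 4 == PHP_INI_SYSTEM
    return [
        'sapi'             => php_sapi_name(),                  // e.g. "cgi-fcgi" vs "apache2handler"
        'loaded_ini'       => php_ini_loaded_file() ?: '(none)',
        'scanned_ini'      => php_ini_scanned_files() ?: '(none)',
        'access_level'     => $access,
        'disabled'         => disabled_functions(),
        'still_callable'   => callable_shell_functions(),
        'runtime_override' => runtime_override_possible(),
    ];
}

$r = audit_report();
printf("SAPI:                   %s\n", $r['sapi']);
printf("php.ini in effect:      %s\n", $r['loaded_ini']);
printf("additional .ini files:  %s\n", $r['scanned_ini']);
printf("disable_functions access level: %s (4 = PHP_INI_SYSTEM)\n", var_export($r['access_level'], true));
printf("disabled:               %s\n", $r['disabled'] ? implode(', ', $r['disabled']) : '(nothing)');
printf("still callable:         %s\n", $r['still_callable'] ? implode(', ', $r['still_callable']) : '(none)');
printf("ini_set() can loosen:   %s\n", $r['runtime_override'] ? 'YES - investigate' : 'no');

// Non-zero exit (and a log line) when any shell-capable function remains, so the
// script can sit in a cron job or post-change check. error_log() works in both
// the CLI and web SAPIs, unlike the CLI-only STDERR stream.
if ($r['still_callable']) {
    error_log('php audit: shell-capable functions remain enabled: ' . implode(', ', $r['still_callable']));
    exit(1);
}
```

Run it once from the shell and once through the web server: the SAPI and "php.ini in effect" lines frequently differ between the two, which is exactly the confusion in the thread about which of the four php.ini files counts. On a phpsuexec box, loading it from a customer directory that contains its own php.ini will show that file as the one in effect, with the shell functions callable again, which is the case casey describes.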