The Community Forums


URGENT: How do you prevent users from executing system calls with php/perl scripts ?

Discussion in 'General Discussion' started by guschi2k, Feb 14, 2004.

  1. guschi2k

    guschi2k Member

    Joined:
    Sep 11, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hi everyone

    The topic pretty much says everything. Is there a way to prevent users(customers) from executing system calls with php or cgi scripts ? is it even possible ?

    A friend of mine wrote a little C program which simply uses all available RAM and uploaded it via FTP (just as a client could do), and started it via PHP. I had to request a manual reboot of my box, since I wasn't able to stop the script. Absolutely nothing worked anymore. (I wasn't even able to log in as root via SSH, because there wasn't enough memory available for this process.)

    so...is there a solution for this ? i don't want anyone to be able to execute shell commands, if shell access is disabled for his/her account.

    thanks for any help :)

    guschi
     
  2. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    You can put "exec" and any other functions you would like to disable in this line :

    Code:
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_functions =
    
     
  3. guschi2k

    guschi2k Member

    Joined:
    Sep 11, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    :) great ! thank you so much. now i can sleep peacefully :)
     
  4. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    I failed to mention, this belongs in your php.ini, although you might have figured that out :)
     
  5. guschi2k

    guschi2k Member

    Joined:
    Sep 11, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    yep :) figured it out myself ... but what i couldn't figure out....which php.ini is the "used" one ?

    /usr/lib/php.ini
    /usr/local/lib/php.ini
    /usr/local/cpanel/3rdparty/etc/php.ini
    /usr/local/cpanel/3rdparty/lib/php.ini


    i would guess it's /usr/lib/php.ini ...right ?
     
  6. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    The best way to find out is to do a php info page.

    Code:
    <?php phpinfo(); ?>
    
    It'll tell you which one is used.. :)
     
  7. guschi2k

    guschi2k Member

    Joined:
    Sep 11, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    *lol stupid me....should have figured that out myself

    thanks again :)
     
  8. GetWired

    GetWired Active Member

    Joined:
    Aug 4, 2003
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    That or use this app:

    http://www.rfxnetworks.com/prm.php

    Shut down any program/script that takes up more than an allowed percentage of cpu or memory.

    That lets me sleep even better.
     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Very cool. Are the default values okay for shared servers?
    In particular, I notice that fantastico updates use quite a bit of resources for about 2 minutes. I don't want fantastico getting broken...
     
    #9 casey, Feb 15, 2004
    Last edited: Feb 15, 2004
  10. rsaylor

    rsaylor Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    160
    Likes Received:
    1
    Trophy Points:
    18
    I heard that the user can upload a php.ini to their home directory and php will use that. Not sure if it is true or not but I think I read that in a phpsuexec post somewhere.
     
  11. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    It is true if you are using phpsuexec. If you are using the apache module, then they cannot do that, although they can change a few settings with a .htaccess file in that case.
     
  12. GetWired

    GetWired Active Member

    Joined:
    Aug 4, 2003
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    You can add fantastico or any other program on the safelist if you're worried about it being killed.

    I never had a problem with it, so i'd say just leave it as it is unless you get problems. Default values are fine.
     