Is "open_basedir" secure to use in PHP 8? Or how can shell_exec() be enabled ONLY over ONE directory?
hello,
when I disable fpm-fcgi from WHM, then PHP runs as cgi-fcgi,
but then the user can execute many dangerous commands...
Therefore, is it possible to copy my target software:
/usr/local/bin/binary_sw_nsa
to
/unique_directory_where_php_can_run_shell_exec
and then configure open_basedir with "/unique_directory_where_php_can_run_shell_exec"?
With this, are the users running PHP as cgi-fcgi really limited to running ONLY binaries in that directory?
-
Hey hey! Every user can read /usr/local/bin by default on a system. If I "su" to a user and check the PATH I can see that listed:

[root@host servername]# su username
[username@host ~]$ echo $PATH
/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/cpanel/composer/bin:/root/bin:/opt/cpanel/composer/bin

so that is normal behavior. Here is what I see in /usr/local/bin/ on my personal machine as the user, and root also sees the same things:

[username@host ~]$ ll /usr/local/bin/
total 80
lrwxrwxrwx. 1 root root    39 Mar  7 21:00 crontab -> /usr/local/cpanel/bin/jail_safe_crontab
-rwxr-xr-x. 1 root root 40811 Jun  9 10:17 ea_convert_php_ini
-rwxr-xr-x. 1 root root  3074 Jun  9 10:17 ea_current_to_profile
-rwxr-xr-x. 1 root root  3636 Jun  9 10:17 ea_install_profile
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php56 -> /opt/cpanel/ea-php56/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php70 -> /opt/cpanel/ea-php70/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php71 -> /opt/cpanel/ea-php71/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php72 -> /opt/cpanel/ea-php72/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php73 -> /opt/cpanel/ea-php73/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 17 02:52 ea-php74 -> /opt/cpanel/ea-php74/root/usr/bin/php
lrwxrwxrwx. 1 root root    37 Jun 10 02:52 ea-php80 -> /opt/cpanel/ea-php80/root/usr/bin/php
-rwxr-xr-x. 1 root root  6888 Jun  9 10:17 ea_sync_user_phpini_settings
-r-xr-xr-x. 1 root root  4194 Mar 15 22:54 instmodsh
-r-xr-xr-x. 1 root root  7098 Mar  7 21:06 json_xs
-rwxr-xr-x. 1 root root   937 Jun  9 10:28 lsphp
lrwxrwxrwx. 1 root root    38 Mar  7 21:00 passwd -> /usr/local/cpanel/bin/jail_safe_passwd
lrwxrwxrwx. 1 root root    38 Mar  7 20:56 pear -> /opt/cpanel/ea-php73/root/usr/bin/pear
-rwxr-xr-x. 1 root root   933 Jun  9 10:28 php
lrwxrwxrwx. 1 root root    52 Jun 17 02:52 wp-toolkit -> /usr/local/cpanel/3rdparty/wp-toolkit/bin/wpt-cli.sh

These are all things the user should have access to. If you have placed additional files in /usr/local/bin you should make sure that is something you want to make available to all users.
-
...If you have placed additional files in /usr/local/bin you should make sure that is something you want to make available to all users.
Thanks master. What do I need to edit so that users running PHP as cgi-fcgi can only execute/run the program binary_sw_nsa? At this moment my users with cgi-fcgi can run perfectly (from a PHP file) the command:
but they can also run OTHER commands. Can I make a copy of the binary /usr/local/bin/binary_sw_nsa into /unique_directory_where_php_can_run_shell_exec/usr/local/bin/binary_sw_nsa, and will users then be limited to running ONLY programs in the directory /unique_directory_where_php_can_run_shell_exec/ ?? Or what is the "solution" to limit the list of commands users can run? Again: my target is that users can only run the command binary_sw_nsa. How can I get that security on a server with cPanel?
-
I'm not sure that making this the *only* script the users can access will work well. Users still need access to PHP and other tools in order for things to function. My only recommendation would be to add that script to or edit the existing PATH so they can see that, but that is really up to the bash/shell settings and not related to the cPanel tools.
-
Thanks master @cPRex, ah! Really I am WRONG, the correct PHP code is:
Please note: the real target is to run exec(). Any idea about how users can run the instruction exec() from PHP code without BASH, or about limiting the function exec() to programs in folder X? At this moment the code
runs 100% perfectly, but I want/need to LIMIT the instructions (or directory) of the command exec()
-
Thanks for the additional details. Unfortunately I'm really not sure, as this is shell security and not really related to any cPanel tools. I'm going to put this over in the development forum to see if other users have ideas on that.
-
...I'm going to put this over in the development forum to see if other users have ideas on that.
thanks, the target is to run the line exec($Q, $R, $S);
with one or both of these options:
- limiting the commands
- limiting the FOLDER where exec() can work (/folder_to_commands_PHP_of_users/)
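One point the thread leaves open: open_basedir constrains which paths PHP's own file functions may open, but it is not consulted when exec() or shell_exec() launches a program, so on its own it does not give the restriction asked for above. The following is an added example, not code from this thread or from cPanel: a small allowlist wrapper that only launches programs found directly inside one directory, covering both options in the last post (limiting the commands and limiting the folder). The directory /folder_to_commands_PHP_of_users and the program binary_sw_nsa are the placeholder names from the question; run_allowed and the constants are names chosen here.

```php
<?php
declare(strict_types=1);

// Added example. ALLOWED_CMD_DIR and ALLOWED_CMDS use the placeholder
// names from the thread; adjust them to the real directory and program.
const ALLOWED_CMD_DIR = '/folder_to_commands_PHP_of_users';
const ALLOWED_CMDS = ['binary_sw_nsa' => true];

/**
 * Run one allowlisted program with caller-supplied arguments.
 * Returns [exit status, output lines]; throws for anything else.
 */
function run_allowed(string $name, array $args = []): array
{
    // 1. Only a bare program name that is on the allowlist is accepted.
    //    basename() rejects "../x" or "/usr/bin/x" style names.
    if ($name !== basename($name) || !isset(ALLOWED_CMDS[$name])) {
        throw new InvalidArgumentException("command not on the allowlist: $name");
    }

    // 2. Resolve both the directory and the program with realpath(), so a
    //    symlink dropped into the directory cannot point outside it unnoticed.
    $dir  = realpath(ALLOWED_CMD_DIR);
    $path = realpath(ALLOWED_CMD_DIR . '/' . $name);
    if ($dir === false || $path === false || dirname($path) !== $dir || !is_executable($path)) {
        throw new RuntimeException("$name is not an executable directly inside " . ALLOWED_CMD_DIR);
    }

    // 3. Quote every argument so values containing ';', '&&' or quotes reach
    //    the program as plain arguments instead of being parsed by the shell.
    $quoted  = array_map(fn(string $a): string => escapeshellarg($a), $args);
    $cmdline = escapeshellarg($path);
    if ($quoted !== []) {
        $cmdline .= ' ' . implode(' ', $quoted);
    }

    exec($cmdline, $output, $status);
    return [$status, $output];
}

// Usage, mirroring exec($Q, $R, $S) from the thread with the allowlist in front.
try {
    [$status, $lines] = run_allowed('binary_sw_nsa', ['--help']);
    echo "exit status $status, " . count($lines) . " line(s) of output\n";
} catch (Throwable $e) {
    echo 'refused: ' . $e->getMessage() . "\n";
}
```

This wrapper only protects code that calls run_allowed() instead of exec() directly, so it is an application-side control: it cannot stop another account's PHP script from calling exec() itself. For the shared-hosting case in the question, the operator-side control in PHP is the per-user php.ini directive disable_functions (which removes exec, shell_exec, system and similar functions entirely); there is no PHP 8 setting that restricts exec() to one directory.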