Allow ini_set with Ruid2 + DSO + suEXEC?
Hello!
I know this is a very recurring topic on the forum, but I researched a lot before posting.
Currently I see this alert in CSF:
My clients need to use ini_set. But it's a shared environment and I can not leave any loophole that will overcome the security.
Of all the research in the forum, I did not find anything that answered my question. Or I did not fully understand.
Is it safe to allow ini_set with Ruid2 + DSO + suEXEC?
If not, what worries should I have?
I disabled the following functions in my php.ini:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
And I do not want anyone to be able to turn those functions on again. Bearing in mind that someone can compromise the entire system if they have access to these functions.
-
Hello,

This is discussed on the following thread: disable ini_set, what are the risks?

You may also find this post helpful: EA4 and securing PHP processes

Also, ensure you make modifications to the global php.ini files via:

"WHM Home » Software » MultiPHP INI Editor"

This will ensure the settings are saved to the correct locations.

Thank you.
-
Hello @cPanelMichael,

Sorry for the ignorance on this subject, it's because it makes me very confused. I read what you sent me, and I had even read it before creating this post and even then I still have questions.

Using ruid2 + DSO I protect the PHP processes, which run as the user. That way, is it safe to keep ini_set enabled?

If I set disable_functions in "MultiPHP INI Editor" is it impossible for someone to override/disable this rule?

Thank you!
-
Hello,

The use of DSO/Ruid2 isn't necessarily a protection against ini_set values configured by a user. Most of the discussion on this topic centers around performance issues (e.g. a script enables the use of more resources through a PHP setting). I recommend reviewing the following PHP document to get a better idea of what the ini_set function can do:

PHP: ini_set - Manual

Then, you can review the following documents to see which values are adjustable with ini_set:

PHP: List of php.ini directives - Manual
PHP: Where a configuration setting may be set - Manual

This is ultimately a system administration choice that's up to you. You may want to consult with a qualified system administrator or security expert to determine what would work best for your particular server.

Thank you.
-
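The access levels that the "Where a configuration setting may be set" page describes can be read from the running interpreter with ini_get_all(). The script below is an added example, not part of the thread or of cPanel's tooling; the WATCHED list is an assumption, and it should be run through the web server so it sees the same php.ini as the hosted sites.

```php
<?php
// Added example, not from the thread; run it under the handler the sites use.

// Assumption: directives a shared-hosting admin would want to watch.
const WATCHED = ['disable_functions', 'open_basedir', 'allow_url_include',
                 'memory_limit', 'max_execution_time', 'display_errors'];

/** Human-readable name for the 'access' bitmask reported by ini_get_all(). */
function accessLabel(int $access): string
{
    $labels = [INI_USER => 'INI_USER', INI_PERDIR => 'INI_PERDIR',
               INI_SYSTEM => 'INI_SYSTEM', INI_ALL => 'INI_ALL'];
    return $labels[$access] ?? "mask $access";
}

/** For each directive: current value, access level, and ini_set() reach. */
function auditDirectives(array $names): array
{
    $all = ini_get_all(null, true);
    $report = [];
    foreach ($names as $name) {
        if (!isset($all[$name])) {
            continue; // directive not registered in this build
        }
        $access = (int) $all[$name]['access'];
        $report[$name] = [
            'value'   => (string) $all[$name]['local_value'],
            'access'  => accessLabel($access),
            // ini_set() can only succeed when the INI_USER bit is set.
            'ini_set' => ($access & INI_USER) !== 0,
        ];
    }
    return $report;
}

/** True only if a script managed to change disable_functions at runtime. */
function disableFunctionsIsWritable(): bool
{
    // ini_set() may itself be disabled; then nothing can be changed with it.
    return function_exists('ini_set')
        && @ini_set('disable_functions', '') !== false;
}

foreach (auditDirectives(WATCHED) as $name => $info) {
    printf("%-20s %-11s ini_set=%-3s value=%s\n", $name, $info['access'],
           $info['ini_set'] ? 'yes' : 'no', $info['value']);
}
echo 'disable_functions writable via ini_set: ',
     disableFunctionsIsWritable() ? "YES (investigate)\n" : "no\n";
```

PHP registers disable_functions as INI_SYSTEM, so the last line is expected to print "no"; directives that show ini_set=yes are the ones a customer script can change at runtime.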
Hello Michael,

You helped me a lot, as always. Even security experts need to learn somewhere, right? I read a lot, did a lot of research and even then I was not able to be absolutely certain of my questions.

I did some testing and I was not able to override the disable_functions with ruid2 + DSO. That's nice! But even so I'm not 100% sure that anyone will not be able to do this.

But that's okay, let's just say that someone can overcome disable_functions: In this case my client would be able to run binaries using functions like shell_exec, exec. However, as I use Ruid2+DSO on my server, I assume that my client's binary will run with its own user inside the jailshell protection, right?

Another question: is it safe to allow shell_exec, exec functions with jailshell enabled and Ruid2+DSO? Or should it at least be considered safe?

Let me know if I'm too paranoid. :s
-
Hello,

This post offers some information you may find helpful: CloudLinux vs BetterLinux vs Jailshell?

Thank you.
-
Hello @cPanelMichael,

This information actually helped me. I think of using Cloudlinux in the near future.

Thank you!