Menu
I am currently hosting a Drupal 6 site on a CentOS machine. The Drupal (CMS) configuration contains a few dozen third-party modules that should not be forked as a general best coding practice. However, some of these modules make use of the php exec command in order to function properly.
The site allows for admins to embed php code snippets in any page via a UI configuration, granted that they have access to the php code input format. I need to keep this input format available to admins because there are several nodes (pages) and panel panes that make use of small, harmless php code snippets, like embedding a specific form into the content region, for example.
The issue is that if someone were to compromise an admin account, then they could run arbitrary php code on the site, and thus run shell commands via php's exec, passthru, etc. Is there any way, from an operating system level, to restrict what shell commands php can pass through to the machine? Could this be done via restricting file permissions to some programs from php?
Note: I cannot use the php.ini disable_functions directive as I still need exec to function normally for many cases, where modules make use of certain shell commands, like video encoding, for example.
340
The exec() function is an inbuilt function in PHP which is used to execute an external program and returns the last line of the output. It also returns NULL if no command run properly.
php phpinfo(); ?> You can search for disable_functions and if exec is listed it means it is disabled. To enable it just remove the exec from the line and then you need to restart Apache and you will be good to go. If exec is not listed in the disable_functions line it means that it is enabled.
You can execute linux commands within a php script - all you have to do is put the command line in brackits (`). And also concentrate on exec() , this and shell_exec() ..
Another approach:
We believe that we need to create a test user that only has access to the system to perform a telnet to another machine on the network. Since we only need to run a telnet need to restrict the other commands available in a standard bash session. Let's go step by step configuring everything.
1) We create user test
This will be a regular user of the system, so should we as a normal user. The only peculiarity is that we change the shell of that user. The default is usually / bin / bash and we will set / bin / rbash. rbash is actually a copy of bash, but it really is a "restricted bash".
shell> adduser --shell /bin/test rbash
2) We create the file. Bash_profile
We must create this file in the user's home that was created and for which we want to apply the permissions. The contents of the file will be as follows,
if [-f ~/.bashrc]; then
. ~/.bashrc
fi
PATH = $HOME/apps
export PATH
3)We avoid changes
Once you have created the file, we stop nobody can make changes to the file.
shell> chattr +i /home/test/.bash_profile
4) We create the apps directory and install the programs 'access'
Now once you have everything set up and only have to create the apps and inside it, create a link to the programs you want the user to have permissions. All programs that are within apps, the user can run the but, no.
shell> mkdir apps
shell> ln-s /usr/bin/telnet /home/test/apps/
5) We found that works
Now you can access the system and verified that it works correctly.
shell> ssh test@remote
test@remote password:
shell@remote> ls
-rbash: ls: command not found
shell@remote> cd
-rbash: cd: command not found
shell@remote> telnet
telnet>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
