 

Is there a safe way of allowing users to add their own PHP to my server?

Tags:

php

I'm developing a platform that allows users to create apps using PHP. Is there any safe way of allowing users to do this? Can you restrict use of functions that could damage existing source code or the server in any way? I only want them able to use basic functions, and give them access to 1 database. This must be possible, because of the existence of shared servers, run by many users. ...

Any advice?

asked Feb 11 '12 16:02

Joshua Davis


3 Answers

You can list all disabled functions in your php.ini. You can set it differently for every vhost.

disable_functions = "exec,passthru"

Shared hostings are just doing the same as I stated above.

Other functions that can be considered to disable: readfile, fopen, fsockopen, popen, file_get_contents, include, stream_context_create, chmod, chown

Complete list can be found here

But if you are using these functions inside your code also, it's better to make all code files read-only to the Apache user or for all; in this case disabling chown and chmod plays a great role.

answered Oct 25 '22 22:10

Martin.


Never did this before, but I think this approach can help you with a sane and secure environment.

If you are on Ubuntu (Debian-based), I recommend you create a jailed chroot. From the link:

A chroot is basically a special directory on your computer which prevents applications, if run from inside that directory, from accessing files outside the directory. In many ways, a chroot is like installing another operating system inside your existing operating system.

You must also install a dedicated instance of PHP that must be used by applications run from inside of chroot'd directories.

You can configure your php.ini with "max_execution_time", "disable_functions", ... etc.

This is exactly what you need actually.

answered Oct 25 '22 23:10

Abhinav Singh
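
An added example, not code from either answer above: a Python check that reads a vhost's php.ini text and reports which of the functions named in those answers are still callable, plus the max_execution_time setting. PHP's disable_functions only applies to internal functions, so language constructs such as include are reported separately as having no effect; the names `parse_ini`, `audit`, `BASELINE`, `CONSTRUCTS` and the sample ini are this example's own.

```python
# Added example: audit a php.ini for the restrictions discussed in the answers.
BASELINE = {  # functions named in the answers above
    "exec", "passthru", "readfile", "fopen", "fsockopen", "popen",
    "file_get_contents", "stream_context_create", "chmod", "chown",
}
# Language constructs, not internal functions: disable_functions cannot block them.
CONSTRUCTS = {"include", "include_once", "require", "require_once", "eval"}

# Constructed sample of a per-vhost php.ini (not taken from the page).
SAMPLE = """\
[PHP]
; tenant vhost
max_execution_time = 0
disable_functions = "exec,passthru, popen ,include,chmod,chown"
"""


def parse_ini(text):
    """Return {directive: value}; a later duplicate overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        # Drop ';' comments (the directives checked here never contain ';').
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not a directive
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text, baseline=frozenset(BASELINE)):
    """Report gaps between the ini text and the baseline restrictions."""
    ini = parse_ini(text)
    raw_list = ini.get("disable_functions", "")
    listed = {f.strip().lower() for f in raw_list.split(",") if f.strip()}
    return {
        "missing": sorted(baseline - listed),      # still callable by tenant code
        "no_effect": sorted(listed & CONSTRUCTS),  # listed, but not disabled this way
        "unlimited_runtime": ini.get("max_execution_time") == "0",  # 0 = no limit
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE).items():
        print(f"{finding}: {value}")
```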


I used to run a shared server using PHP safe mode, but apparently it's deprecated now.

A better solution is to run each user's PHP processes under a different user account, in a chroot jail, and let the OS worry about security. Users will be able to upload and run arbitrary code, but as long as it's properly sandboxed, they won't be able to do much harm.

You can also use disk quota. Use ulimits for per-user memory usage, and consider disallowing network connections (incoming and outgoing).

For the database, just set them up with a single database, with access to only their own, and don't give them privileges to create more.

answered Oct 25 '22 23:10

Thomas