是否可以在操作系统级别限制 php 可以通过 exec 传递的命令? [英] Is it possible to restrict what commands php can pass through exec at an OS level?
问题描述
我目前在 CentOS 机器上托管 Drupal 6 站点.Drupal (CMS) 配置包含几十个第三方模块,不应该是 forked 作为一般的最佳编码实践.但是,其中一些模块按顺序使用 php exec 命令正常运行.
I am currently hosting a Drupal 6 site on a CentOS machine. The Drupal (CMS) configuration contains a few dozen third-party modules that should not be forked as a general best coding practice. However, some of these modules make use of the php exec command in order to function properly.
该站点允许管理员通过 UI 配置在任何页面中嵌入 php 代码片段,前提是他们有权访问 php 代码输入格式.我需要让管理员可以使用这种输入格式,因为有几个节点(页面)和面板窗格使用小的、无害的 php 代码片段,例如将特定表单嵌入到内容区域中.
The site allows for admins to embed php code snippets in any page via a UI configuration, granted that they have access to the php code input format. I need to keep this input format available to admins because there are several nodes (pages) and panel panes that make use of small, harmless php code snippets, like embedding a specific form into the content region, for example.
问题是,如果有人要入侵管理员帐户,那么他们可以在站点上运行任意 php 代码,从而通过 php 的 exec、passthru等.有没有什么办法,从操作系统层面,限制php可以执行的shell命令通过机器?这可以通过从 php 限制某些程序的文件权限来完成吗?
The issue is that if someone were to compromise an admin account, then they could run arbitrary php code on the site, and thus run shell commands via php's exec, passthru, etc. Is there any way, from an operating system level, to restrict what shell commands php can pass through to the machine? Could this be done via restricting file permissions to some programs from php?
注意:我不能使用 php.ini disable_functions 指令,因为在很多情况下我仍然需要 exec 才能正常运行,其中模块使用某些 shell 命令,例如视频编码.
Note: I cannot use the php.ini disable_functions directive as I still need exec to function normally for many cases, where modules make use of certain shell commands, like video encoding, for example.
推荐答案
回答您的问题:理论上,如果您使用 PHP 可以运行命令的极其受限的帐户创建用户帐户,您可以将安装调整为更安全.然而,真正的问题是管理员用户能够执行任意命令.如果发生这种情况,您将面临更大的问题.
To answer your question: in theory, if you created a user account using an extremely restricted account that PHP could run commands as, you could tune your installation to be more secure. However, the real problem is that administrator users are able to execute arbitrary commands. If that happens, you will have a significantly larger problem on your hands.
这里真正的解决方案是:
The real solution here is:
- 在 Drupal 中提交和运行任意代码的能力是一个重大风险,您可以通过不这样做来缓解.我强烈建议重新设计那些无害"的代码,因为它们会导致妥协;任意代码执行只是一种利用方式,还有很多其他需要担心的.
- 需要运行 shell 命令的模块也是严重的安全漏洞.在某些情况下,我已经能够对执行命令的模块进行 fork/patch 或替换,但在某些情况下(例如视频编码),这是无法避免的.在这种情况下,我会设置一个非常受限的后端服务,前端可以与之通信.这将您的关注点分开,让 Drupal 去做它原本打算做的事情:管理和提供内容.
- The ability to submit and run arbitrary code from within Drupal is a significant risk that you can mitigate by not doing it. I strongly recommend re-designing those "harmless" bits of code, as they will lead to a compromise; arbitrary code execution is only one kind of exploit and there are many others to worry about.
- The modules that require running shell commands are also significant security vulnerabilities. In some cases, I've been able to fork/patch or replace modules executing commands with ones that don't, but in some cases (e.g. video encoding) it cannot be avoided. In that situation, I would set up a very restricted backend service that the frontend can communicate with. This separates your concerns and leaves Drupal to do what it was intended to: manage and serve content.
这篇关于是否可以在操作系统级别限制 php 可以通过 exec 传递的命令?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
