是否可以限制什么命令php可以通过exec在操作系统级别？ [英] Is it possible to restrict what commands php can pass through exec at an OS level?

问题描述

我目前在CentOS机器上托管 Drupal 6网站。 Drupal（ CMS ）配置包含几十个第三方模块，它们不应分叉为一般的最佳编码实践。但是，其中一些模块使用 php exec 命令以正常工作。

网站允许管理员通过UI配置将PHP代码片段嵌入任何页面，并授予他们访问php代码输入格式。我需要保持此输入格式对管理员可用，因为有几个节点（页面）和面板窗格使用小的，无害的PHP代码片段，例如嵌入特定的表单到内容区域，例如。

$问题是，如果有人要破坏管理员帐户，那么他们可以在网站上运行任意php代码，从而通过php的 exec ， passthru 等。有没有办法，从操作系统级别，限制什么shell命令php可以传递到机器？这可以通过限制文件权限从一些程序从php？

注意：我不能使用php.ini disable_functions 指令，因为我仍然需要 exec

解决方案

在许多情况下，模块使用某些shell命令，例如视频编码。回答你的问题：在理论上，如果你创建一个用户帐户使用一个极其受限的帐户，PHP可以运行命令，你可以调整你的安装，以更加安全。然而，真正的问题是管理员用户能够执行任意命令。

这里真正的解决方案是：

• 从Drupal提交和运行任意代码的能力是一个很大的风险，你可以通过不这样做来减轻。我强烈建议重新设计那些无害的代码，因为它们会导致妥协;任何代码执行只是一种漏洞，还有很多其他人需要担心。


• 需要运行shell命令的模块也是重大的安全漏洞。在某些情况下，我已经能够执行命令的模块/补丁或替换模块，但在某些情况下（例如视频编码），它是不能避免的。在这种情况下，我会建立一个非常有限的后端服务，前端可以与之通信。这将分离您的关注，并让Drupal做它打算：管理和服务内容。

I am currently hosting a Drupal 6 site on a CentOS machine. The Drupal (CMS) configuration contains a few dozen third-party modules that should not be forked as a general best coding practice. However, some of these modules make use of the php exec command in order to function properly.

The site allows for admins to embed php code snippets in any page via a UI configuration, granted that they have access to the php code input format. I need to keep this input format available to admins because there are several nodes (pages) and panel panes that make use of small, harmless php code snippets, like embedding a specific form into the content region, for example.

The issue is that if someone were to compromise an admin account, then they could run arbitrary php code on the site, and thus run shell commands via php's exec, passthru, etc. Is there any way, from an operating system level, to restrict what shell commands php can pass through to the machine? Could this be done via restricting file permissions to some programs from php?

Note: I cannot use the php.ini disable_functions directive as I still need exec to function normally for many cases, where modules make use of certain shell commands, like video encoding, for example.

解决方案

To answer your question: in theory, if you created a user account using an extremely restricted account that PHP could run commands as, you could tune your installation to be more secure. However, the real problem is that administrator users are able to execute arbitrary commands. If that happens, you will have a significantly larger problem on your hands.

The real solution here is:

• The ability to submit and run arbitrary code from within Drupal is a significant risk that you can mitigate by not doing it. I strongly recommend re-designing those "harmless" bits of code, as they will lead to a compromise; arbitrary code execution is only one kind of exploit and there are many others to worry about.
• The modules that require running shell commands are also significant security vulnerabilities. In some cases, I've been able to fork/patch or replace modules executing commands with ones that don't, but in some cases (e.g. video encoding) it cannot be avoided. In that situation, I would set up a very restricted backend service that the frontend can communicate with. This separates your concerns and leaves Drupal to do what it was intended to: manage and serve content.

这篇关于是否可以限制什么命令php可以通过exec在操作系统级别？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！