Author Topic: Make php safe again  (Read 4183 times)


Make php safe again
« on: February 11, 2020, 09:00:44 AM »
For those who are interested (and maybe a good thing to build into CWP).
I've hardened php so:
- open_basedir is the user's home dir
- all executables are disabled by default
- users can NOT override these options with their own php user.ini files.

This is how it works:
*1 create a file /home/zz_make with this code:
<?php
// Home directories that must not get a [PATH=...] section
$excluded = array(
    "tmpback",
    "lost+found"
);
$filename = "/home/zz_ini";
$out = "";   // must be initialised, otherwise the first .= below raises a notice

if ($DIR = opendir("/home/")) {
    while (($dirfile = readdir($DIR)) !== false) {
        // skip ".", ".." and any other entry whose name contains a dot
        if (preg_match('/\./', $dirfile))
            continue;
        if (in_array(trim($dirfile), $excluded))
            continue;
        if (is_dir("/home/$dirfile/")) {
            // one [PATH=...] section per home dir: PHP applies it only to scripts
            // under that path, and user .ini files / ini_set() cannot override it
            $out .= "[PATH=/home/" . $dirfile . "/]\n";
            $out .= "open_basedir = \"/home/" . $dirfile . "/:/tmp:/var/tmp:/usr/local/lib/php\"\n";
            $out .= "disable_functions = exec, passthru, shell_exec, system, popen, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg\n\n";
        }
    }
    closedir($DIR);
}

$handle = fopen($filename, 'w');
if (!$handle) {
    echo "Cannot open file ($filename)";
    exit;
}
if (fwrite($handle, $out) === FALSE) {
    echo "Cannot write to file ($filename)";
    exit;
}
fclose($handle);


*2 run: php /home/zz_make, check for errors and look whether /home/zz_ini is created

*3 make softlinks in your php dirs
ln -s /home/zz_ini /opt/alt/php72/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php73/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php-fpm72/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php-fpm73/usr/php/php.d/zz.ini
(depends on what versions of php you are running)

*4 make a cron file /etc/cron.daily/make_php-ini with this in it
#!/bin/bash
/usr/local/bin/php /home/zz_make
/bin/systemctl reload php-fpm72.service
/bin/systemctl reload php-fpm73.service

(you only have to reload php-fpm; normal fpm doesn't need to be reloaded)

*5 chmod 755 /etc/cron.daily/make_php-ini

And you're done!
Check phpinfo() in some websites to see if it works.
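A sanity check for the generated file, added here as an example and not part of the original post or of CWP. Before the symlinks in step 3 hand /home/zz_ini to every PHP version, it is worth verifying that each [PATH=...] section really carries an open_basedir rooted in that same home directory and a disable_functions list that still names the command-execution functions, and that the file itself is root-owned and not group/world-writable (otherwise the users it restricts could edit it back). The two sample ini files, the function names and the /home/alice-style paths below are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original post): check a generated zz_ini file.

# report_section SECTION HAVE_OPEN_BASEDIR HAVE_DISABLE_FUNCTIONS
# Prints one line per directive missing from the section just finished.
report_section() {
  [ -z "$1" ] && return 0
  [ "$2" -eq 1 ] || echo "$1: missing open_basedir"
  [ "$3" -eq 1 ] || echo "$1: missing disable_functions"
}

# check_ini_sections FILE
# Prints one line per problem; prints nothing when every section is sane.
check_ini_sections() {
  local file="$1" section="" have_ob=0 have_df=0 line val list fn
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "[PATH="*"]")
        report_section "$section" "$have_ob" "$have_df"
        section="${line#\[PATH=}"; section="${section%\]}"
        have_ob=0; have_df=0 ;;
      open_basedir*)
        have_ob=1
        val="${line#*=}"                 # text after '='
        val="${val#"${val%%[! ]*}"}"     # drop leading blanks
        val="${val#\"}"                  # drop opening quote
        case "$val" in
          "$section"*) ;;
          *) echo "$section: open_basedir does not start with section path ($val)" ;;
        esac ;;
      disable_functions*)
        have_df=1
        # normalise to ",a,b,c," so that 'exec' does not match 'shell_exec'
        list=",$(printf '%s' "${line#*=}" | tr -d ' \t'),"
        for fn in exec system shell_exec passthru popen proc_open; do
          case "$list" in
            *",$fn,"*) ;;
            *) echo "$section: disable_functions lacks $fn" ;;
          esac
        done ;;
    esac
  done < "$file"
  report_section "$section" "$have_ob" "$have_df"
}

# ini_sections_ok FILE -> exit 0 only when check_ini_sections reports nothing
ini_sections_ok() { [ -z "$(check_ini_sections "$1")" ]; }

# file_mode FILE -> octal permission bits (GNU stat, BSD stat as fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# ini_writable_by_others FILE -> exit 0 if the group or world write bit is set
ini_writable_by_others() {
  local mode go g o
  mode=$(file_mode "$1")
  go="${mode#"${mode%??}"}"   # last two octal digits: group, other
  g="${go%?}"; o="${go#?}"
  [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# check_ini_perms FILE -> prints problems; exit 0 only if root-owned and
# not writable by group/others
check_ini_perms() {
  local rc=0 uid
  uid=$(stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1")
  [ "$uid" -eq 0 ] || { echo "$1: not owned by root (uid $uid)"; rc=1; }
  ! ini_writable_by_others "$1" || { echo "$1: writable by group/others"; rc=1; }
  return "$rc"
}

# --- constructed samples, in the shape the generator above writes ---
SAMPLE_DIR=$(mktemp -d)
GOOD_INI="$SAMPLE_DIR/good_zz_ini"
BAD_INI="$SAMPLE_DIR/bad_zz_ini"

cat > "$GOOD_INI" <<'EOF'
[PATH=/home/alice/]
open_basedir = "/home/alice/:/tmp:/var/tmp:/usr/local/lib/php"
disable_functions = exec, passthru, shell_exec, system, popen, pcntl_exec, proc_open

[PATH=/home/bob/]
open_basedir = "/home/bob/:/tmp:/var/tmp:/usr/local/lib/php"
disable_functions = exec, passthru, shell_exec, system, popen, pcntl_exec, proc_open
EOF

# carol's section escapes her own home and lost disable_functions entirely;
# dave's list no longer contains system
cat > "$BAD_INI" <<'EOF'
[PATH=/home/carol/]
open_basedir = "/home/:/tmp:/var/tmp:/usr/local/lib/php"

[PATH=/home/dave/]
open_basedir = "/home/dave/:/tmp:/var/tmp:/usr/local/lib/php"
disable_functions = exec, passthru, shell_exec, popen, proc_open
EOF
chmod 644 "$GOOD_INI"
chmod 666 "$BAD_INI"

for f in "$GOOD_INI" "$BAD_INI"; do
  echo "== $f"
  check_ini_sections "$f"
  check_ini_perms "$f"
done
```

Run it as root after step 2 (point the loop at /home/zz_ini instead of the samples); an empty report from check_ini_sections and a clean exit from check_ini_perms is what you want before doing the symlinks. The permission check only inspects the regular file; if /home/zz_ini were ever replaced by a symlink into a user's home, stat would follow it, so keep the file itself root-owned in a root-owned directory.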

Re: Make php safe again
« Reply #1 on: February 11, 2020, 09:34:57 AM »
Nice idea, other than users can simply edit zz_ini and turn it all back on.  You could also edit your php.ini file and turn it off for all users.  I don't believe that php.ini is overwritten when cwp updates.
Google Hangouts:  rcschaff82@gmail.com