For those who are intrested (and maybe a good thing to build into CWP).
I've hardened php so:
- open_basedir is the users home-dir
- all executables are disabled by default
- users can NOT overwrite this options with their own php user.ini-files.
This is how it works:
*1 create a file /home/zz_make with this code:
<?php
$excluded = array ( "tmpback",
"lost+found"
);
$filename = "/home/zz_ini";
if ($DIR = opendir("/home/")){
while (($dirfile = readdir($DIR)) !== false){
if (preg_match('/\./',$dirfile))
continue;
if (in_array(trim($dirfile),$excluded))
continue;
if (is_dir("/home/$dirfile/")){
$out .= "[PATH=/home/".$dirfile."/]\n";
$out .= "open_basedir = \"/home/".$dirfile."/:/tmp:/var/tmp:/usr/local/lib/php\"\n";
$out .= "disable_functions = exec, passthru, shell_exec, system, popen, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg\n\n";
}
}
}
$handle = fopen($filename, 'w');
if (!$handle) {
echo "Cannot open file ($filename)"; exit;
}else{
if (fwrite($handle, $out) === FALSE) {
echo "Cannot write to file ($filename)";
exit;
}
}
fclose($handle);
*2 run: php /home/zz_make and check for errors and look if /home/zz_ini is created
*3 make softlinks in your php-dir's
ln -s /home/zz_ini /opt/alt/php72/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php73/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php-fpm72/usr/php/php.d/zz.ini
ln -s /home/zz_ini /opt/alt/php-fpm73/usr/php/php.d/zz.ini
(depends on what versions of php you are running)
*4 make a cron-file /etc/cron.daily/make_php-ini with this into it
#!/bin/bash
/usr/local/bin/php /home/zz_make
/bin/systemctl reload php-fpm72.service
/bin/systemctl reload php-fpm73.service
(you only have to reload php-fpm, normal fpm doesn't need to be reloaded)
*5 chmod 755 /etc/cron.daily/make_php-ini
And your done!
Check phpfinfo() in some websites to see if it works.
Topic: Make php safe again (Read 3893 times)
