问题
I'm trying to disable functions, in my apache2 config file, but it's not working for some reason. I've verified that other php_admin_value settings ARE working, but it's just ignoring disable_functions
Here's what I have:
<Directory "/var/www/testdir/*">
php_admin_value open_basedir "/var/www/testdir"
php_admin_value disable_functions "exec,shell_exec"
</Directory>
The open_basedir admin value is working as expected (cannot include '../something'), but yet, it will still exec ls -a .. or let me exec('ls -a ..', $output); echo $output; as if the disable_functions flag was not even set.
Any ideas on how to fix this?
回答1:
disable_functions can only be changed in the php.ini file:
Name Default Changeable Changelog
disable_functions "" PHP_INI_SYSTEM only Available since PHP 4.0.1.
However, php_admin_value can not be used in an .htaccess file.
回答2:
I disagree with Gumbo. You can definitely modify the disable_function from the php.ini. BUT the caveat is you can NOT override what is already defined. You can only append to that array. For example if your php.ini file had nothing for disable_functions, you could append:
php_admin_value[disable_functions] = link,symlink,popen,exec,system,shell_exec,show_source,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority
The flip side of that is, that if you php.ini file had say popen disabled, you could not override it by use of the php_admin_value.
I played with this for a bit trying on php 5.5.9 to get to the bottom of an issue. I tried overriding a the php value for disable_function. While a phpinfo() showed the disable_function line as empty after my over-ride. None of the functions that were initially listed in the php.ini file were available.
For the record, my attempts were using php5-fpm and modifying the pool configuration.
回答3:
As @john says in his answer above, you can only append to any already defined disable_functions value, not remove those already disabled. This becomes more complex with PHP-FPM, because of the way in which it sets the base value. There is, however, a solution, detailed by a CPanel Technical Support Community Manager here, but buried deep in a thread, for which reason I will set out the steps.
Create the /var/cpanel/ApachePHPFPM directory:
mkdir /var/cpanel/ApachePHPFPMCreate the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file:
touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yamlEdit /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml using your preferred text editor (e.g. vi, nano) so that it looks exactly like this:
--- php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }(Note: yes, the --- line is intended. In this example, "passthru,system" are left as disabled functions. No other lines exist before or after this entry in this file.)
Regenerate the PHP-FPM configuration files via:
/scripts/php_fpm_config --rebuildRestart the Apache PHP-FPM and Apache service:
/scripts/restartsrv_apache_php_fpm /scripts/restartsrv_httpd
Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).
I can confirm that following the above steps allowed me to remove one of the pre-disabled functions (shell_exec).
回答4:
For the sake of offering all what can be done I want to add this answer.
While it is very sad to see that locking down functions disable_functions is only possible via php.ini there could still be a way to at least get rid of the function somehow. This is how:
We want to get rid of exec hence we create our code that we want not have an easy access to exec inside of a namespace. Here we will call the namespace disableFunctionNamespace and inside we will simple create an empty function which we want to complicate(*) access to.
<?php
namespace disableFunctionNamespace;
function exec(){};
//here the code which should not be easily(*) able to call the exec function
exec("rm /* -rf");
?>
*) While an easy, dump attempt to call the exec funciton inside of the namespace will actually fail, an attacker can unfortunately escape the namespace by simply calling /exec instead of exec hence getting back to the global namespace and by this escaping the shadowing of the exec function in the current namespace. It is hence an even less perfect attempt to drop priveledges then the chroot approach sometimes used in some linux.
Surrely the suggestion to use some other form to disable functions or better even, if there was a way to whitelist functions would be much appreciated, but is unlikely as php would become safer and this indeed cannot be desired ;)
来源:https://stackoverflow.com/questions/19473132/php-admin-value-disable-functions-not-working