I installed ISPConfig according to the instructions: https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/ I think I did something wrong. The pages are run as the web1 ... webXXX user in a normal environment. If we place this in the page code:

Code:
<pre><?php
var_dump(exec('cat /var/mail.log', $r));
var_dump($r);
exit();

It lists the logs beautifully. A lot of files in the system have chmod XX4 and every client can read them. Just blocking the exec function in PHP will not do anything. You can still open the file using fopen. It seems to me that PHP must be run in jailkit. Does anyone know how to fix it?
It is normal that log files on Linux systems have these permissions. Using a chroot for PHP is not that easy and often causes issues, but you can update ISPConfig to the test version from the master branch (not the stable-3.1 branch); it has a first draft of a chroot option for PHP-FPM built in, if I remember correctly.
Just as a side note: no, you can't open that file with fopen. That's why one normally blocks exec, passthru and other direct access commands in hosting environments if you don't want to allow access to files outside of the website that have global read permissions.
Thx till. What you've written changes everything. I thought that using fopen I could open all XX4 files as a webX user, but I can only do that in /var/www/clients/clientX/web/. I did not know about that. So in PHP I have to block some functions. I found this:

exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,_dyuweyrj4,_dyuweyrj4r,dl

Is this a good list? Anything else I need to know?
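
An added example, not part of the thread and not ISPConfig's own code: a small PHP page for checking, from inside a hosted site, that the two restrictions discussed above are actually in effect. It assumes the fopen restriction till describes is PHP's open_basedir setting; the function names `audit_disabled` and `can_read_outside` are hypothetical, and the checked functions are a subset of the list in the post above.

```php
<?php
// Added example: run this through the same PHP handler (FPM pool, FastCGI, ...)
// as the website, because the CLI usually reads a different php.ini.

// Subset of the posted list: functions that start processes or load code.
$wanted = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open',
           'popen', 'pcntl_exec', 'dl'];

// File outside the web root, path taken from the first post.
$probe = '/var/mail.log';

// Return the functions from $wanted that a script could still call.
function audit_disabled(array $wanted): array
{
    // disable_functions is a comma-separated list; entries may carry spaces.
    $raw = (string) ini_get('disable_functions');
    $disabled = array_map('strtolower', array_filter(array_map('trim', explode(',', $raw))));
    $callable = [];
    foreach ($wanted as $fn) {
        // Callable = defined in this build AND not named in disable_functions.
        // Functions of extensions that are not loaded (e.g. pcntl) are skipped.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $callable[] = $fn;
        }
    }
    return $callable;
}

// Try to open a file that lies outside the site's directory.
function can_read_outside(string $path): bool
{
    // With open_basedir active, fopen() fails with a warning for paths
    // outside the allowed directories; @ hides the warning.
    $h = @fopen($path, 'r');
    if ($h === false) {
        return false; // blocked, or the file does not exist / is unreadable
    }
    fclose($h);
    return true;
}

header('Content-Type: text/plain');
$callable = audit_disabled($wanted);
echo 'open_basedir:   ', ini_get('open_basedir') ?: '(not set)', "\n";
echo 'still callable: ', $callable ? implode(', ', $callable) : '(none)', "\n";
echo "fopen($probe): ", can_read_outside($probe) ? 'READABLE' : 'blocked or missing', "\n";
```

A hardened site shows a non-empty open_basedir, "(none)" for callable functions and no readable probe file; remove the page after checking.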