Shell exec security

Hi,
I noticed that under a website (let's call it website1.com), I can do the following :

• shell_exec('ls /var/www')
• shell_exec('cat /var/www/website2.com/logs/error.log')

Is this intended ? How can I prevent that ?
Thanks

 

It is up to you how you can configure your PHP. If you want to disable shell_exec function, just change your php.ini and add

Code:

disable_functions = shell_exec

or any other functions you want to disable. You can also configure disable_functions per vhost in ispconfig, in site edit -> Options tab and Custom php.ini settings

 

Ok for this type of configuration, but in common CMS (Joomla, Prestashop), this function (or others like "exec") are required.
I think it is a good thing that it is available, but I would to prevent abuse.
open_basedir is only applicable for php includes and executions, is there a solution for shell commands (as global configuration if possible)?

 

As I wrote to you before, you can limit allowed php functions per vhost, if you are not satisfied with global disable. There is no easy way how to prevent php exec functions to access out of their directories or execute dangerous system commands. The one possible way is to use PHP-FPM with "Chroot PHP" options (when you enable PHP-FPM for website, on the Options tab will be available Chroot option). In this kind of configuration, will be available only what is inside the website chroot.

 

I will take a look at PHP-FPM with "Chroot PHP"
Thank you

 

PHP-FPM and Chroot PHP have led me to other problems, so I will not go down this path there. I think this can be a good solution on a new server, but there I already have thirty sites running, I am afraid of having compatibility problems.

For security, I added the following line in my crontab:
30 * * * * chmod o-rw /var/www/clients/*/web*/* -R

This seems to me a good compromise to ensure that the content of the sites is not readable by other clients via a shell exec command.
What do you think ?