Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:124299 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 2F53F1A009C for ; Mon, 8 Jul 2024 22:39:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1720478430; bh=35nz1mUI3fmxJuoedgQrwNSuK5c2gSokXY6GApiMrz4=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=nKsx1+L6tizS+TnbqXJFH5gb3jcuOVsrCpMyfXvaqNR9NVnmZBgce75UmH5o2eoaP KZ0MBmjc3ImL7u7MPZ/Y4TWQXLJwhomA5zj3kaQgbSbLA18FSkMePfh9uoZBUMjxGo 5LdoYzseyXOeirFNVDoTXU2G/az13akoIIuAaKeCTdHcM72pOoU4e3RbIGhQ1coyBZ Sg0SkbSlUV9xG4EB6cemskUJ5UWDn8OusKyRa54rpm6TTpikMBR2pKXuveJISF39Ez AsJlQFkVRE+Qm/QgX+AS13wACfuDZrpBdGI4gx/OX5Ia07Hd1j2xLYHFooxqMWxecp Dp+0j4pM12GAg== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 4B9B31801EF for ; Mon, 8 Jul 2024 22:40:30 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_50,DMARC_NONE, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) X-Envelope-From: Received: from mail-oa1-f54.google.com (mail-oa1-f54.google.com [209.85.160.54]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 8 Jul 2024 22:40:29 +0000 (UTC) Received: by mail-oa1-f54.google.com with SMTP id 586e51a60fabf-25e134abf00so2303621fac.1 for ; Mon, 08 Jul 2024 15:39:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720478344; x=1721083144; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=35nz1mUI3fmxJuoedgQrwNSuK5c2gSokXY6GApiMrz4=; b=rcNyVP29H2J9zI9yiXbKy1aAucTkrPm5uZLSsPOjZ+KIrcSW4jxLv/kKH9kfWmUwGt rDnvXe/InAnVqYMMbVWtZmHXsyKYA/hsKz6Rdblx8xOMkNpBKRRatRIXCtmcZNZZ7R+I Xv6PUKm9OrhCt/DnAbwpFORpt41fhbljiurScfOpas4SO2CRbdvESmhlBc7qtxzencO7 n0QM1/d4cvO3ydGw/td8MnQk8CrtttJPgyOI+S+R2KOFz00qXSYau44MzBft5SAe9r6S NkFJP7DlrWRJCIp1M95nmd2DDGS01J183YZ87USgsD/IQftQdx/TFmsTFCqMfsq45NRi 806Q== X-Forwarded-Encrypted: i=1; AJvYcCVBwxQexTUC+7tkmibI8qmBgzON3v/NwhYcsDuGTMt3fAmYLqXTuZk0ghrifj6niviXDGOzSEiOVkCjS8mLuPmyWNM7dhjnZQ== X-Gm-Message-State: AOJu0Yzvg/xcQFwbHzEPAl/L9A3Yib2k0DU4imh30r3b2FufOE3RrLdx GPiS9XsJ2Le+j4DfMG8MWgI6rO23krXXVdmb4jJaL0/gi/HhenmtGFzhZPD629SCct5b8/jJegj 6S+jmVSyprx1+pAN9WdNZvVJyhws= X-Google-Smtp-Source: AGHT+IGuKnPXTy+O8R58J5ih2mT2TccJ0NTTSwaawWQw2CvJYMBhM24AAR6aOaESy6jijjYM4OcXU9f//tzDfCHrYCM= X-Received: by 2002:a05:6870:71c4:b0:25e:b4a:6255 with SMTP id 586e51a60fabf-25eae756284mr674269fac.3.1720478343948; Mon, 08 Jul 2024 15:39:03 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 8 Jul 2024 23:38:52 +0100 Message-ID: Subject: Re: [PHP-DEV] pcntl_exec update proposal To: Dusk Cc: David CARLIER , PHP internals Content-Type: multipart/alternative; boundary="00000000000088f437061cc414c2" From: bukka@php.net (Jakub Zelenka) --00000000000088f437061cc414c2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Jul 8, 2024 at 11:14=E2=80=AFPM Dusk wrote: > On Jul 8, 2024, at 14:12, David CARLIER wrote: > > Through this existing PR, I wanted to know how would appeal to you > adding some access restriction upon this existing call, using the open > basedir check. So if the sysadmin wants the php user having no business > calling `/bin` commands for examples would do that, bringing a bit more o= f > the former suhosin "spirit" here. > > open_basedir is usually used in conjunction with the disable_functions > directive to disable all functions which execute external commands, > including pcntl_exec(). It's largely ineffective if the user can execute > external commands, as those commands are not themselves restricted by > open_basedir. (For instance, if PHP is allowed to execute /bin/cat, that > can be used to read any file; if it can execute /bin/sh, that can execute > any other command.) Additionally, if there *are* PHP installations which > set open_basedir but do allow pcntl_exec(), this change would introduce a > major incompatibility by disallowing all commands. > > If your goal is to restrict what external commands can be executed by a > PHP script, any solution would need to be applied to all functions which > can execute shell commands - exec(), shell_exec(), system(), passthru(), > proc_open(), shell_exec(), popen(), not just pcntl_exec(). Keep in mind > that some of these functions take a string as input which is parsed by th= e > shell; implementing path-based restrictions may be very difficult to do i= n > a general fashion. Completely agree with this. Using open_basedir would be just a hard to catch BC break without any extra protection. So -1 on this proposal. Cheers Jakub --00000000000088f437061cc414c2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, Jul 8, 2024 at 11:14=E2=80=AFPM D= usk <dusk@woofle.net> wrote:
On Jul 8, 2024, at 14:12, David CARLIER <devnexen@gmail.com> wrote:
> Through this existing PR, I wanted to know how would appeal to you add= ing some access restriction upon this existing call, using the open basedir= check. So if the sysadmin wants the php user having no business calling `/= bin` commands for examples would do that, bringing a bit more of the former= suhosin "spirit" here.

open_basedir is usually used in conjunction with the disable_functions dire= ctive to disable all functions which execute external commands, including p= cntl_exec(). It's largely ineffective if the user can execute external = commands, as those commands are not themselves restricted by open_basedir. = (For instance, if PHP is allowed to execute /bin/cat, that can be used to r= ead any file; if it can execute /bin/sh, that can execute any other command= .) Additionally, if there *are* PHP installations which set open_basedir bu= t do allow pcntl_exec(), this change would introduce a major incompatibilit= y by disallowing all commands.

If your goal is to restrict what external commands can be executed by a PHP= script, any solution would need to be applied to all functions which can e= xecute shell commands - exec(), shell_exec(), system(), passthru(), proc_op= en(), shell_exec(), popen(), not just pcntl_exec(). Keep in mind that some = of these functions take a string as input which is parsed by the shell; imp= lementing path-based restrictions may be very difficult to do in a general = fashion.

=C2=A0Completely agree with this. = Using open_basedir would be just a hard to catch BC break without any extra= protection. So -1 on this proposal.

Cheers
<= div>
Jakub
--00000000000088f437061cc414c2--