Hi,
Through this existing PR https://github.com/php/php-src/pull/14772, I
wanted to know how would appeal to you adding some access restriction upon
this existing call, using the open basedir check. So if the sysadmin wants
the php user having no business calling /bin commands for examples would
do that, bringing a bit more of the former suhosin "spirit" here.
Regards.
Through this existing PR, I wanted to know how would appeal to you adding some access restriction upon this existing call, using the open basedir check. So if the sysadmin wants the php user having no business calling
/bincommands for examples would do that, bringing a bit more of the former suhosin "spirit" here.
open_basedir is usually used in conjunction with the disable_functions directive to disable all functions which execute external commands, including pcntl_exec(). It's largely ineffective if the user can execute external commands, as those commands are not themselves restricted by open_basedir. (For instance, if PHP is allowed to execute /bin/cat, that can be used to read any file; if it can execute /bin/sh, that can execute any other command.) Additionally, if there are PHP installations which set open_basedir but do allow pcntl_exec(), this change would introduce a major incompatibility by disallowing all commands.
If your goal is to restrict what external commands can be executed by a PHP script, any solution would need to be applied to all functions which can execute shell commands - exec(), shell_exec(), system(), passthru(), proc_open(), shell_exec(), popen(), not just pcntl_exec(). Keep in mind that some of these functions take a string as input which is parsed by the shell; implementing path-based restrictions may be very difficult to do in a general fashion.
Through this existing PR, I wanted to know how would appeal to you
adding some access restriction upon this existing call, using the open
basedir check. So if the sysadmin wants the php user having no business
calling/bincommands for examples would do that, bringing a bit more of
the former suhosin "spirit" here.open_basedir is usually used in conjunction with the disable_functions
directive to disable all functions which execute external commands,
includingpcntl_exec(). It's largely ineffective if the user can execute
external commands, as those commands are not themselves restricted by
open_basedir. (For instance, if PHP is allowed to execute /bin/cat, that
can be used to read any file; if it can execute /bin/sh, that can execute
any other command.) Additionally, if there are PHP installations which
set open_basedir but do allowpcntl_exec(), this change would introduce a
major incompatibility by disallowing all commands.If your goal is to restrict what external commands can be executed by a
PHP script, any solution would need to be applied to all functions which
can execute shell commands -exec(),shell_exec(),system(),passthru(),
proc_open(),shell_exec(),popen(), not justpcntl_exec(). Keep in mind
that some of these functions take a string as input which is parsed by the
shell; implementing path-based restrictions may be very difficult to do in
a general fashion.
Completely agree with this. Using open_basedir would be just a hard to
catch BC break without any extra protection. So -1 on this proposal.
Cheers
Jakub