[CentOS] Permissions for LAMP

Sat Jan 25 21:42:28 UTC 2014
Always Learning <centos at u62.u22.net>

On Sat, 2014-01-25 at 21:44 +0100, Reindl Harald wrote:

> Am 25.01.2014 21:40, schrieb Always Learning:
> > 
> > if($ban)
> >    { $ipx = $ip1;
> >      exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned.".$mm." -j DROP -s ".$ipx);
> >    }

> if your webserver is allowed to call exec() at all from php-scripts and
> even "sudo" this is a security hole as big as a house and you are a pure
> idiot - there is nothing more to say except some sane php settings for
> a webserver
> 
> disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid,
> getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
> pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
> pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus,
> pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen,
> posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice,
> proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"

Guten Abend Harald (that's a good old Norwegian name)

1. Both C6 and C5's /etc/php.ini have

disable_functions =

Neither C5's nor C6's /etc/php.ini has your list of dangerous PHP functions.  One wonders why not, if they are so dangerous.

2. In your list you have 'mail' which I consider an essential PHP command in a production environment.

3. I'm willing to add your suggestions to php.ini except for three.

4. I'm puzzled how hackers can break in to use all those functions in your list. Can you elaborate please?

Mfg / best regards,

Paul.


-- 
Paul.
England,
EU.

   Our systems are exclusively Linux. No Micro$oft Windoze here.
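A small audit helper, added here as an example and not part of the thread or of any CentOS package: it reads the `disable_functions` line from a php.ini file and prints which of the functions you name on the command line are still enabled. The stock `disable_functions =` that Paul reports on C5 and C6 therefore reports every function as still enabled. The sample php.ini content is constructed for the example; the function names passed in are whatever subset of Harald's list you decide to enforce.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread).
# Audits the disable_functions setting of a php.ini against a list of
# PHP functions that a web server should not be able to call.

# Constructed sample php.ini: only three functions disabled.
make_sample_ini() {
  cat <<'EOF'
; constructed sample php.ini for the example
[PHP]
engine = On
disable_functions = exec, passthru, shell_exec
expose_php = Off
EOF
}

# Prints one name per line for every function in $2.. that is NOT present
# in the disable_functions value of the php.ini given as $1.
# Lines starting with ';' are php.ini comments and are ignored because the
# pattern requires the directive at the start of the line.
missing_disabled() {
  ini="$1"; shift
  # take the last uncommented disable_functions line, keep the part after '=',
  # drop quotes and whitespace, then split the comma list one per line
  enabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/"//g' -e 's/[[:space:]]//g' | tr ',' '\n')
  for f in "$@"; do
    # -x: whole-line match, so "exec" does not match "pcntl_exec"
    if ! printf '%s\n' "$enabled" | grep -qx "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Usage on a real box (exit status of grep is not used; read the output):
#   missing_disabled /etc/php.ini exec passthru popen proc_open shell_exec system
```

Run it against `/etc/php.ini` with the names from Harald's list; an empty output means every name you passed is already disabled. The check only looks at the main php.ini, so if PHP loads extra `.ini` files from a conf.d directory, run it against those as well.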