
Disable shell command from PHP for all domains?

j Zim (Guest):
It seems that a customer was able to upload a PHP file into the /tmp directory and then call a sh command (php <name of its file.php>) to execute the script.

At the moment I have no idea from which domain this is done, but as a quick fix I would like to disable the possibility to execute sh/shell commands for all my customers using PHP scripts.

Is that possible by changing the php5.ini file (disable_functions), or will doing it this way cause trouble with Plesk or other admin scripts (like phpMyAdmin, etc.)?

Thanks in advance for your help.
JZ
 
No, that should be fine - Plesk uses its own php.ini file for its own web processes, so it should be safe to turn them off.

This is what I use in my disable_functions:

disable_functions = dl, exec, passthru, pcntl_exec, popen, posix_kill, posix_mkfifo, posix_setuid, proc_close, proc_open, proc_terminate, shell_exec, system, ftp_exec, leak, posix_setpgid, posix_setsid, proc_get_status, proc_nice, show_source, escapeshellcmd

Also, it's a good idea to set these:
expose_php = Off
enable_dl = Off
allow_url_include = Off
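
As an added check that is not part of the original thread: a small Python script that reads a php.ini the way the reply above describes and reports which of the listed functions are still callable and which of the three extra directives are not switched off. The php.ini text is a constructed sample modelled on the reply, and the simplified parser and the `audit` function are mine, not Plesk's or PHP's own code.

```python
"""Audit a php.ini for the disable_functions hardening described in the reply above.

Added example for this thread, not Plesk's or PHP's own code. The parser is a
simplified php.ini reader (last occurrence of a directive wins, ';' starts a
comment, quotes around a value are stripped, [sections] are ignored).
"""
import re

# Functions listed in the reply above.
BASELINE_DISABLED = frozenset({
    "dl", "exec", "passthru", "pcntl_exec", "popen", "posix_kill", "posix_mkfifo",
    "posix_setuid", "proc_close", "proc_open", "proc_terminate", "shell_exec",
    "system", "ftp_exec", "leak", "posix_setpgid", "posix_setsid", "proc_get_status",
    "proc_nice", "show_source", "escapeshellcmd",
})

# The three extra directives the reply says to turn off.
MUST_BE_OFF = ("expose_php", "enable_dl", "allow_url_include")

# Constructed sample, modelled on the reply (not a real server's file).
SAMPLE_INI = """\
[PHP]
; hardening per the forum reply
expose_php = Off
enable_dl = Off
allow_url_include = Off
disable_functions = dl , exec , passthru , pcntl_exec , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , ftp_exec , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd
"""


def parse_ini(text):
    """Return {directive: value} with directive names lower-cased.

    Simplification: a ';' anywhere on the line starts a comment, even inside
    quotes, which is good enough for the directives checked here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def disabled_functions(directives):
    """Names in disable_functions. PHP splits on commas and whitespace,
    so the spaced-out list in the reply is parsed the same way here."""
    raw = directives.get("disable_functions", "")
    return {name.lower() for name in re.split(r"[,\s]+", raw) if name}


def ini_is_off(value):
    """Spellings PHP accepts as boolean false in php.ini."""
    return value.strip().lower() in {"off", "0", "false", "no", "none", ""}


def audit(ini_text, required_disabled=BASELINE_DISABLED, must_be_off=MUST_BE_OFF):
    """Report functions still callable and directives not switched off.

    Matching is by exact function name, as PHP does it: disabling the alias
    show_source does not disable highlight_file, for example.
    """
    directives = parse_ini(ini_text)
    disabled = disabled_functions(directives)
    bad_directives = {}
    for name in must_be_off:
        if name not in directives:
            # Conservative: an unset directive falls back to PHP's compiled-in default.
            bad_directives[name] = "<unset>"
        elif not ini_is_off(directives[name]):
            bad_directives[name] = directives[name]
    return {
        "still_enabled": sorted(required_disabled - disabled),
        "directives": bad_directives,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
    # Same file after popen is taken back out, as the follow-up post in this thread did.
    print(audit(SAMPLE_INI.replace("popen , ", "")))
```

Run it against the real file with `audit(open("/etc/php5/apache2/php.ini").read())` (path is an assumption; it varies by distribution and Plesk version). Because PHP matches disable_functions entries by exact name, the check does the same, so an alias in the list covers only that alias and not the function it points to.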
 
Hi Amin, thanks for your reply. I've added this config, but I got a call from a customer using webmail (Horde) who was not able to send email anymore (an error with sendmail, which uses popen). So I removed popen from the "disable_functions" config; do you think it's OK this way?
Cheers,
JZ
 
Should be OK, yeah - I don't use webmail on the same server that Plesk runs on, so I have mine disabled. You may also want to think about using safe_mode (if you're using a PHP version older than 5.3) and open_basedir restrictions as well, if you're not already.
 