是否可以在操作系统级别限制 php 可以通过 exec 的命令?
我目前在 CentOS 机器上托管一个 Drupal 6 站点.Drupal (CMS) 配置包含几十个不应分叉 作为一般的最佳编码实践.但是,其中一些模块按顺序使用 php exec
命令以正常运行.
I am currently hosting a Drupal 6 site on a CentOS machine. The Drupal (CMS) configuration contains a few dozen third-party modules that should not be forked as a general best coding practice. However, some of these modules make use of the php exec
command in order to function properly.
该站点允许管理员通过 UI 配置在任何页面中嵌入 php 代码片段,前提是他们有权访问 php 代码输入格式.我需要让管理员可以使用这种输入格式,因为有几个节点(页面)和面板窗格使用小的、无害的 php 代码片段,例如将特定表单嵌入到内容区域中.
The site allows for admins to embed php code snippets in any page via a UI configuration, granted that they have access to the php code input format. I need to keep this input format available to admins because there are several nodes (pages) and panel panes that make use of small, harmless php code snippets, like embedding a specific form into the content region, for example.
问题是,如果有人要破坏管理员帐户,那么他们可以在站点上运行任意 php 代码,从而通过 php 的 exec
、passthru
等 有没有什么办法,从操作系统层面,限制什么shell命令php可以通过到机器?这可以通过限制 php 中某些程序的文件权限来实现吗?
The issue is that if someone were to compromise an admin account, then they could run arbitrary php code on the site, and thus run shell commands via php's exec
, passthru
, etc. Is there any way, from an operating system level, to restrict what shell commands php can pass through to the machine? Could this be done via restricting file permissions to some programs from php?
注意:我不能使用 php.ini disable_functions 指令,因为我仍然需要 exec
在许多情况下正常运行,例如模块使用某些 shell 命令,例如视频编码.
Note: I cannot use the php.ini disable_functions directive as I still need exec
to function normally for many cases, where modules make use of certain shell commands, like video encoding, for example.
推荐答案
回答您的问题:理论上,如果您使用 PHP 可以运行命令的极其受限的帐户创建了一个用户帐户,您可以将安装调整为更安全.然而,真正的问题是管理员用户能够执行任意命令.如果发生这种情况,您将面临更大的问题.
To answer your question: in theory, if you created a user account using an extremely restricted account that PHP could run commands as, you could tune your installation to be more secure. However, the real problem is that administrator users are able to execute arbitrary commands. If that happens, you will have a significantly larger problem on your hands.
这里真正的解决方案是:
The real solution here is:
- 在 Drupal 中提交和运行任意代码的能力是一个重大风险,您可以通过不这样做来减轻这种风险.我强烈建议重新设计那些无害"的代码,因为它们会导致妥协;任意代码执行只是一种漏洞利用,还有许多其他漏洞需要担心.
- 需要运行 shell 命令的模块也是重要的安全漏洞.在某些情况下,我已经能够将执行命令的模块分叉/修补或替换为不执行命令的模块,但在某些情况下(例如视频编码),这是不可避免的.在那种情况下,我会设置一个非常受限的后端服务,前端可以与之通信.这将您的顾虑分开,让 Drupal 去做它的目的:管理和提供内容.
- The ability to submit and run arbitrary code from within Drupal is a significant risk that you can mitigate by not doing it. I strongly recommend re-designing those "harmless" bits of code, as they will lead to a compromise; arbitrary code execution is only one kind of exploit and there are many others to worry about.
- The modules that require running shell commands are also significant security vulnerabilities. In some cases, I've been able to fork/patch or replace modules executing commands with ones that don't, but in some cases (e.g. video encoding) it cannot be avoided. In that situation, I would set up a very restricted backend service that the frontend can communicate with. This separates your concerns and leaves Drupal to do what it was intended to: manage and serve content.
相关文章