php-fpm, all versions: disable_functions => no value. Is it normal?

mean

This issue allows the user to use the PHP CLI in a cronjob to execute commands such as "exec", "shell_exec" ...
Tested on AlmaLinux 8, Debian 11 and CentOS 7; disable_functions => no value is the same on all of them.
Is it normal and secure?

Example user cronjob:
*/1 * * * * php -r "file_put_contents('/home/USER/php_log.txt', shell_exec('ls -l /tmp')); " >/dev/null 2>&1
*/1 * * * * php -r "file_put_contents('/home/USER/php_log.txt', shell_exec('cat /etc/passwd')); " >/dev/null 2>&1


da info
version: 1.651
commit sha: bb6026193c5443e819d7b043749bc5cc6e898e99
OS slug: linux_amd64
detected OS slug: rhel8_amd64
package: directadmin_bb6026193c5443e819d7b043749bc5cc6e898e99_linux_amd64.tar.gz
gettext support: yes
gettext path: /usr/local/directadmin/data/lang
eol timestamp: 1880236800
eol time: Aug 1 00:00 2029

cat options.conf
# PHP Settings
php1_release=8.2
php1_mode=php-fpm
php2_release=7.4
php2_mode=php-fpm
php3_release=5.6
php3_mode=php-fpm
php4_release=no
php4_mode=php-fpm
secure_php=yes
php_ini=yes
php_timezone=Asia/Bangkok
php_ini_type=production
x_mail_header=yes

==========================================
/usr/local/php56
==========================================
|- check: /usr/local/php56/bin/php -i
disable_functions => no value => no value

|- check: /usr/local/php56/bin/php -i grep .ini
Loaded Configuration File => /usr/local/php56/lib/php.ini
Additional .ini files parsed => /usr/local/php56/lib/php.conf.d/10-directadmin.ini
user_ini.filename => .user.ini => .user.ini

|- check: /usr/local/php56/lib/php.ini
disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

|- Test PHP CLI: /usr/local/php56/bin/php -c /usr/local/php56/lib/php.ini -r 'phpinfo();' | grep 'disable_functions'
disable_functions => no value => no value


==========================================
/usr/local/php74
==========================================
|- check: /usr/local/php74/bin/php -i
disable_functions => no value => no value

|- check: /usr/local/php74/bin/php -i grep .ini
Loaded Configuration File => /usr/local/php74/lib/php.ini
Additional .ini files parsed => /usr/local/php74/lib/php.conf.d/10-directadmin.ini
user_ini.filename => .user.ini => .user.ini

|- check: /usr/local/php74/lib/php.ini
disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

|- Test PHP CLI: /usr/local/php74/bin/php -c /usr/local/php74/lib/php.ini -r 'phpinfo();' | grep 'disable_functions'
disable_functions => no value => no value


==========================================
/usr/local/php82
==========================================
|- check: /usr/local/php82/bin/php -i
disable_functions => no value => no value

|- check: /usr/local/php82/bin/php -i grep .ini
Loaded Configuration File => /usr/local/php82/lib/php.ini
/usr/local/php82/lib/php.conf.d/50-webapps.ini
user_ini.filename => .user.ini => .user.ini

|- check: /usr/local/php82/lib/php.ini
disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

|- Test PHP CLI: /usr/local/php82/bin/php -c /usr/local/php82/lib/php.ini -r 'phpinfo();' | grep 'disable_functions'
disable_functions => no value => no value

/usr/local/php82/bin/php -i | grep configure
Configure Command => './configure' '--enable-embed' '--prefix=/usr/local/php82' '--program-suffix=82' '--enable-fpm' '--with-fpm-systemd' '--enable-litespeed' '--with-config-file-scan-dir=/usr/local/php82/lib/php.conf.d' '--with-curl' '--enable-gd' '--with-gettext' '--with-jpeg' '--with-freetype' '--with-kerberos' '--with-openssl' '--with-mhash' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-pear' '--with-sodium=/usr/local' '--with-webp' '--with-xsl' '--with-zlib' '--with-zip' '--enable-bcmath' '--enable-calendar' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-soap' '--enable-mbstring' '--enable-intl' 'PKG_CONFIG_PATH=/usr/local/icu/lib/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib/x86_64-linux-gnu/pkgconfig'

/usr/local/php74/bin/php74 -i | grep configure
Configure Command => './configure' '--enable-embed' '--prefix=/usr/local/php74' '--program-suffix=74' '--enable-fpm' '--with-fpm-systemd' '--enable-litespeed' '--with-config-file-scan-dir=/usr/local/php74/lib/php.conf.d' '--with-curl' '--enable-gd' '--with-gettext' '--with-jpeg' '--with-freetype' '--with-kerberos' '--with-openssl' '--with-mhash' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-pear' '--with-sodium=/usr/local' '--with-webp' '--with-xsl' '--with-zlib' '--with-zip' '--with-iconv-dir=/usr' '--enable-bcmath' '--enable-calendar' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-soap' '--enable-mbstring' '--enable-intl' 'PKG_CONFIG_PATH=/usr/local/icu/lib/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib/x86_64-linux-gnu/pkgconfig'

/usr/local/php56/bin/php56 -i | grep configure
Configure Command => './configure' '--enable-embed' '--prefix=/usr/local/php56' '--program-suffix=56' '--enable-fpm' '--with-fpm-systemd' '--with-litespeed' '--with-config-file-scan-dir=/usr/local/php56/lib/php.conf.d' '--with-curl' '--with-gd' '--enable-gd-native-ttf' '--with-gettext' '--with-jpeg-dir=/usr/lib64' '--with-freetype-dir=/usr/lib64' '--with-libxml-dir=/usr/local/lib' '--with-kerberos' '--with-openssl' '--with-mcrypt' '--with-mhash' '--with-mysql=mysqlnd' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=mysqlnd' '--with-pcre-regex=/usr' '--with-pdo-mysql=mysqlnd' '--with-pear' '--with-png-dir=/usr/lib64' '--with-xsl' '--with-zlib' '--enable-zip' '--with-iconv-dir=/usr' '--enable-bcmath' '--enable-calendar' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-soap' '--enable-mbstring' '--with-icu-dir=/usr' '--enable-intl' 'CXXFLAGS=-std=c++11 '-DU_USING_ICU_NAMESPACE=1''



There is no configuration set for disable_functions in
/usr/local/php56/lib/php.conf.d/10-directadmin.ini
/usr/local/php82/lib/php.conf.d/50-webapps.ini

No custom php configuration
in /usr/local/directadmin/custombuild/custom/php/

I noticed that if running with php-cgi, disable_functions is in effect.
/usr/local/php56/bin/php-cgi -i | grep disable_functions
<tr><td class="e">disable_functions</td><td class="v">exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname</td><td class="v">exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname</td></tr>


==========================================
Test Custom php.ini
==========================================
/root/php.ini
disable_functions=exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

/usr/local/php82/bin/php -c /root/php.ini -i | grep disable_f
disable_functions => no value => no value


==========================================
cat /usr/local/directadmin/custombuild/configure/php/configure.php82
==========================================
Code:
#!/bin/sh
./configure --enable-embed \
        --prefix=/usr/local/php82 \
        --program-suffix=82 \
        --enable-fpm \
        --with-fpm-systemd \
        --enable-litespeed \
        --with-config-file-scan-dir=/usr/local/php82/lib/php.conf.d \
        --with-curl \
        --enable-gd \
        --with-gettext \
        --with-jpeg \
        --with-freetype \
        --with-kerberos \
        --with-openssl \
        --with-mhash \
        --with-mysql-sock=/var/lib/mysql/mysql.sock \
        --with-mysqli=mysqlnd \
        --with-pdo-mysql=mysqlnd \
        --with-pear \
        --with-sodium=/usr/local \
        --with-webp \
        --with-xsl \
        --with-zlib \
        --with-zip \
        --enable-bcmath \
        --enable-calendar \
        --enable-exif \
        --enable-ftp \
        --enable-sockets \
        --enable-soap \
        --enable-mbstring \
        --enable-intl


---------------------------------------------------
disable_functions works only with http://
---------------------------------------------------



Bash Code for test
Code:
for php_dir in /usr/local/php*; do
    # Skip glob matches that are not a PHP install
    [ -x "$php_dir/bin/php" ] || continue
    echo "=========================================="
    echo "$php_dir"
    echo "=========================================="
    # Effective value as seen by the CLI SAPI
    echo "|- check: $php_dir/bin/php -i"
    "$php_dir/bin/php" -i | grep 'disable_functions'
    echo ""
    # Which ini files the CLI actually loaded
    echo "|- check: $php_dir/bin/php -i grep .ini"
    "$php_dir/bin/php" -i | grep '\.ini$'
    echo ""
    # Value configured in the main php.ini
    echo "|- check: $php_dir/lib/php.ini"
    grep 'disable_functions =' "$php_dir/lib/php.ini"
    echo ""
    # Same check with the ini file passed explicitly
    echo "|- Test PHP CLI: $php_dir/bin/php -c $php_dir/lib/php.ini -r 'phpinfo();' | grep 'disable_functions'"
    "$php_dir/bin/php" -c "$php_dir/lib/php.ini" -r 'phpinfo();' | grep 'disable_functions'
    echo ""
    echo ""
done
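
Added example (not part of the original post, and not DirectAdmin code): the manual comparison above, automated as a shell check that parses the three output formats shown in the thread and reports how many configured functions a SAPI does not enforce. The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: does each SAPI enforce the disable_functions list from php.ini?
# All sample inputs are constructed, in the three formats shown in the thread.

# php.ini line "disable_functions = a,b" -> "a,b" (commented-out lines ignored)
df_from_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

# "php -i" text line "disable_functions => local => master" -> local value
df_from_cli() {
    sed -n 's/^disable_functions => //p' | sed 's/ => .*$//; s/^no value$//'
}

# "php-cgi -i" HTML row -> first value cell; any other rendering yields ""
df_from_cgi() {
    sed -n 's/.*<td class="e">disable_functions<\/td><td class="v">\([^<]*\)<\/td>.*/\1/p'
}

# Print each function in list $1 that is absent from list $2 (comma-separated)
missing_from() {
    have=",$(printf '%s' "$2" | tr -d ' '),"
    for fn in $(printf '%s' "$1" | tr ',' ' '); do
        case "$have" in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# report LABEL CONFIGURED EFFECTIVE
report() {
    n=$(missing_from "$2" "$3" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then echo "$1: OK"; else echo "$1: DRIFT ($n not enforced)"; fi
}

SAMPLE_INI='; constructed sample
disable_functions = exec,system,shell_exec,proc_open'
SAMPLE_CLI='disable_classes => no value => no value
disable_functions => no value => no value'
SAMPLE_CGI='<tr><td class="e">disable_functions</td><td class="v">exec,system,shell_exec,proc_open</td><td class="v">exec,system,shell_exec,proc_open</td></tr>'

demo() {
    want=$(printf '%s\n' "$SAMPLE_INI" | df_from_ini)
    report cli "$want" "$(printf '%s\n' "$SAMPLE_CLI" | df_from_cli)"
    report cgi "$want" "$(printf '%s\n' "$SAMPLE_CGI" | df_from_cgi)"
}
demo
```

On a real host, feed `/usr/local/php82/lib/php.ini` to `df_from_ini` and the output of `/usr/local/php82/bin/php -i` to `df_from_cli`. The result is a configuration-drift check, not a containment guarantee for users who can start the CLI binary themselves.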
 
Yes, it is normal (only for CLI) on the DirectAdmin panel. (It is somewhere in the patch notes.)

If you want some functions disabled, you need to provide them on the command line:

php -d disable_functions="exec,shell_exec" test.php
 
Hi @jamgames2

Is it normal?

I see the previously installed version is still functional.
DA has been patched and updated since which version?

[root@ns130 ~]# da info
version: 1.645
commit sha: c52eab63c147d7c6ca97405d0b87272465465d20
OS slug: linux_amd64
detected OS slug: rhel7_amd64
package: directadmin_c52eab63c147d7c6ca97405d0b87272465465d20_linux_amd64.tar.gz
gettext support: yes
gettext path: /usr/local/directadmin/data/lang
eol timestamp: 1725148800
eol time: Sep 1 00:00 2024

[root@ns130 ~]# /usr/local/php56/bin/php -i | grep disable
Virtual Directory Support => disabled
Thread Safety => disabled
Zend Signal Handling => disabled
DTrace Support => disabled
disable_classes => no value => no value
disable_functions => exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
HTTP input encoding translation => disabled
bzip2 compression => disabled (install pecl/bz2)

/usr/local/php56/bin/php -i | grep configure
Configure Command => './configure' '--prefix=/usr/local/php56' '--program-suffix=56' '--enable-fpm' '--with-fpm-systemd' '--with-config-file-scan-dir=/usr/local/php56/lib/php.conf.d' '--with-curl' '--with-gd' '--enable-gd-native-ttf' '--with-gettext' '--with-jpeg-dir=/usr/local/lib' '--with-freetype-dir=/usr/local/lib' '--with-libxml-dir=/usr/local/lib' '--with-kerberos' '--with-openssl' '--with-mcrypt' '--with-mhash' '--with-mysql=mysqlnd' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=mysqlnd' '--with-pcre-regex=/usr/local' '--with-pdo-mysql=mysqlnd' '--with-pear' '--with-png-dir=/usr/local/lib' '--with-xsl' '--with-zlib' '--enable-zip' '--with-iconv=/usr/local' '--enable-bcmath' '--enable-calendar' '--enable-exif' '--enable-ftp' '--enable-sockets' '--enable-soap' '--enable-mbstring' '--with-icu-dir=/usr/local/icu' '--enable-intl' 'CXXFLAGS=-std=c++11 '-DU_USING_ICU_NAMESPACE=1''
 
I can't remember, but it is in the patch notes of some version that is not too old, around 1.62*v - 1.64*v.
 
Hmmz... I'm not too happy about that either. If I disable php functions then it shouldn't matter if they are called by http or by cli. :(
 
mod_php, suphp and mod_ruid2 will be deprecated beginning with v1.647.

I understand that before the patch it was difficult to customize "disable_functions" for user settings.
For example, if there is a declaration in php.ini, "proc_open" cannot be overwritten by php-fpm.conf and .user.ini.

I think configuring "disable_functions=" based on php.ini and customizing it in
/usr/local/directadmin/data/users/{USER}/php/php-fpmX.conf for each user is also a good choice.

Currently we are giving users access to the PHP CLI via the Terminal (DA PRO feature) and SSH support, but "disable_functions" is a good standard security feature.

Otherwise, users will be able to use dangerous commands in the CLI without being restricted, and can access and manipulate files and directories indiscriminately, causing severe impact and system crashes, for example by writing a command to create a huge number of files.

How can I customize this to use disable_functions with php.ini as before?

Or is the current patch already secure? What do you think?

Finally, I'm okay with it if you need to allow all functions on the PHP CLI.
 
Hmmm.
Patch or not, it doesn't take care of the security that you want.

I just do something like this.
Code:
php -n test.php

This means I can run any function without caring about your disable_functions.


If I remember right, they were talking about it being difficult to develop other apps, like plugins, or other apps that use the "PHP" CLI binary.

@fln
But it is a good time to remove this patch, right? Because you pack your app into the DirectAdmin binary already. Or are there other issues that mean this patch is still kept like this? It is useless to us. It just makes us confused.
 
I don't care. If the disabled_functions is filled in c.q. configured to protect in the global php.ini file, it should protect the whole server including commandline imho.
 