Hmm, how about this: https://github.com/tgies/copy-fail-c/blob/main/README.md
I think we should at least add pcntl_exec to php's disable_functions and set ffi.enable = false.
But this still leaves a lot of room for other things like user cron jobs.
Uploading a binary with ftp, calling it using a cronjob is still game over for many servers.
A perl -pi -e 's/cron=ON/cron=OFF/' /usr/local/directadmin/data/users/*/user.conf is somewhat safer for now. Existing crons keep working but users can't add them using the DA interface.
Giving users ssh access is something you might reconsider for now.
Any more tips?
John
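A read-only audit of the settings mentioned in the post above, as an added example (not part of the original post and not DirectAdmin tooling). The function names are hypothetical, the php.ini path is supplied by the caller, and treating an unset ffi.enable as a gap is an assumption based on PHP's default of "preload".

```shell
#!/bin/sh
# Added example: reports servers/users where the mitigations are not yet applied.
# It only reads files; it changes nothing.

# ini_value FILE KEY: print the last uncommented value of KEY in a php.ini-style file.
ini_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }                      # skip commented-out lines
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/;.*$/, "", v)               # drop trailing inline comment
                gsub(/^[ \t"]+|[ \t"]+$/, "", v) # trim spaces and quotes
                last = v
            }
        }
        END { print last }' "$1"
}

# php_ini_gaps FILE: print one line per missing setting; return 1 if any is missing.
php_ini_gaps() {
    gaps=0
    disabled=$(ini_value "$1" disable_functions | tr -d ' \t')
    case ",$disabled," in
        *,pcntl_exec,*) ;;
        *) echo "$1: pcntl_exec not in disable_functions"; gaps=1 ;;
    esac
    ffi=$(ini_value "$1" ffi.enable | tr 'A-Z' 'a-z')
    case "$ffi" in
        false|off|no|0) ;;
        *) echo "$1: ffi.enable is '${ffi:-unset}', expected false"; gaps=1 ;;
    esac
    return "$gaps"
}

# cron_enabled_users DIR: print users whose user.conf still contains cron=ON.
cron_enabled_users() {
    for conf in "$1"/*/user.conf; do
        [ -f "$conf" ] || continue
        if grep -qx 'cron=ON' "$conf"; then basename "$(dirname "$conf")"; fi
    done
}

# Usage: audit.sh /path/to/php.ini /usr/local/directadmin/data/users
if [ "$#" -eq 2 ]; then
    php_ini_gaps "$1" || true
    cron_enabled_users "$2"
fi
```

Run it once per php.ini in use, since each installed PHP version normally has its own file.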