
PHP-FPM php hacking shell jailed?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by pamamolf, Jun 19, 2014.

  1. pamamolf

    pamamolf (Premium Member)
    Hi

    Is it possible, if a user hacks the software on the server and uploads a hacked PHP shell, to make it not possible to view other files and folders above the public folder?

    I know that it may be bypassed, but it would be great to at least make it not so easy to do.

    Thanks

     
  2. eva2000

    eva2000 (Administrator, Staff Member)
    Yes, that is a possibility, because PHP-FPM and Nginx both run as the nginx user and group right now.

    The jailed chroot user feature I have planned should in theory limit this, as each Nginx vhost and its associated jailed chrooted user account will run as its own user and group and be locked to within its own account directory, which would be in either the /home/chroot_sftp/home/username or /home/chroot_shell/home/username structure.

    Then each Nginx vhost user will also have their own PHP-FPM pool and config file, i.e. /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf, each running as its own user and group, unique from other jailed chrooted users.

    See preview at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/

    However, if your web app/PHP software gets compromised and the hacker uploads a PHP shell, they'd still have access within your jailed environment, within either /home/chroot_sftp/home/username or /home/chroot_shell/home/username.

    You could then start disabling PHP functions if your PHP web app doesn't require them.

    For example, within /usr/local/lib/php.ini, for security reasons you may want to disable some PHP functions:

    Code:
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen
    
    Then restart the php-fpm service.

    When the jailed chrooted user features come into play in future, you could also set disable_functions per Nginx vhost, per PHP-FPM pool, in the PHP-FPM pool's config file /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf with:

    Code:
    php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
    Then restart the php-fpm service.

    Then, if a PHP file uses one of the disabled functions, you will find something like this in your PHP-FPM error log:

    Code:
    tail -50 /var/log/php-fpm/www-php.error.log
    
    [18-Jun-2014 22:25:19 UTC] PHP Warning:  shell_exec() has been disabled for security reasons in /path/to/php/file/using/the/disabled/function.php on line 3
    IMPORTANT

    The key is ultimately prevention, so keeping PHP web apps up to date would be the best thing, especially for forum, CMS and blogging software like WordPress, Joomla, Drupal etc.
     
  3. rdan

    rdan (Well-Known Member)
    Use XenForo, and you will not be worried about security
    :p for vb and ipb :D
     
  4. pamamolf

    pamamolf (Premium Member)
    Why is it more secure?
     
  5. rdan

    rdan (Well-Known Member)
    Ask Kier and Mike (the XenForo Devs) :)
    BTW, Sorry I can't answer your question as to why :D
    Probably they are the most experienced developers out there.
     
  6. eva2000

    eva2000 (Administrator, Staff Member)
    Don't forget that with any PHP software there are 2 factors: the core code, and extensions, addons and plugins. Core code is by the core developers, and extensions and addons are done by 3rd parties. With PHP, security flaws can be found either in core code or in extensions or addons. For example, WordPress core or WordPress plugins.
     
  7. eva2000

    eva2000 (Administrator, Staff Member)
    Playing around with a script, checkphp.sh, to regularly check the PHP error log for PHP warnings about disable_functions entries that are being used by PHP scripts, if you have set a disable_functions list in php.ini. Added both email and pushover.net notifications to the script, thanks to @Matt's heads up on pushover.net API usage https://community.centminmod.com/threads/pushover.142/ :)

    checkphp.sh checks the PHP error logs filtered by the current day, so you don't end up with duplicate notifications from previous days. Still a work in progress :)

    Code:
    /root/tools/checkphp.sh 
    
    PHP Warning: exec usage detected
    PHP Warning: passthru usage detected
    PHP Warning: popen usage detected
    PHP Warning: proc_open usage detected
    PHP Warning: shell_exec usage detected
    PHP Warning: system usage detected
    
    check completed in .316732820 seconds
    [Image: pushover_phpdisabled_functions_notify.png]
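The log-scanning idea behind checkphp.sh, as an added example that is not the thread's own script: it takes the "has been disabled for security reasons" warning format eva2000 quotes in post 2, filters one day's worth of it (so yesterday's hits are not reported again), summarises which disabled functions were called and from which files, and hands the result to a notifier. The sample log lines are constructed for the demonstration; the log path, the function names and the Pushover environment variables (PUSHOVER_TOKEN, PUSHOVER_USER) are assumptions, not anything from Centmin Mod's code.

```shell
#!/usr/bin/env bash
# Added example (not Centmin Mod's checkphp.sh): scan a PHP-FPM error log for
# "has been disabled for security reasons" warnings for one day, summarise
# which disabled functions were called and from which files, and notify.
set -u

# day_warnings LOGFILE DAY
# Emits the raw warning lines for DAY, given in the log's own date format
# (e.g. 18-Jun-2014). Only disabled-function warnings pass the filter.
day_warnings() {
    grep -F "[$2 " "$1" | grep -F 'has been disabled for security reasons'
}

# scan_disabled_functions LOGFILE [DAY]
# Prints "<count> <function>" per distinct function, most frequent first.
# DAY defaults to today in UTC, matching the UTC timestamps in the log.
scan_disabled_functions() {
    local logfile="$1" day="${2:-$(date -u +%d-%b-%Y)}"
    day_warnings "$logfile" "$day" \
      | sed -E 's/.*PHP Warning:[[:space:]]+([A-Za-z0-9_]+)\(\) has been disabled.*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offending_files LOGFILE [DAY]
# Prints each script path that triggered a warning, once. A path under an
# uploads directory is the usual sign of a dropped web shell.
offending_files() {
    local logfile="$1" day="${2:-$(date -u +%d-%b-%Y)}"
    day_warnings "$logfile" "$day" \
      | sed -E 's/.* in (.*) on line [0-9]+$/\1/' \
      | sort -u
}

# build_report LOGFILE [DAY]
# Assembles the notification text; prints nothing if nothing was found.
build_report() {
    local summary files
    summary="$(scan_disabled_functions "$1" "${2:-}")"
    [ -n "$summary" ] || return 0
    files="$(offending_files "$1" "${2:-}")"
    printf '%s\n' "$summary" | awk '{print "PHP Warning: " $2 " usage detected (" $1 "x)"}'
    printf 'Files:\n%s\n' "$files"
}

# notify MESSAGE
# Posts to the Pushover message API when PUSHOVER_TOKEN and PUSHOVER_USER are
# set (assumed environment variables), otherwise prints to stdout so the
# script is still useful from cron with MAILTO set.
notify() {
    local msg="$1"
    if [ -n "${PUSHOVER_TOKEN:-}" ] && [ -n "${PUSHOVER_USER:-}" ]; then
        curl -s -F "token=$PUSHOVER_TOKEN" -F "user=$PUSHOVER_USER" \
             -F "title=PHP disable_functions usage" -F "message=$msg" \
             https://api.pushover.net/1/messages.json >/dev/null
    else
        printf '%s\n' "$msg"
    fi
}

# Constructed sample log for the demonstration; in production point at
# /var/log/php-fpm/www-php.error.log (or the per-pool log) instead.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[17-Jun-2014 09:12:01 UTC] PHP Warning:  exec() has been disabled for security reasons in /home/nginx/domains/example.com/public/old.php on line 12
[18-Jun-2014 22:25:19 UTC] PHP Warning:  shell_exec() has been disabled for security reasons in /home/nginx/domains/example.com/public/wp-content/uploads/x.php on line 3
[18-Jun-2014 22:25:20 UTC] PHP Warning:  system() has been disabled for security reasons in /home/nginx/domains/example.com/public/wp-content/uploads/x.php on line 4
[18-Jun-2014 22:26:02 UTC] PHP Warning:  shell_exec() has been disabled for security reasons in /home/nginx/domains/example.com/public/wp-content/uploads/x.php on line 3
[18-Jun-2014 23:00:00 UTC] PHP Notice:  Undefined variable: foo in /home/nginx/domains/example.com/public/index.php on line 9
EOF

# Report the constructed day; drop the day argument to report today (UTC).
if report="$(build_report "$SAMPLE_LOG" 18-Jun-2014)" && [ -n "$report" ]; then
    notify "$report"
fi
```

Run it from cron once a day per PHP-FPM pool log; because the day filter uses the log's own date format, a pool whose log is written in another time zone needs the DAY argument computed to match, otherwise hits near midnight are missed or double-reported.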