PHP-FPM php hacking shell jailed?

Yes that is a possibility due to PHP-FPM and Nginx both running in nginx user and groups right now.

Jailed chroot user I have planned should in theory limit this as each Nginx vhost and associated jailed chrooted user account will run on it's own user and group and be locked to within it's own account directory which would be in either /home/chroot_sftp/home/username or /home/chroot_shell/home/username structure.

Then each Nginx vhost user will also have their own PHP-FPM pools and config files i.e. /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf each running on their own user and group unique from other jailed chrooted users.

See preview at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/

However, if your web app/php software get's compromised, and hacker uploads a PHP shell, they'd still have access within your jailed environment within either /home/chroot_sftp/home/username or /home/chroot_shell/home/username

You could then start disabling PHP functions if your php web app doesn't require them.

For example, within /usr/local/lib/php.ini for security reasons you may want to disable some PHP functions:

Code:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen

Then restart php-fpm service

When Jailed chrooted user features come into play in future, you could also set disable_functions on a per Nginx vhost per PHP-FPM pool basis in the PHP-FPM pool's config file /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf with:

Code:

php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

Then restart php-fpm service

Then if a php file uses one of the disabled functions, you will find something like this in your PHP-FPM error logs

Code:

tail -50 /var/log/php-fpm/www-php.error.log

[18-Jun-2014 22:25:19 UTC] PHP Warning:  shell_exec() has been disabled for security reasons in /path/to/php/file/using/the/disabled/function.php on line 3

IMPORTANT

The key is ultimately prevention, so keeping PHP web apps up to date would be best thing, especially for forum, CMS and blogging software like Wordpress, Joomla, Drupal etc.

 

Don't forget with any php software there's 2 factors, the core code + an extensions, addons and plugins. Core code is by the core developers and extensions and addons done by 3rd parties. With php security flaws can either be found in core code or in extensions or addons. For example Wordpress core or Wordpress plugins.

 

Playing around with a script, checkphp.sh to regularly check PHP error log for PHP warnings for disabled_functions which are being used by PHP scripts if you have set disabled_functions list in php.ini. Added both email and pushover.net notifications to the script thanks to @Matt heads up on pushover.net API usage https://community.centminmod.com/threads/pushover.142/

checkphp.sh checks the php error logs filtered by current day, so you don't end up with duplicate notifications from previous days. Still a work in progress

Code:

/root/tools/checkphp.sh 

PHP Warning: exec usage detected
PHP Warning: passthru usage detected
PHP Warning: popen usage detected
PHP Warning: proc_open usage detected
PHP Warning: shell_exec usage detected
PHP Warning: system usage detected

check completed in .316732820 seconds