Hi Is it possible if a user hack the software on the server and upload a hack php shell to not possible to view other files and folders before public folder? I know that it may bypass it but it will be great at least to not be able to do it so easy. Thanks
Yes that is a possibility due to PHP-FPM and Nginx both running in nginx user and groups right now. Jailed chroot user I have planned should in theory limit this as each Nginx vhost and associated jailed chrooted user account will run on it's own user and group and be locked to within it's own account directory which would be in either /home/chroot_sftp/home/username or /home/chroot_shell/home/username structure. Then each Nginx vhost user will also have their own PHP-FPM pools and config files i.e. /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf each running on their own user and group unique from other jailed chrooted users. See preview at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ However, if your web app/php software get's compromised, and hacker uploads a PHP shell, they'd still have access within your jailed environment within either /home/chroot_sftp/home/username or /home/chroot_shell/home/username You could then start disabling PHP functions if your php web app doesn't require them. For example, within /usr/local/lib/php.ini for security reasons you may want to disable some PHP functions: Code: disable_functions = exec,passthru,shell_exec,system,proc_open,popen Then restart php-fpm service When Jailed chrooted user features come into play in future, you could also set disable_functions on a per Nginx vhost per PHP-FPM pool basis in the PHP-FPM pool's config file /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf with: Code: php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen Then restart php-fpm service Then if a php file uses one of the disabled functions, you will find something like this in your PHP-FPM error logs Code: tail -50 /var/log/php-fpm/www-php.error.log [18-Jun-2014 22:25:19 UTC] PHP Warning: shell_exec() has been disabled for security reasons in /path/to/php/file/using/the/disabled/function.php on line 3 IMPORTANT The key is ultimately prevention, so keeping PHP web apps up to date would be best thing, especially for forum, CMS and blogging software like Wordpress, Joomla, Drupal etc.
Ask Kier and Mike (the XenForo Devs) BTW, Sorry I can't answer your question as to why Probably they are the most experienced developer out there.
Don't forget with any php software there's 2 factors, the core code + an extensions, addons and plugins. Core code is by the core developers and extensions and addons done by 3rd parties. With php security flaws can either be found in core code or in extensions or addons. For example Wordpress core or Wordpress plugins.
Playing around with a script, checkphp.sh to regularly check PHP error log for PHP warnings for disabled_functions which are being used by PHP scripts if you have set disabled_functions list in php.ini. Added both email and pushover.net notifications to the script thanks to @Matt heads up on pushover.net API usage https://community.centminmod.com/threads/pushover.142/ checkphp.sh checks the php error logs filtered by current day, so you don't end up with duplicate notifications from previous days. Still a work in progress Code: /root/tools/checkphp.sh PHP Warning: exec usage detected PHP Warning: passthru usage detected PHP Warning: popen usage detected PHP Warning: proc_open usage detected PHP Warning: shell_exec usage detected PHP Warning: system usage detected check completed in .316732820 seconds