: Sudo mandatory for system() or exec() from PHP 5 In our enterprise we have several workers and collaborators. For the external collaborators, we have specific FTP accounts to restricted folders
In our enterprise we have several workers and collaborators. For the external collaborators, we have specific FTP accounts to restricted folders (test folders), and restricted access to MySQL database with priviledges. However, we have discovered that they can upload a PHP file with
system("rm -r *");
and it will perfectly work, for all paths, including at the top level of the FTP directory.
How can we prevent this from happening? Is there any way in some config file that we can have the above command to fail, and the need to use:
system("sudo -uUSER -pPASSWORD rm -r *");
so we will only give those user and password credentials to trusted collaborators, and the others can continue working without us being afraid of any fool play from their part?
More posts by @Eichhorn148
1 Comments
Sorted by latest first Latest Oldest Best
The most secure thing to do in this instance is to prevent these temporary user accounts from having sudo access on the server. If they are able to upload a PHP file to the server and run it through their browser then this is a greater security hole than you may realise. On the first hand the server could be misconfigured to run PHP files as the user who uploaded them in which case that indicates that all these temporary contract users have been given root level sudo access which they shouldn't have. In the other case if the server is running all PHP files under the web server user (similar to www-user) which is the way it should be configured that then indicates that the www-user account has sudo access which is even more dangerous as anyone who connects to the web server can then run a sudo command if they can feed one in through a badly written PHP file that does not prevent dangerous commands being passed through it.
Best thing here is to limit sudo access to staff who absolutely need it and absolutely disable it for the apache www-user account.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.