Open shoulders opened 7 months ago
Is this really a strong feature to disable what users can do in PHP though? For example, even if they can't call mail()
then could still shell out to the sendmail
command or make an SMTP connection to localhost
to send email.
Is this really a strong feature to disable what users can do in PHP though? For example, even if they can't call
mail()
then could still shell out to thesendmail
command or make an SMTP connection tolocalhost
to send email.
Some functions in PHP are considered "potentially dangerous functions". E.g. shell_exec
, exec
, passthru
, mail
, anything that lets ordinary users elevate privileges e.g. run a binary with setuid
/setgid
bit, read or write data they should not be allowed to, in other words functions that provide sys admin privileges which popular remote shell apps use to exploit the server to perform DoS attacks against internet targets, send bulk junk email, and attack other user accounts on the system. To prevent this, you need to enforce isolation between user accounts so they can't discover names of other accounts on the system e.g. with cpanel CloudLinux OS which isolates users from discovering other account names on the server (docker
containerization), limit excessive self allocation of CPU or RAM resources (cgroups
), and limit any "bad neighbor" behavior on the system.
The Issue
This value is edited often and does not have anything in the GUI. I know you can edit the the configuration manually.
Solution
Add an ability in the GUI to edit this option with the following consideration.
I will be adding a feature request to allow end users to be able to alter 'Resource Limits' but not be able to alter other sensitive PHP options such as getting access to the
Edit Configuration Manually
So perhaps it should have its own icon and then this can be controlled by permissions.
I know cPanel you can disable functions but clients cannot re-enable some of them using the php.ini
Example of why
I want to disable
mail()
server wide (via server template), and not allow clients to turn it back on, but allow them to increase their upload value from 2M to 8M and so on.Additional