我目前在 CentOS 机器上托管一个 Drupal 6 站点.Drupal (CMS) 配置包含几十个不应分叉 作为一般的最佳编码实践.但是,其中一些模块按顺序使用 php exec
命令以正常运行.
I am currently hosting a Drupal 6 site on a CentOS machine. The Drupal (CMS) configuration contains a few dozen third-party modules that should not be forked as a general best coding practice. However, some of these modules make use of the php exec
command in order to function properly.
该站点允许管理员通过 UI 配置在任何页面中嵌入 php 代码片段,前提是他们有权访问 php 代码输入格式.我需要让管理员可以使用这种输入格式,因为有几个节点(页面)和面板窗格使用小的、无害的 php 代码片段,例如将特定表单嵌入到内容区域中.
The site allows for admins to embed php code snippets in any page via a UI configuration, granted that they have access to the php code input format. I need to keep this input format available to admins because there are several nodes (pages) and panel panes that make use of small, harmless php code snippets, like embedding a specific form into the content region, for example.
问题是,如果有人要破坏管理员帐户,那么他们可以在站点上运行任意 php 代码,从而通过 php 的 exec
、passthru
等 有没有什么办法,从操作系统层面,限制什么shell命令php可以通过到机器?这可以通过限制 php 中某些程序的文件权限来实现吗?
The issue is that if someone were to compromise an admin account, then they could run arbitrary php code on the site, and thus run shell commands via php's exec
, passthru
, etc. Is there any way, from an operating system level, to restrict what shell commands php can pass through to the machine? Could this be done via restricting file permissions to some programs from php?
注意:我不能使用 php.ini disable_functions 指令,因为我仍然需要 exec
在许多情况下正常运行,例如模块使用某些 shell 命令,例如视频编码.
Note: I cannot use the php.ini disable_functions directive as I still need exec
to function normally for many cases, where modules make use of certain shell commands, like video encoding, for example.
回答您的问题:理论上,如果您使用 PHP 可以运行命令的极其受限的帐户创建了一个用户帐户,您可以将安装调整为更安全.然而,真正的问题是管理员用户能够执行任意命令.如果发生这种情况,您将面临更大的问题.
To answer your question: in theory, if you created a user account using an extremely restricted account that PHP could run commands as, you could tune your installation to be more secure. However, the real problem is that administrator users are able to execute arbitrary commands. If that happens, you will have a significantly larger problem on your hands.
这里真正的解决方案是:
The real solution here is:
这篇关于是否可以在操作系统级别限制 php 可以通过 exec 的命令?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!