Secure_php.sh missing?

heart1010 · October 24, 2023, 10:23am

This mentioned secure_php.sh isn’t there after an upgrade from 1.8.8 to 1.8.9, correct? So we have to manually add that file from github?

# ll /usr/local/hestia/install/upgrade/manual
drwxrwxr-x root root 4.0 KB Tue Oct 24 11:54:31 2023  .
drwxrwxr-x root root 4.0 KB Tue Oct 24 11:54:31 2023  ..
.rwxr-xr-x root root 2.6 KB Tue Oct 24 11:00:28 2023  configure-server-smtp.sh
.rwxr-xr-x root root 534 B  Tue Oct 24 11:00:28 2023  disable-non-tls-auth.sh
.rw-r--r-- root root 524 B  Wed May 26 14:44:13 2021  drop_all_tables.sql
.rwxr-xr-x root root 1.7 KB Tue Oct 24 11:00:28 2023  install_awstats_geoip.sh
.rwxr-xr-x root root 1.8 KB Tue Oct 24 11:00:28 2023  install_awstats_geoip2.sh
.rwxr-xr-x root root 6.2 KB Tue Oct 24 11:00:28 2023  install_sieve.sh
.rwxr-xr-x root root 3.0 KB Tue Oct 24 11:00:28 2023  migrate_apache.sh
.rwxr-xr-x root root 2.7 KB Tue Oct 24 11:00:28 2023  migrate_mpm_event.sh
.rwxr-xr-x root root 6.1 KB Tue Oct 24 11:00:28 2023  migrate_multiphp.sh
.rwxr-xr-x root root 2.2 KB Tue Oct 24 11:00:28 2023  migrate_ngnix_apache_nginx-php-fpm.sh
.rwxr-xr-x root root 7.3 KB Tue Oct 24 11:00:28 2023  migrate_phpmyadmin.sh
.rwxr-xr-x root root 2.1 KB Tue Oct 24 11:00:28 2023  migrate_roundcube.sh
.rwxr-xr-x root root 1.8 KB Tue Oct 24 11:00:28 2023  remove-mail-stack.sh
.rwxr-xr-x root root 2.1 KB Tue Oct 24 11:00:28 2023  upgrade_mariadb.sh
.rwxr-xr-x root root 901 B  Tue Oct 24 11:00:28 2023  upgrade_multi_php.sh
.rwxr-xr-x root root 2.6 KB Tue Oct 24 11:00:28 2023  upgrade_php.sh

eris · October 24, 2023, 10:29am

I merged only the last commit instead of the brach … Will release 1.8.10 quickly

Sich · October 24, 2023, 12:22pm

Can we get the exact functions that you added for this security patch ?
As I have already a custom “disable_functions” on my install I can’t just run the sed command !

For what I have read, I have already disabled all functions that you list in your patch. But just to be sure

eris · October 24, 2023, 12:24pm

It was by default “empty” so everything… (For 8.2 and 8.1) For the other php versions slightly different …

It is the same as MyVesta disable functions…

sahsanu · October 24, 2023, 6:47pm

Disabling all the proposed functions could cause a lot of issues so take care.

Here some examples of php apps that are using some of the disabled functions:

Yourls

$ list_used_php_disabled_functions /home/test/web/yourls.example.com/public_html/
Checking php disabled functions but used in /home/test/web/yourls.example.com/public_html/

exec

Grav

$ list_used_php_disabled_functions /home/test/web/grav.example.com/public_html/
Checking php disabled functions but used in /home/test/web/grav.example.com/public_html/

pcntl_signal
pcntl_signal_dispatch
pcntl_sigprocmask
exec
system
passthru
shell_exec
proc_open

NextCloud

$ list_used_php_disabled_functions /home/test/web/nextcloud.example.com/public_html/
Checking php disabled functions but used in /home/test/web/nextcloud.example.com/public_html/

pcntl_waitpid
pcntl_signal
pcntl_signal_dispatch
pcntl_strerror
pcntl_sigprocmask
pcntl_exec
pcntl_getpriority
pcntl_setpriority
exec
system
passthru
shell_exec
proc_open
popen

Roundcube

$ list_used_php_disabled_functions /var/lib/roundcube
Checking php disabled functions but used in /var/lib/roundcube

pcntl_signal
exec
system
passthru
shell_exec
proc_open
popen

Hestia

$ list_used_php_disabled_functions /usr/local/hestia/web/
Checking php disabled functions but used in /usr/local/hestia/web/

pcntl_signal
pcntl_signal_dispatch
pcntl_sigprocmask
exec
system
passthru
shell_exec
popen

eris · October 24, 2023, 7:36pm

For Yourls it is only in tests

github.com

YOURLS/YOURLS/blob/859289c51bc1e3ee51db19b259a15114783ae9cf/tests/tests/auth/auth.php#L175


      
          
              // Encrypt file
              $this->assertTrue( yourls_hash_passwords_now( $config_file ) );
          
              // Make sure encrypted file is still valid PHP with no syntax error
              if( !defined( 'YOURLS_PHP_BIN' ) ) {
                  $this->markTestSkipped( 'No PHP binary defined -- cannot check file hashing' );
                  return;
              }
          
              exec( YOURLS_PHP_BIN . ' -l ' .  escapeshellarg( $config_file ), $output, $return );
              $this->assertEquals( 0, $return );
          }
          
          /**
           * Check that encrypting un-writable file returns expected error
           */
          public function test_hash_passwords_now_unwritable() {
              // generate un-writable file
              $file = YOURLS_TESTDATA_DIR . '/auth/unwritable.php';
              touch( $file );

Unless you develop it you should not run in to issues

For Grav…

github.com

getgrav/grav/blob/45f8fe4d0b6df28a76dc3f895ae6369a7260deb6/system/src/Grav/Common/Utils.php#L1956-L1966


      
          public static function isDangerousFunction($name): bool
          {
              static $commandExecutionFunctions = [
                  'exec',
                  'passthru',
                  'system',
                  'shell_exec',
                  'popen',
                  'proc_open',
                  'pcntl_exec',
              ];

Roundcube

I know MyVesta uses this list and they run MyVesta under the same php.ini …

Hestia
Runs under a different php version build by us …

sahsanu · October 24, 2023, 9:14pm

With my comment above, I just wanted to say that you should be careful before disabling all those functions because it is possible that the application you are going to use needs some of them.

Yeah, I know, I don’t know why I put that as an example.

I know nothing about MyVesta and maybe I’m wrong but I think they only disable functions in fpm, not in cli because if they disable them in cli they won’t be able to use update.sh script from Roundcube to update installation.

eris · October 24, 2023, 9:19pm

That might be a good point for CLI …

3rKaN_BRATTE · October 27, 2023, 11:48pm

I’ve also made modifications to the ‘disable_functions’ list because I work extensively with Laravel. However, I’m uncertain about the security implications of the current setup. Could someone kindly take a quick look at it?

disable_functions = pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_unshare,

eris · October 28, 2023, 6:28am

exec and popen are already required for composer and wp cli.

Will come next week with a new release…

pluto · December 14, 2023, 8:07am

Just a quick note that these are required for Nextcloud. I had to enable them in /etc/php/x.x/cli/php.ini so that the nextcloud occ app would stop complaining.
A client also had to enable them to get a laravel app to run.

Unfortunately they can’t be enabled on a per site basis in php.fpm pool config, or in .user.ini