Is allowing exec() function safe?

[cancer10in]

Hello Webhosters!


Do you think its safe to allow the PHP function exec() on a shared server?

If yes, why?

If No, why?


Plz explain.


Thanx in advance

 

[iHubNet-Matt]

It is not safe. The reason is it will allow to execute commands. If some vulnerable commands are executed it will cause security issues.

 

[cancer10in]

How do you diasllow system functions (like exec() system() etc ) in php.ini?

 

[qbert220]

Do you think its safe to allow the PHP function exec() on a shared server?

You'll need to think about what you mean by "safe" to get a sensible answer. Disallowing exec may restrict your hosting customers. Allowing exec may allow vulnerabilities to be exploited. Any hosting provider needs to strike a balance between the two.

IMO allowing exec in itself is not unsafe. If you allow cgi-bin scripts, then allowing exec is pretty much the same thing (there is no way to prevent a perl script from doing the same thing as PHP exec). You should depend on other security measures (such as file permissions) to prevent access of sensitive information (e.g. other users' home directories) on the server. I always configure PHP and cgi in su mode on shared servers, so allowing PHP exec is not a problem.

 

[cancer10in]

I always configure PHP and cgi in su mode on shared servers, so allowing PHP exec is not a problem.

How do I do that on my server?

 

[qbert220]

See:

http://httpd.apache.org/docs/1.3/suexec.html

and

http://www.suphp.org/Home.html

 

[~ServerPoint~]

You need to involve additional measures to protect the server and you will need to be sure about all people hosted there