Restrict exec(), system() or similar calls to everywhere except docroot for customers
It will be great if it will be possible to restrict exec(), system() or similar calls to everywhere except docroot for customers
Programs like Typo3 (admin) seem still to rely on such PHP calls to e.g. execut image magick tools.
But these calls pose a big security risk in many ways.
Unless i did not see it, currently Plesk allows these calls by default and doesn't restrict them at all.
But without restrictions (a jail) they allow access to the complete win/linux OS. So, no or at least very different resource usage control, usage of e.g. in Plesk deactivated PHP versions etc. Every bug and problem in OS bin/exec or even wrong permissions will result in system problems.
Obviously the title above could suggest that it is possible in Plesk to restrict these calls in customers docroots? That would be a solutions - maybe not the most secure but a very flexible an logical.
Having these PHP functions on by default without security in Plesk is simply wrong.
So the benefit is to avoid a default security problem while fullfilling customers needs.