Restrict exec(), system() or similar calls to everywhere except docroot for customers
It will be great if it will be possible to restrict exec(), system() or similar calls to everywhere except docroot for customers
Alexander Morgunov
shared this idea
This feature would require to replace official PHP versions by a special Plesk PHP fork, including maintenance of all such versions, updates and ongoing development just like PHP developers do it. Regarding the very low number of votes that this feature has received during many years, such an enormous effort is hard to justify. For that reason we must decline it.
-- PD
-
Ralf
commented
Programs like Typo3 (admin) seem still to rely on such PHP calls to e.g. execut image magick tools.
But these calls pose a big security risk in many ways.
Unless i did not see it, currently Plesk allows these calls by default and doesn't restrict them at all.But without restrictions (a jail) they allow access to the complete win/linux OS. So, no or at least very different resource usage control, usage of e.g. in Plesk deactivated PHP versions etc. Every bug and problem in OS bin/exec or even wrong permissions will result in system problems.
Obviously the title above could suggest that it is possible in Plesk to restrict these calls in customers docroots? That would be a solutions - maybe not the most secure but a very flexible an logical.
Having these PHP functions on by default without security in Plesk is simply wrong.
So the benefit is to avoid a default security problem while fullfilling customers needs.