0

I want to allow users to create their own apps with PHP on my webpage. The problem is they have access to some dangerous commands like chmod(). I'm not sure what to do.

I want to run their apps with eval(), but I don't know many of the dangerous commands and I want to prevent users from using any of them. So maybe someone can make a function to run die() when there is dangerous content in the code? Or maybe give a list of commands that users shouldn't be able to run?

EDIT: I don't want to disable eval(). I want to prevent users from using functions that can endanger the site.

EDIT: I don't have access to php.ini as I'm working on a subdomain and there is one php.ini for the whole domain. And I don't want to disable commands for the whole site, just for one eval...

  • @castis, I'm searching for which commands I should prevent users from using, not how to disable `eval` –  Sep 02 '16 at 15:51

2 Answers

1

Don't. There is no way to do this safely.

PHP was not designed for this application. It has no way to filter function calls at runtime.

Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:

```php
$fn = "system";
$fn("evil command");
```

or by using commands which you may not realize are equivalent to eval, such as assert, create_function, or even preg_exec in some versions of PHP.

  • Thanks for the tip. I heard that WordPress offers free use of PHP... I haven't checked that, but surely they disabled admin functions. I'm also thinking about making my own programming language. I have a great idea for a language that is fast to write and easy to read. Maybe this is going to be a better choice? –  Sep 03 '16 at 16:25
  • @Soaku Wordpress.com is (probably? I haven't looked) running your site under a different user, or even in a different virtual machine, from other sites on the same server. They also have the advantage of having much more experienced people reviewing their security design. –  Sep 03 '16 at 16:54
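The filtering problem described in the answer above, as an added example that is not part of the original answer: a text blacklist stops the direct call but lets the answer's indirect call through, while a token scan catches that one shape. The function names and the blocked list are hypothetical, and the token scan is still not a safe filter, for the reasons the answer gives.

```php
<?php
// Added illustration, not code from the answer. Names are hypothetical.
const BLOCKED = ['system', 'chmod', 'assert', 'create_function'];

// Naive filter: reject source text that contains "name(" for a blocked name.
function naive_filter_allows(string $src): bool
{
    foreach (BLOCKED as $name) {
        if (preg_match('/\b' . preg_quote($name, '/') . '\s*\(/i', $src)) {
            return false;
        }
    }
    return true;
}

// Token scan: report direct calls to blocked names and any call whose
// target is a variable (the indirect call syntax shown in the answer).
function token_findings(string $src): array
{
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $src),
        fn($t) => !is_array($t) || $t[0] !== T_WHITESPACE
    ));
    $findings = [];
    foreach ($tokens as $i => $t) {
        $next = $tokens[$i + 1] ?? null;
        if (!is_array($t) || $next !== '(') {
            continue;   // only look at "something(" pairs
        }
        if ($t[0] === T_VARIABLE) {
            $findings[] = 'indirect call through ' . $t[1];
        } elseif ($t[0] === T_STRING && in_array(strtolower($t[1]), BLOCKED, true)) {
            $findings[] = 'direct call to ' . $t[1];
        }
    }
    return $findings;
}

// Constructed samples: the second one is the snippet from the answer.
$samples = [
    'direct'   => 'system("evil command");',
    'indirect' => '$fn = "system"; $fn("evil command");',
];
foreach ($samples as $label => $src) {
    printf("%-8s naive=%s tokens=%s\n", $label,
        naive_filter_allows($src) ? 'ALLOWED' : 'blocked',
        json_encode(token_findings($src)));
}
```

Rejecting every variable call also rejects a lot of ordinary PHP, which is part of why source filtering is a poor substitute for isolating the process.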
0

In general, eval() is not the best choice; in most cases one should try something else (When is eval evil in php?).

With the above in mind, it's possible to create an (almost) safe environment.

You should create a user with very low privileges and give him the permissions only to read/write in specific folders. Then run the users' php code as this user: this will not prevent bad functions, but limit them in a sort of sandbox.

But, as duskwuff pointed out, php is not made with that in mind, so be careful!

I said almost because running arbitrary code on a machine is not safe; it cannot be safe.

EDIT 1: check out this link: https://github.com/Corveda/PHPSandbox

EDIT 2: other link: Is there a way to execute php code in a sandbox from within php

Sylter
  • But in this case `eval()` isn't really evil. I would use include, but it's easier to filter the code when you use `eval()`. –  Sep 03 '16 at 16:28
  • You're right! The solution I proposed does not use `eval()` because blacklisting or whitelisting is never a good choice when talking about security. `eval()` seems more controllable. See also my edit, it could be useful (wrong link, now it's OK). – Sylter Sep 03 '16 at 16:31
  • Added another useful link – Sylter Sep 03 '16 at 16:34
  • I'm not sure what sandboxing is. Users will have a private directory and they will only have access to it? Even when using `chmod()`? I have another solution (which I provided in a comment on duskwuff's answer), which may be better. –  Sep 03 '16 at 16:43
  • I have just realized I can't use RunKit as I work on sub-domain and there is only one php for whole domain and I don't have access to it. So there is only one solution... –  Sep 03 '16 at 17:24
  • If your user doesn't have the permission, `chmod()` would simply not work and return an error. I guess you should probably improve your *nix and php knowledge before doing this project. Sandbox is a place where your user can do everything, it's only forbidden to go outside: he cannot see/modify/delete/change files outside the sandbox, therefore even with the evilest function available the user can do nothing outside the sandbox. – Sylter Sep 04 '16 at 06:50
  • But if I'm not owner of the domain, but the sub-domain I don't have access to `php.ini` and tho. So I can't install runkit. Is there an alternate way to install it only on the sub-domain? If no, I can ask the domain owner. –  Sep 04 '16 at 06:54
  • Wait: `runkit` is one thing, creating a specific user on the server and running PHP code as this user is another. UNIX user permissions enable you to run code safely, limiting interaction with the filesystem. Here you can find how to sandbox a program (it's for a C program, but for PHP it is more or less the same): http://stackoverflow.com/questions/4249063/run-an-untrusted-c-program-in-a-sandbox-in-linux-that-prevents-it-from-opening-f – Sylter Sep 04 '16 at 09:06
  • How do I create or log in as a user? –  Sep 04 '16 at 09:07
  • Another useful link to sandbox an entire UNIX server: http://devstructure.com/sandbox/sandbox.1.html – Sylter Sep 04 '16 at 09:07
  • You do not log in as this user, you run the PHP code as a low-privileged user. Apache is itself a low-privileged user, you create a user with only the ability to see some folders, edit some files, etc. – Sylter Sep 04 '16 at 09:08
  • So how do I do it? –  Sep 04 '16 at 09:09
  • It depends on the unix system you are using, google for `create unix user unprivileged` and look for your system. Then assign to this low-privileged user the arbitrary PHP code uploaded to your service and run it – Sylter Sep 04 '16 at 09:14
  • Ok. Thanks. I will search for it somewhere. Maybe I'll understand it. –  Sep 04 '16 at 09:14
  • But if you don't know what an unprivileged user is, how to manage unix users, the basics of computer security (such as sandboxing), you probably should learn something more before trying this project. It's difficult, big and really really tough from the security point of view. Maybe creating a subset of the PHP language (aka your own programming language) is something not easier, but cooler! – Sylter Sep 04 '16 at 09:15
  • I have already tried to create my own, not advanced, compiler for Android apps, so I know some basics of it. –  Sep 04 '16 at 09:17
  • WOW! Awesome! It would be cool to provide something new also for the web development, think about it! – Sylter Sep 04 '16 at 09:18
  • I already have a project for a new lang. It's fast to write and easy to read. It could be used to run a website, to run a terminal app, create a website bot (so it can be a little dangerous) and maybe even a componental app. I run a website, currently under a little maintenance (now only in Polish, soon I'm gonna add English), maybe later I'll publish the compiler or however to call it (it runs the code, does not compile it) and some tutorials. –  Sep 04 '16 at 09:23
  • It would be awesome! I'll give it a try for sure :) – Sylter Sep 04 '16 at 14:32
  • The website address is dominik.drozak.net ;) –  Sep 04 '16 at 14:33
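One way to run uploaded PHP as a low-privileged user instead of calling eval() in the web server's own process, as the second answer and its comments describe; this is an added example, not code from the answer. It assumes a local account named `sandbox` that can only read and write under `/srv/sandbox`, a sudoers rule that lets the web server user run `/usr/bin/timeout` as that account without a password, and the binary paths shown (all hypothetical).

```php
<?php
// Added illustration, not code from the answer. The account name, paths and
// sudoers rule are assumptions described in the lead-in.

function run_untrusted(string $script, string $jail, int $seconds = 5): array
{
    $jail   = realpath($jail);
    $script = realpath($script);
    // Resolve symlinks and ".." first, then require the script to be inside the jail.
    if ($jail === false || $script === false
        || strpos($script, $jail . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('script must be inside the sandbox directory');
    }

    $cmd = [
        '/usr/bin/sudo', '-n', '-u', 'sandbox', '--',
        '/usr/bin/timeout', '--signal=KILL', (string) $seconds,
        '/usr/bin/php', '-n',             // -n: start without any php.ini
        '-d', 'open_basedir=' . $jail,    // extra layer; the user account is the real boundary
        '-d', 'memory_limit=32M',
        $script,
    ];
    $spec = [
        0 => ['file', '/dev/null', 'r'],  // no stdin
        1 => ['pipe', 'w'],               // captured output
        2 => ['file', '/dev/null', 'a'],  // discard stderr so the pipe read cannot stall
    ];
    // Separate process, working directory inside the jail, minimal environment.
    $proc = proc_open($cmd, $spec, $pipes, $jail, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start the sandboxed process');
    }
    $output = stream_get_contents($pipes[1], 65536);  // cap how much output is kept
    fclose($pipes[1]);
    $exit = proc_close($proc);  // non-zero if the script failed or timeout killed it

    return ['exit' => $exit, 'output' => $output];
}

// Example call with a constructed path:
// $result = run_untrusted('/srv/sandbox/app1/main.php', '/srv/sandbox/app1');
```

With this layout a `chmod()` call inside the uploaded script fails on any file the `sandbox` account does not own, which is the behaviour Sylter describes in the comments.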