Security - PHP disable_function recommendations

I’m interested in improving our security by disabling as many PHP functions as possible that could be risky, without “breaking” our NC functionality. The current admin manual just says

" * disable_functions: avoid disabling functions unless you know exactly what you are doing"

Sure! Disabling some functions like curl_exec results in a non-functional NC instance, or maybe you have some specific app/module that needs that function. But we can probably make some recommendations, can’t we? So I will start a list here and kindly invite you to add or remove some items.

My NC instance uses basic modules, Talk, Office, Deck, Announcements and not much more.

This is my initial setup (test environment) and it seems to be happy; probably something does not work, but I still haven’t found it:

Edited on 2023-12-05 with a long list of functions

disable_functions = apache_note, apache_setenv, chgrp, debugger_off, debugger_on, define_sys, define_syslog_variables, diskfreespace, escapeshellcmd, getmyuid, _getppid, ini_restore, leak, listen, passthru, pcntl_alarm, pcntl_async_signals, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_signal_get_handler, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_unshare, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, posix, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, show_source, system, phpinfo, exec, passthru, shell_exec, proc_open, popen, curl_multi_exec, parse_ini_file, show_source

I will update this comment as I find new issues. Please feel free to make recommendations.

Edit: to debug your instance, take a look at your administration → logging panel or at the Nextcloud log file

tail /xxxxxxxxxxx/nextcloud_logs/nextcloud.log -f

php_info should be phpinfo

You’re right. I’ve added it with a long list of functions extracted from one of our old Debian servers. NC still seems fully functional.

@gonzalo.cao Thank you for this quick list!

Originally I had the following in my disable_functions list

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare

but then swapped to trying out your list above and had one slight issue so far - the built-in security checker errors out when posix_getuid is disabled. I’ve removed that from the disabled functions and the check works again.

The only other page I’ve found so far that doesn’t work with these functions disabled is the admin/serverinfo “System” page, because it doesn’t have access to shell_exec, but that’s a fine trade-off imo.

Cheers! :slight_smile:

I did have to modify which functions I had disabled in my CLI version of PHP for running the cron tasks - it would complain if I had the posix functions disabled - which I guess makes sense from a cron/shell perspective, so just for the CLI version of PHP I took out the posix and posix_ ones, since otherwise my backend cron jobs wouldn’t work.

Came back to report that in case anyone else was running their cron in the background (and not doing it with ajax or webcron) :smiley:
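
Added example, not part of any post in this thread: a small Python check that reads the disable_functions line from the web and the CLI php.ini, reports duplicate entries, and flags the entries the posters above found to break something (posix_getuid and shell_exec on the web side, posix entries for background cron on the CLI side). The names audit and WEB_NOTES and both sample ini snippets are constructed for illustration.

```python
import re
from collections import Counter

# Breakage reported by posters in this thread (web SAPI); extend with your own findings.
WEB_NOTES = {
    "posix_getuid": "built-in security check errors out",
    "shell_exec": "admin/serverinfo 'System' page stops working",
}

def parse_disable_functions(ini_text):
    """Return the entries of the last uncommented disable_functions line, in file order."""
    entries = []
    for line in ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=\s*([^;]*)", line)
        if m:  # lines starting with ';' are comments and never match
            value = m.group(1).strip().strip('"')
            entries = [name.strip() for name in value.split(",") if name.strip()]
    return entries

def audit(web_ini, cli_ini):
    """Compare the web and CLI lists and flag what the thread ran into."""
    web, cli = parse_disable_functions(web_ini), parse_disable_functions(cli_ini)
    return {
        "web_duplicates": sorted(n for n, c in Counter(web).items() if c > 1),
        "web_known_breakage": {n: WEB_NOTES[n] for n in web if n in WEB_NOTES},
        # The thread reports background cron failing when posix entries are disabled for CLI.
        "cli_posix": sorted({n for n in cli if n == "posix" or n.startswith("posix_")}),
        "web_only": sorted(set(web) - set(cli)),
    }

# Constructed sample files: a short excerpt of the list posted above, not a real server's config.
WEB_INI = """
; hardened web pool
;disable_functions = exec
disable_functions = exec, passthru, shell_exec, proc_open, posix_getuid, posix_kill, passthru, proc_open
"""
CLI_INI = """
disable_functions = exec, passthru, posix_kill
"""

if __name__ == "__main__":
    for key, value in audit(WEB_INI, CLI_INI).items():
        print(f"{key}: {value}")
```

To use it on a real server, read the two php.ini files for your web SAPI and for the CLI into strings and pass them to audit in place of the samples.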