I’m interested in improving our security by disabling as many potentially risky PHP functions as possible without “breaking” our NC functionality. The current admin manual just says:
"disable_functions: avoid disabling functions unless you know exactly what you are doing"
Sure! Disabling some functions like curl_exec results in a non-functional NC instance, or maybe you have some specific app/module that needs that function. But we can probably make some recommendations, can’t we? So I will start a list here and kindly invite you to add or remove some items.
My NC instance uses basic modules, Talk, Office, Deck, Announcements and not much more.
This is my current setup. I’ve put it in the php-fpmX.X php.ini file. Make sure to restart php-fpm to load the changes.
**Edited on 2023-02-21 - 13:58 with a more or less “definitive” list**
```ini
disable_functions = apache_note, apache_setenv, chgrp, curl_multi_exec, define_sys, define_syslog_variables, debugger_off, debugger_on, diskfreespace, _getppid, escapeshellarg, escapeshellcmd, exec, getmyuid, ini_restore, leak, listen, parse_ini_file, passthru, pcntl_alarm, pcntl_async_signals, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_signal_get_handler, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_unshare, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, phpinfo, posix, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system, url_exec
```
Finally, I’ve decided to include shell_exec and similar functions to avoid the high degree of exposure of that function (including opening a webshell). However, you will get a 500 error if you try to access the monitoring app (the server info page under administration). As an alternative, you can still get the system info using the API and curl. To do this, check the monitoring page before adding shell_exec to the list.
Edit: to debug your instance, take a look at your administration → logging panel or at the Nextcloud log file:
```
Error index Exception: Call to undefined function OCA\Settings\Controller\posix_getuid() in file '/xxxxxxxxxxxxxxx/nextcloud/apps/settings/lib/Controller/CheckSetupController.php' line 705
```

```
tail /xxxxxxxxxxx/nextcloud_logs/nextcloud.log -f
```
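An added example, not part of the original post: a Python sketch that reads the `disable_functions` line from a php.ini and lists where a PHP source tree calls any of those functions directly, so likely "Call to undefined function" breakage shows up before php-fpm is restarted. The regex matching is a heuristic (it skips method calls and does not parse PHP), and the sample php.ini and PHP source are constructed.

```python
import re
import sys
from pathlib import Path

# Constructed samples (not taken from a real Nextcloud install).
SAMPLE_INI = """; disable_functions = phpinfo
disable_functions = exec, shell_exec, posix_getpwuid, phpinfo
"""
SAMPLE_PHP = r"""<?php
namespace OCA\Example;
class Info {
    public function user() { return posix_getpwuid(posix_getuid()); }
    public function run($db) { return $db->exec('SELECT 1'); }
    public function load() { return \shell_exec('uptime'); }
}
"""

# A bare or root-qualified call: not a method (->, ::), not a namespaced
# user function (Foo\bar), and not a "function name(" definition.
CALL_RE = re.compile(r"(?<![\w$>:\\])(?<!function )\\?([A-Za-z_]\w*)\s*\(")

def parse_disable_functions(ini_text):
    """Return the names on the last uncommented disable_functions line."""
    names = set()
    for line in ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def find_calls(disabled, sources):
    """sources maps path -> PHP text; returns {function: [(path, line_no)]}."""
    hits = {}
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in CALL_RE.finditer(line):
                if m.group(1).lower() in disabled:
                    hits.setdefault(m.group(1).lower(), []).append((path, no))
    return hits

def load_tree(root):
    """Read every *.php file under root (e.g. the Nextcloud directory)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}

if __name__ == "__main__":
    # Usage: script.py /path/to/php.ini /path/to/nextcloud; no args runs the sample.
    if len(sys.argv) == 3:
        ini, src = Path(sys.argv[1]).read_text(), load_tree(sys.argv[2])
    else:
        ini, src = SAMPLE_INI, {"Info.php": SAMPLE_PHP}
    for name, places in sorted(find_calls(parse_disable_functions(ini), src).items()):
        print(name, *(f"{p}:{n}" for p, n in places))
```

A hit in an app that is not enabled is harmless, and calls made through variables or callbacks are not found, so the Nextcloud log remains the final check after restarting php-fpm.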