Security - PHP disable_function recommendations

gonzalo.cao · November 30, 2023, 2:08pm

I’m interested in improving our security disabling as most of php functions as posible that could be risky without “breaking” our NC functionality. Current admin manual just says

" * disable_functions: avoid disabling functions unless you know exactly what you are doing"

Sure! Disabling some functions like curl_exec results in a non functional NC instance, or maybe you have some specific app/module that needs that function. But probably we can make some recommendations, isn’t it? So I will start a list here and kindly invite you to add or remove some items.

My NC instance uses basic modules, Talk, Office, Deck, Announcements and not much more.

This is my current setup. I’ve introduced it in php-fpmX.X php.ini file. Make sure to restart php-fpm to load changes

**Edited on 2023-02-21 - 13:58 with a more or less “definitive” list **

disable_functions = apache_note, apache_setenv, chgrp, curl_multi_exec, define_sys, define_syslog_variables, debugger_off, debugger_on, diskfreespace, _getppid, escapeshellarg, escapeshellcmd, exec, getmyuid, ini_restore, leak, listen, parse_ini_file, passthru, pcntl_alarm, pcntl_async_signals, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_signal_get_handler, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_unshare, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, phpinfo, posix, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system, url_exec

Finally, I’ve decided to include shell_exec and similar to avoid the high grade of exposure of that function (including open a webshell). However, you will get a 500 error if you try to access monitoring app (server info page on administration). As alternative, you can still get the system info using the api and curl. To do this, check the monitoring page before including shell exec into the list.

Edit: to debug your instance take a look to your administration → logging panel or to nextcloud log file


Error	index	Exception: Call to undefined function OCA\Settings\Controller\posix_getuid() in file '/xxxxxxxxxxxxxxx/nextcloud/apps/settings/lib/Controller/CheckSetupController.php' line 705

tail /xxxxxxxxxxx/nextcloud_logs/nextcloud.log -f

kesselb · November 30, 2023, 2:43pm

php_info should be phpinfo

gonzalo.cao · December 5, 2023, 9:50am

You’re right. I’ve added it with a long list of functions extracted from one of our old debian servers. NC seems stills fully functional.

jcx · January 1, 2024, 2:22am

@gonzalo.cao Thank you for this quick list!

Originally I had the following in my disable_functions list

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare

but then swapped to trying out your list above and had one slight issue so far - The built in security checker errors out when posix_getuid is disabled. I’ve removed that from the disabled functions and the check works again.

The only other page I’ve found so far that doesn’t work with these functions disabled is the admin/serverinfo “System” page, because it doesn’t have access to shell_exec, but that’s a fine trade off imo.

Cheers!

jcx · February 14, 2024, 6:14pm

I did have to modify what functions i had disabled in my CLI version of php for running the cron tasks - it would complain if I had the posix functions disabled - which I guess makes sense from a cron/shell perspective,so just for the CLI version of php I took out the posix and posix_ ones since otherwise my backend cron jobs wouldn’t work.

Came back to report that in case anyone else was running their cron in the background (and not doing it with ajax or webcron)

gonzalo.cao · February 21, 2024, 10:03am

Hi @jcx ,

I’ve come back to this topic after a long time. I should have mentioned that I’m applying these restrictions only to php-fpm php.ini configuration, which is the one I’m using to the Nextcloud web (not for the CLI). However, I’ve just realized that my Nextcloud was not claiming because I didn’t apply properly the restrictions (facepalm).

I’ve just updated the list of functions removing some to allow Nextcloud to work properly. Unfortunately some of them are shell_exec and escapeshellcmd which are probably the most worrying ones.

BTW thanks for your contribution.