FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sandbox
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sandbox [message #182080 is a reply to message #182079] Fri, 05 July 2013 17:33 Go to previous messageGo to previous message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma:
Senior Member
On 05/07/13 18:53, Jerry Stuckle wrote:
> On 7/5/2013 12:24 PM, J.O. Aho wrote:
>> On 05/07/13 14:25, Jerry Stuckle wrote:
>>> On 7/5/2013 7:38 AM, sanjayrathod273(at)gmail(dot)com wrote:
>>>> HEy guys Help me
>>>>
>>>> I want to use sandbox for my site's security. below is the link of
>>>> method which i want to use http://php.net/manual/en/runkit.sandbox.php.
>>>>
>>>> but when i am run the code of that page it says sandbox class not
>>>> defined.
>>>> so anyone can guide me through this step by step.
>>>> Please help me my site has down due to hacking. i want to use for this
>>>> site
>>>> http://web.guru99.com/demo-editor-php/
>>>>
>>>
>>> Look at the documentation - you need the runkit PECL class. But that
>>> has not been updated for seven years and will not compile with PHP
>>> versions > 5.2. It looks like you're out of luck.
>>>
>>> But then while I think what you're trying to do is admirable, I don't
>>> think you'll be able to stop hacking without pretty much crippling your
>>> users. Anyone developing (or learning) PHP should have their own
>>> development environment, anyway.
>>>
>>
>> There are other options to "sandbox" the users, suExec will give you
>> some capabilities and then on you can also run the apache in a chroot
>> environment. This way you can limit the access through the webserver to
>> the rest of the server environment and limit the sites from accessing
>> each others data. I usually apply the suhosin to the php and set a bit
>> limitation that way too. Doing all that you need of course a Linux/Unix
>> server.
>>
>
> Yes, but look at his site. He's trying to create an online PHP executor
> for people to use. Your suggestions won't help there - it's impossible
> to use them to limit access to the files from user-developed code
> (evidently executed with eval()) while still making it available to the
> installed code.

*nods*

> And limiting things like file functions in his php.ini file will not
> only limit the functions for user-developed code, but for the code on
> the site itself.

yeah, you are right, but just let us play things a little bit before
giving up.

1. If we start with running the apache in a chroot, we eliminate the
access to system files.

2. Then we run the suExec for the site and php with suhosin, to make
things a little bit safer in the environment which will be "executing
the code".

3. Instead of using eval to run the user imputed code, we use fpm to
execute it and set the fpm to use another php.ini than the suExec
environment Running the fpm in it's own nested chroot, will prevent it
from accessing those files in the general apache chroot.

Of course this would require a custom made PHP page to handle a such
setup, but could in theory work, but should be well tested before
releasing to the wide world web.

Any thoughts about this, or do you see a flaw in my thought?

--

//Aho
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: tracking IP's
Next Topic: mysqli --- who does the switching?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 03:22:09 GMT 2024

Total time taken to generate the page: 0.04847 seconds