On Jul 8, 2024, at 14:12, David CARLIER <devne...@gmail.com> wrote:
> Through this existing PR, I wanted to know how it would appeal to you to add 
> some access restriction upon this existing call, using the open_basedir 
> check. So if the sysadmin wants the php user to have no business calling 
> `/bin` commands, for example, they would do that, bringing a bit more of the former 
> suhosin "spirit" here.

open_basedir is usually used in conjunction with the disable_functions 
directive to disable all functions which execute external commands, including 
pcntl_exec(). It's largely ineffective if the user can execute external 
commands, as those commands are not themselves restricted by open_basedir. (For 
instance, if PHP is allowed to execute /bin/cat, that can be used to read any 
file; if it can execute /bin/sh, that can execute any other command.) 
Additionally, if there *are* PHP installations which set open_basedir but do 
allow pcntl_exec(), this change would introduce a major incompatibility by 
disallowing all commands.

If your goal is to restrict what external commands can be executed by a PHP 
script, any solution would need to be applied to all functions which can 
execute shell commands - exec(), shell_exec(), system(), passthru(), 
proc_open(), popen(), not just pcntl_exec(). Keep in mind that 
some of these functions take a string as input which is parsed by the shell; 
implementing path-based restrictions may be very difficult to do in a general 
fashion.
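An added configuration check (not part of this thread and not PHP project code) that follows the reply's reasoning: it reads the running configuration and reports which of the command-executing functions named above remain callable, so that open_basedir is not mistaken for a restriction on external commands. The `-d` settings in the run comment are constructed sample values.

```php
<?php
// Audit the running PHP configuration for the gap described in the thread:
// open_basedir limits what PHP itself may open, but not what a spawned
// command may do, so every function able to launch a command must also be
// listed in disable_functions.
//
// Run stand-alone, e.g. (constructed sample settings):
//   php -n -d open_basedir=/var/www -d disable_functions=exec,system audit.php

// Command-executing functions named in the thread.
const EXEC_CAPABLE = [
    'exec', 'shell_exec', 'system', 'passthru',
    'proc_open', 'popen', 'pcntl_exec',
];

// Parse disable_functions into a normalised list of function names.
function disabledFunctions(): array
{
    $raw = strtolower((string) ini_get('disable_functions'));
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// Return the exec-capable functions that are still callable. A function that
// does not exist (e.g. pcntl_exec without the pcntl extension, or one already
// removed by disable_functions) is not a risk and is skipped.
function stillEnabled(array $disabled): array
{
    return array_values(array_filter(
        EXEC_CAPABLE,
        fn(string $f): bool => function_exists($f) && !in_array($f, $disabled, true)
    ));
}

$basedir = (string) ini_get('open_basedir');
echo $basedir === '' ? "open_basedir is not set.\n" : "open_basedir = {$basedir}\n";

$enabled = stillEnabled(disabledFunctions());
if ($enabled !== []) {
    echo "open_basedir does not restrict external commands; these are still callable:\n";
    foreach ($enabled as $f) {
        echo "  - {$f}()\n";
    }
    exit(1); // non-zero so the check can gate a deployment
}
echo "All command-executing functions listed above are disabled.\n";
```

Functions that accept a string parsed by the shell (exec(), system(), and so on) are reported by name only; as the reply notes, path-based filtering of their arguments is not something a check like this can do reliably.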