I'm working on a web app that can allow the user to input some code, and it will be compiled and executed, and they can see the result. I'm coding the app in PHP and I need a way to ensure that if the user inputs some harmful code (this example is PHP), it can't execute and destroy my server. Example:

<?php
shell_exec('rm -rf /');
?>

I'm thinking that permissions on the uploaded code's file might do it just fine, but I wanted some secondary input. Thanks!

+3  A: 

Do not do this unless you are a security professional. There are countless ways to destroy things that you can't possibly foresee.

The only case in which this is acceptable is if you give each user an actual user in the system with its own home directory, permission set, etc. and ensure that they can't actually touch anything that's not theirs whatsoever. And, even then, you'll still get hit with something you didn't expect.

I wouldn't trust myself to write something like this for another good 10 years, minimum, if even then. Users are never trustworthy, ever, and there's always someone smarter out there. No way am I giving out that kind of freedom.

Matchu
I think going this far is a little radical. Sure there may be issues, but there are ways to ensure that even if something does go awry, the core system is not harmed, like FreeBSD jails or something. And if I create a user that has very locked down permissions, and automatically chown the uploaded code to that user. All just ideas.
Ben
@Ben - Web-based PHP executes with the permissions of your web server. You could try to change ownership levels on the fly, but your apache (or whatever) user is the one executing the code. By allowing users to execute arbitrary code, you are vulnerable to a whole new class of exploits that web developers normally don't worry about: local user exploits. These are serious, with the worst resulting in root access. Even ignoring these, how are you going to lock out things like `mail()`? A user could use your server as a spam relay. Or even just make an infinite loop that uses all your CPU.
zombat
Alright, I guess I see the valid points here. Shows what I get for trying to be innovative :D, I could go through and put in special fixes for certain vulnerabilities, but I could never really get them all. Thanks for the help.
Ben
I actually just found a site that does this: http://codepad.org/ How do you suppose they did it?
Ben
@Ben - `<?php exec('host'); ?>` returns `Disallowed system call: SYS_pipe` - they're running PHP in CLI mode and they've (wisely) locked down the backtick operator and (theoretically) shell access. I worry for their sysadmin, though :)
danlefree
@Ben: I'm betting they're security professionals who have a very, very intricate understanding of what they're doing.
Matchu
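An added example, not part of the original thread and not codepad's code: a runner that starts a CLI interpreter as a child process under kernel-enforced resource limits, covering only the "infinite loop that uses all your CPU" point raised above. It does not confine filesystem, network, `mail()` or system calls. The names `run_limited` and `INTERPRETER` are hypothetical, and a Python interpreter stands in for the PHP CLI so the sample runs offline on Linux.

```python
import resource
import signal
import subprocess
import sys

CPU_SECONDS = 1                   # CPU time budget per submission
MEMORY_BYTES = 512 * 1024 * 1024  # address-space cap
WALL_SECONDS = 5                  # catches sleep()/blocking I/O, which burn no CPU time


def _apply_limits():
    # Runs in the child after fork() and before exec(), so only the
    # submission is limited, never the web application itself.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps on disk


def run_limited(argv, source):
    """Pipe `source` to the CLI interpreter `argv`; return (verdict, stdout)."""
    try:
        proc = subprocess.run(argv, input=source, capture_output=True, text=True,
                              timeout=WALL_SECONDS, preexec_fn=_apply_limits)
    except subprocess.TimeoutExpired:
        return "wall-clock timeout", ""
    if proc.returncode < 0:  # negative return code: child died from a signal
        return "killed by " + signal.Signals(-proc.returncode).name, proc.stdout
    return ("ok" if proc.returncode == 0 else f"exit {proc.returncode}"), proc.stdout


# Stand-in interpreter (assumption): this Python binary reading the program
# from stdin, in place of the PHP CLI the thread is about.
INTERPRETER = [sys.executable, "-I", "-"]

if __name__ == "__main__":
    # Constructed sample submissions.
    samples = {
        "well-behaved": "print(6 * 7)",
        "busy loop": "while True: pass",
        "memory grab": "x = bytearray(1 << 30)",
        "sleeper": "import time; time.sleep(60)",
    }
    for name, code in samples.items():
        print(f"{name:13s} -> {run_limited(INTERPRETER, code)[0]}")
```

The limits are applied by the kernel to the child only, so a submission that spins is killed after one CPU second regardless of what the code inside it does.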