httpd + /bin/false == 系统() ?
我有两个网络服务器,都在 Lighttpd + php 上(通过 fastCGI)。
[user@box ~]$ lighttpd -v
lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Aug 7 2011 10:52:01
[user@box ~]$ php -v
PHP 5.3.8 with Suhosin-Patch (cli) (built: Sep 30 2011 05:34:36)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
[user@box ~]$ php-cgi -v
PHP 5.3.8 with Suhosin-Patch (cgi-fcgi) (built: Sep 30 2011 05:35:14)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
Lighttpd 和 php-cgi 在用户“http”下使用 /bin/false (伪造的)shell 运行:
[user@box ~]$ cat /etc/passwd | grep http
http:x:33:33:http:/srv/http:/bin/false
[user@box ~]$ ps aux | grep "lighttpd\_php-cgi"
http 1291 0.0 1.1 5152 2816 tty1 S Oct06 0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
http 1292 0.0 1.5 14476 3904 ? Ss Oct06 0:00 /usr/bin/php-cgi
但我仍然可以通过 php 的 system() 函数执行 shell 命令(例如)!
我的 php.ini 中没有disable_functions。 如果我通过 php 执行 system("whoami") 或 system("id") ,我会得到以下结果:(
http
uid=33(http) gid=33(http) groups=33(http)
正如它必须的那样)。
为什么我可以使用 /bin/false 作为 shell 执行用户的命令?
I have two web-servers, both on Lighttpd + php (through fastCGI).
[user@box ~]$ lighttpd -v
lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Aug 7 2011 10:52:01
[user@box ~]$ php -v
PHP 5.3.8 with Suhosin-Patch (cli) (built: Sep 30 2011 05:34:36)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
[user@box ~]$ php-cgi -v
PHP 5.3.8 with Suhosin-Patch (cgi-fcgi) (built: Sep 30 2011 05:35:14)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
Lighttpd and php-cgi are running under user 'http' with /bin/false (bogus) shell:
[user@box ~]$ cat /etc/passwd | grep http
http:x:33:33:http:/srv/http:/bin/false
[user@box ~]$ ps aux | grep "lighttpd\_php-cgi"
http 1291 0.0 1.1 5152 2816 tty1 S Oct06 0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
http 1292 0.0 1.5 14476 3904 ? Ss Oct06 0:00 /usr/bin/php-cgi
But I still can execute shell commands through php's system() function (for example)!
There are no disable_functions in my php.ini.
If I execute system("whoami") or system("id") through php, I get the following:
http
uid=33(http) gid=33(http) groups=33(http)
(just as it must be).
What's the reason that I can execute commands from the user with /bin/false as shell?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
/bin/false 与此处无关。您无法通过更改用户的 shell 来控制对系统命令的访问,因为它们根本不通过 shell 执行。请在此处了解更多信息。
/bin/false has nothing to do here. You can't control access to system commands by changing a user's shell, because they are simply NOT executed via shell. Read more here.
正如文档中明确指出的那样,php的
system只是C语言中系统的绑定从系统的手册页:/bin/false只是登录 shell(与结合使用)代码>登录,telnet,ssh等)。As explicitely said in the documentation, php's
systemis just a binding for the system in C. From the manpage of system:/bin/falseis just the login shell (used in conjunction withlogin, telnet, ssh, etc.).