Is it possible [how?] to blacklist & whitelist shell_exec() commands?

Question

I need to allow the following:

shell_exec('whois ' . $domain);

BUT I need to disallow everything else, like:

shell_exec('ls');
shell_exec('rm -rf /');
shell_exec('sudo service nginx restart');

is it possible to "whitelist" only one shell_exec command?

It may be more suitable for [serverfault](http://serverfault.com/) — Luc M, Nov 27 '15 at 15:38

ksimka · Accepted Answer · 2015-12-03T09:53:18.323

2

If it's about some script — just don't pass user input into shell_exec argument, call it when some param matches some value

if ($_GET['cmd'] === 'whois') {
    shell_exec('whois whatever');
}

If it's about kind of hosting, then you should restrict access to data using OS permissions. So user will be able to call shell_exec('rm -rf /') but nothing will happen.

edited Dec 03 '15 at 09:53

answered Nov 27 '15 at 14:18

ksimka

1,394
9
21

1

I guess the per user restriction could work here then. I will give it a try. – Unamata Sanatarai Nov 27 '15 at 14:34

score 1 · Answer 2 · answered Nov 27 '15 at 15:36

Maybe its not really the answer to your question but:

you can check it with php:

if(substr( $command , 0, 5 ) === "whois"){
  shell_exec($command );
}

but still i dont think its smart to put user input in shell_exec but if you really want it i should check everthing first with php

Is it possible [how?] to blacklist & whitelist shell_exec() commands?

2 Answers2