What does xenforo use exec for?

[AndrewSimm]

I get the following error when upgrading to beta 7:

• Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.

This is the first time I have got this error.

 

[Robust]

Looks like a Symfony component within XF2 uses exec (shell_exec specifically). As far as I can see (from dp3) the only place this is used is the QuestionHelper and DialogHelper, part of the Symfony Console component. The command used is stty, and the execution of a file to get a hidden response (?). Presuming the use case is formatting within parts of XF2 using the console component, probably the cmd.php file.

That's from a quick search of the source, so I wouldn't take it as an official or informed answer.

 

[Chris D]

We've added exec and escapeshellarg recently to the recommended functions list. They are commonly disabled but generally there's little need to providing their use is safe and responsible. We may use it more in the future, but actually the only place we officially use it right now is within XFMG for the media transcoding.

Note that this is not an error, it's a warning. The distinction is important because if it was an error for a required function, we wouldn't let the installation continue.

 

[sheel]

They are commonly disabled but generally there's little need to providing their use is safe and responsible. We may use it more in the future

Please don't.

The problem is not if the intended usage is safe and responsible, the problem is that quite some of the not-that-big security holes that are found every week in Apache and PHP become fatal with a bad configuration. The unfiltered ability to execute shell commands for any PHP program on the vhost/server is something attackers usually can only dream of ... because most people are not insane enough to allow it.

...
other than that, I thought Xenforo was supposed to fully run on non-root hosting too...

 

[Digital Doctor]

Sounds like exec should be limited to XFMG ? No need to have it unless you use XFMG ?

 

[sheel]

Well, if you can tell an feasible way how to limit it to XFMG, especially only to the original XFMG without changes some attacker made with help of some PHP bug...

Allowing exec destroys every kind of sandbox available to PHP installs, be it simple user separation or full virtualization plus Selinux.

 

[pegasus]

Allowing exec destroys every kind of sandbox available to PHP installs, be it simple user separation or full virtualization plus Selinux.

Not sure how you came to this conclusion. When PHP runs exec, it runs with the same permissions as the user PHP runs as (use FastCGI pools and this should be a different user than Apache). So it would only have access to commands that the user has permissions for and that are within the appropriate home directory (such as commands you've set aside in a /home/account/bin directory), provided you're using open_basedir. In my experience this works as expected, and I have not been able to use exec for other commands. Don't give the PHP user more permissions than it needs, and you should not have problems using exec.

 

[sheel]

So it would only have access to commands that the user has permissions for

That's not a protection PHP made ... and, independent of that, even without privilege escalation, having an attacker with local shell access for some valid user is bad enough. One doesn't need to be root to do harmful things, especially to the clients of the webserver.

Other than direct shell access, as implied before allowing exec can be the tiny difference between getting in at all or not. Don't remember CVE numbers now, but bugs like that were found and will be found again.