My company is developing a PHP system that needs to interact with Git on the server, which can currently most conveniently be done by allowing external calls via proc_open(), system() and the like. The problem is that our clients typically use shared hosts and those hosts typically have these PHP functions disallowed. (Well, they also typically do not have Git installed on their servers, but that is another issue; let's focus on proc_open() now.)
I'd like to fully understand what the security implications of proc_open() being allowed are, and under what circumstances.
Here is what I've gathered so far:
- If the host uses Apache + mod_php allowing proc_open() is a no-go because the PHP script and in turn the executed shell command runs under the same user (Apache) for all users on the shared host. That is obviously too much of a risk (one user could access files of the others).
- If the host uses CGI, FastCGI, PHP-FPM or similar, and if the file permissions are set properly, allowing proc_open() should be relatively fine. The reasoning here is that the PHP script itself can already do a lot of things, so adding the ability to run external commands (with proper permissions in place) doesn't make much of a difference. (It makes some difference in that it makes the surface area larger, but the difference shouldn't be huge.)
The question is, is the above correct? Or are there examples of attacks that would only be possible via proc_open() and not otherwise? Thanks.
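As an added illustration of the defender-side checks the question touches on (not code from the asker or from any answer), the following PHP wrapper shows how an application can detect whether proc_open() is disabled, detect the mod_php "everyone runs as the Apache user" situation from the first bullet, and invoke Git without a shell so that caller-supplied refs and paths cannot turn into extra commands or git options. The class name, method names and the /var/www/app/repos path are hypothetical; it needs PHP 7.4 or later for the array form of proc_open() and the posix extension for the user check.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. GitRunner and the base
// directory are hypothetical. Requires PHP >= 7.4 (array argv for proc_open()).

final class GitRunner
{
    private const ALLOWED = ['status', 'log', 'rev-parse', 'fetch', 'pull'];
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException("base dir does not exist: $baseDir");
        }
        $this->baseDir = $real;
    }

    /** Why proc_open() cannot be used on this host, or null if it can. */
    public static function unavailableReason(): ?string
    {
        if (!function_exists('proc_open')) {
            return 'proc_open() is not compiled into this PHP';
        }
        $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
        if (in_array('proc_open', $disabled, true)) {
            return 'proc_open() is listed in disable_functions';
        }
        return null;
    }

    /**
     * True when PHP runs as a user other than the owner of this script, which is
     * the mod_php shared-user situation from the question: every site's commands
     * would run as the same web server account. Under per-site CGI/FastCGI/PHP-FPM
     * pools the two normally match. Returns null if the posix extension is absent.
     */
    public static function runsAsSharedUser(): ?bool
    {
        if (!function_exists('posix_geteuid')) {
            return null;
        }
        return posix_geteuid() !== fileowner(__FILE__);
    }

    /**
     * Run one git sub-command in $repo (a directory under the base dir) and return
     * ['code' => int, 'out' => string, 'err' => string].
     * $operands is an argv list, never a shell string: the array form of proc_open()
     * executes git directly with no /bin/sh in between, so a branch name such as
     * "main; rm -rf /" reaches git as one literal argument. Options the application
     * itself needs belong in a fixed list here, not in caller-supplied operands.
     */
    public function run(string $repo, string $subcommand, array $operands = []): array
    {
        if (($why = self::unavailableReason()) !== null) {
            throw new RuntimeException($why);
        }
        if (!in_array($subcommand, self::ALLOWED, true)) {
            throw new InvalidArgumentException("git $subcommand is not allowed");
        }
        // Confine the working directory to the application's own repositories;
        // realpath() resolves "../" so a repo name cannot escape the base dir.
        $dir = realpath($this->baseDir . '/' . $repo);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($dir === false || strncmp($dir, $prefix, strlen($prefix)) !== 0) {
            throw new InvalidArgumentException('repository is outside the base dir');
        }
        foreach ($operands as $a) {
            // Caller-supplied refs and paths must not be parsed by git as options.
            if (!is_string($a) || $a === '' || $a[0] === '-') {
                throw new InvalidArgumentException('refusing operand ' . var_export($a, true));
            }
        }
        $cmd  = array_merge(['git', $subcommand], $operands);
        $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        // Minimal environment: nothing inherited from the web server process,
        // and no interactive credential prompts that would hang the request.
        $env = ['PATH' => '/usr/bin:/bin', 'HOME' => $dir, 'GIT_TERMINAL_PROMPT' => '0'];

        $proc = proc_open($cmd, $spec, $pipes, $dir, $env);
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open() failed');
        }
        fclose($pipes[0]);                      // git gets no stdin
        $out = stream_get_contents($pipes[1]);  // fine for small outputs; read both
        $err = stream_get_contents($pipes[2]);  // pipes non-blocking if stderr may be large
        fclose($pipes[1]);
        fclose($pipes[2]);
        return ['code' => proc_close($proc), 'out' => $out, 'err' => $err];
    }
}

// Usage with a constructed base path:
// $git = new GitRunner('/var/www/app/repos');
// if (GitRunner::runsAsSharedUser() === true) { error_log('PHP runs as the shared web user'); }
// $r = $git->run('client-site', 'rev-parse', ['HEAD']);
// if ($r['code'] !== 0) { error_log($r['err']); }
```

The two checks map onto the question's two bullets: runsAsSharedUser() flags the mod_php case where a command would run with the same identity as every other tenant, while the allow-list, directory confinement, shell-free argv and stripped environment keep the CGI/FPM case from becoming a larger surface than the PHP script already had.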