Why restricting Apache users from executing scripts?
When Apache users are allowed to executes bash scripts via PHP - why it's considered dangerous?
I understand that the users can traverse the whole file system and even see which additional users are hosted on the machine; they can also read the settings in conf/httpd.conf
.
But how that info will help them to hack the system?
Consider that suexec is active.
There are (usually default) security restrictions in place inside php.ini to prevent scripts from using too much memory, executing certain functions or generally doing what they shouldn't.
If you allow PHP to execute a shell script which isn't restricted in this manner, you're opening up the possibilities for attackers. For instance, they could run a fork bomb and potentially bring your server offline. They could take part in a DDoS more easily, or run a vulnerability scanner against other servers. It can also be a lot harder to debug where something started and exactly how a server was compromised if you allow an extra level of abstraction.
In general, if a server is locked down properly then malicious code is limited, but servers are very rarely locked down properly. It usually takes two or three vulnerabilities to compromise a server - 777 permissions won't cause you a problem unless someone compromises your website code or a malicious user with access goes wandering but why take the risk?
When people are trying to get into your server, they are usually doing so blind. They are guessing your PHP settings, they are guessing how your webserver is configured, they are guessing usernames (/etc/passwd is world-readable), they are guessing your database names. If you allow them to read configuration files you're making their life a lot easier. If you allow them to email out your PHP files containing usernames and passwords for database connection strings, you're making it extremely easy. Inbound firewalls (eg. restricting MySQL to localhost) are of limited use if you let them run whatever they want from your server.