Warning: Executable paths can be set in the Admin GUI.


by Jaifar Al Shizawi -
Number of replies: 4

Hi all,  

I'm about to push the site to production, and I'm getting this warning when running the security overview check. I fully understand that the warning is not that sensitive, but for my workplace it is more than sensitive.


Executable paths | Warning | Executable paths can be set in the Admin GUI.


Any clue on how to resolve it? Note that the Moodle documentation is not giving me anything regarding this issue.



In reply to Jaifar Al Shizawi

Re: Warning: Executable paths can be set in the Admin GUI.

by Ken Task -

Search the site admin menu for 'paths'. That should link to the form where paths are set ... if you have paths set. On a Linux server, one of those is the executable for 'disk usage', i.e., du.

Those I'd consider 'safe' as most are pretty buried in Moodle code and from what I can tell, bad guys/gals haven't attacked such things.

You, however, don't have to use those path settings. You could remove them, but it does mean php can't shell out to use them and thus some php routine/moodle code would be used instead = more processing. If your server needs all the memory it can get, I think I'd leave them.

'spirit of sharing', Ken


Average of ratings: Useful (1)
In reply to Ken Task

Re: Warning: Executable paths can be set in the Admin GUI.

by Jaifar Al Shizawi -

Thank you for your kind reply, 


I have searched for "paths" and got a page with du, aspell ....

All of them are empty except the one for ghostscript, which is set by default to /usr/bin/gs

I tried to remove it but still get the same warning.


Overall, thank you for your inputs. I hope Moodle will resolve this, as I can see there is no use of this warning.


all the best 

In reply to Jaifar Al Shizawi

Re: Warning: Executable paths can be set in the Admin GUI.

by Dan Marsden -

The issue it is reporting is that normally an admin on Moodle should not necessarily have full access to the web server itself like a sysadmin would. If the Moodle admin can set the executable path, they can possibly gain greater access to the web server that Moodle is hosted on.

You can prevent this in two ways: by hard-coding the various execpath settings like du/aspell etc. directly in the config.php file, or by setting preventexecpath directly in your config.php file. Here's the example from config-dist.php:

https://github.com/moodle/moodle/blob/master/config-dist.php#L489

Average of ratings: Useful (2)
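
Added example, not part of the original posts and not Moodle's own file: a config.php fragment combining the two options described in the reply above. `$CFG->preventexecpath` is the setting shown in config-dist.php; `/usr/bin/gs` is the default mentioned earlier in the thread, while the `/usr/bin/du` and `/usr/bin/aspell` locations are assumptions for a typical Linux host.

```php
// Fragment of config.php (added example). Place these lines BEFORE the final
//   require_once(__DIR__ . '/lib/setup.php');
// line, otherwise they are not picked up when Moodle initialises.

// Block editing of executable paths through the web admin pages, so a Moodle
// admin account cannot point the server at an arbitrary binary.
$CFG->preventexecpath = true;

// With web editing blocked, any helper binaries Moodle should use have to be
// declared here by whoever controls the server's filesystem.
$CFG->pathtogs   = '/usr/bin/gs';      // ghostscript default mentioned in the thread
$CFG->pathtodu   = '/usr/bin/du';      // assumed location, check with `which du`
$CFG->aspellpath = '/usr/bin/aspell';  // assumed location, check with `which aspell`

// Leave out any path you do not need; an unset path means Moodle will not
// shell out to that tool.
```

After saving, re-run the security overview check to confirm that the "Executable paths" row no longer reports a warning.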
In reply to Dan Marsden

Re: Warning: Executable paths can be set in the Admin GUI.

by Jaifar Al Shizawi -

Dear Dan Marsden


Thank you for your kind reply. Noted, and I have set it to true and now the problem is solved.


regards


Average of ratings: Useful (1)