Thread: Disable PHP system functions per domain

  1. #1
    Join Date
    Mar 2010
    Posts
    73

    Disable PHP system functions per domain

    Hi everyone here,

    I am running Apache and PHP on a Linux server along with SuPHP and Suhosin. In this situation, I need to disable some PHP functions such as exec(), so I modified my PHP configuration file to disable the respective functions. I now have two problems with that:

    1) Anyone can place a php.ini file in his public_html folder and add "disable_functions = NONE". That is something I don't want.

    2) I still need to enable those functions for some accounts on my server, as I choose.

    Is there any method to disable those functions for all accounts by default while still having the option to enable them for some accounts, with only me having that option?

  2. #2
    Join Date
    Apr 2008
    Posts
    1,948

    Re: Disable PHP system functions per domain

    When working on the security of your server, you will commonly get to the point where you want to disable some PHP functions. The only issue on shared hosting is that you are unable to disable exec for one domain and enable it for another that requires it because of some lame script. Eventually you will get to the point where you need to enable exec on the whole server because of one site. In this situation, there is one and only one solution, and it's called Suhosin.

  3. #3
    Join Date
    May 2008
    Posts
    2,012

    Re: Disable PHP system functions per domain

    Suhosin has a configuration variable named "suhosin.executor.func.blacklist" that can be used to disable some PHP functions. The difference between this variable and disable_functions in php.ini is that it can be configured for all sites and then edited for a single domain (it can be overridden), so you will be able to disable exec on the whole server and enable that function for a single domain.

    Also, you only need the extension for this, so you do not need to patch PHP and re-execute.

    NOTE: I have found that the Suhosin extension 0.9.20 does not work anymore, as there are some issues with it. It's fine as long as we have 0.9.18. Most likely the upcoming version of the extension will work fine again, so consider using version 0.9.18 for this until the issue is resolved.

  4. #4
    Join Date
    Apr 2008
    Posts
    2,005

    Re: Disable PHP system functions per domain

    What I believe you want to do is set the PHPRC environment variable to the path of the selected .ini file at the VHOST level, which works with PHP in CGI mode.

    For example:

    DefaultInitEnv PHPRC /etc/php.ini

    So, in CGI mode you can use the environment variable to pick a php.ini for every website you want. I use PHP with FCGI (FastCGI), which I believe is very similar to what SuPHP does; I personally chose it over SuPHP a long time ago and never investigated SuPHP.

  5. #5
    Join Date
    May 2008
    Posts
    2,297

    Re: Disable PHP system functions per domain

    In my opinion, you should work with Suhosin, and it would be a better choice as the PHP function blocker. We need to comment out disable_functions in php.ini (yes, enable all functions) and then set suhosin.executor.func.blacklist in php.ini to something like this:

    suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg


    In this way, you can add as many functions as you need ...
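
The first post's problem (a user-supplied php.ini that resets the blocked functions) can be checked for from the admin side. The following is an added example, not part of any post in this thread: a Python audit that walks account directories and reports php.ini files that drop functions from a baseline. The baseline is a subset of the blacklist in the post above; the `/home/<account>/public_html` layout, the file names scanned and the `allowed_accounts` parameter are assumptions.

```python
import os
import re

# Functions the admin wants blocked everywhere (subset of the list quoted above).
BASELINE = {"exec", "passthru", "shell_exec", "system", "proc_open", "pcntl_exec"}
# Directives that decide which functions PHP / Suhosin refuse to run.
DIRECTIVES = ("disable_functions", "suhosin.executor.func.blacklist")
INI_NAMES = {"php.ini", ".user.ini"}  # assumption: per-directory files PHP may read
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Return {directive: set(function names)} for the directives of interest."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # drop ini comments
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in DIRECTIVES:
            continue
        value = m.group(2).strip("\"'")
        funcs = {f.strip().lower() for f in value.split(",") if f.strip()}
        found[m.group(1).lower()] = funcs        # a later assignment replaces an earlier one
    return found

def audit(root, allowed_accounts=()):
    """Return sorted (path, directive, re-enabled functions) for user overrides."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INI_NAMES:
                continue
            path = os.path.join(dirpath, name)
            # First path component under root is treated as the account name.
            account = os.path.relpath(path, root).split(os.sep)[0]
            if account in allowed_accounts:      # accounts the admin exempted
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                overrides = parse_ini(fh.read())
            for directive, funcs in overrides.items():
                missing = BASELINE - funcs       # baseline functions no longer blocked
                if missing:
                    findings.append((path, directive, sorted(missing)))
    return sorted(findings)

if __name__ == "__main__":
    for path, directive, funcs in audit("/home"):  # assumption: accounts under /home
        print(f"{path}: {directive} re-enables {', '.join(funcs)}")
```

A file that sets neither directive is not reported here; whether such a file still replaces the server-wide settings depends on how the PHP handler locates its php.ini.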

  6. #6
    Join Date
    Apr 2008
    Posts
    1,948

    Re: Disable PHP system functions per domain

    [QUOTE]
    I use PHP with FCGI (FastCGI), which I believe is very similar to what SuPHP does; I personally chose it over SuPHP a long time ago and never investigated SuPHP.
    [/QUOTE]

    Actually, this is "fcgid", an Apache module that executes PHP code as CGI scripts at performance comparable to mod_php. The "SuexecUserGroup" directive indicates which user Apache suEXEC runs the user's PHP/CGI scripts as, as follows -

    Code:
    # ls -l /var/www/fcgi-bin.d/php-default/
    total 4
    lrwxrwxrwx 1 root root 16 May 15  2009 php-fcgi-wrapper -> /usr/bin/php-cgi
    #
    
        AddHandler php-fcgi .php
        Action php-fcgi /fcgi-bin/php-fcgi-wrapper
        AddType application/x-httpd-php .php
        DefaultInitEnv PHP_FCGI_CHILDREN 6
        DefaultInitEnv PHPRC /etc/php.ini
        Alias /fcgi-bin/ /var/www/fcgi-bin.d/php-default/
        ####
        MaxRequestsPerProcess 1000
        MaxProcessCount       20
        #IPCCommTimeout        120
        IPCCommTimeout        180
        IdleTimeout           225 
        #### 
        
            SetHandler fcgid-script
            Options +ExecCGI

  7. #7
    Join Date
    May 2008
    Posts
    3,316

    Re: Disable PHP system functions per domain

    Disabling these three is no issue and quite common for better server security: system, proc_open, shell_exec. Disabling these will actually cause issues with many scripts, but I am not so sure about Zen Cart and/or related modules: passthru, popen, exec. It is a shame the hoster in question does not just configure good firewall rules and avoid all the problems with the 'iframe' hack without having to severely limit script capabilities for their clients.

    Code:
    ServerName www3.example.com
    DocumentRoot /var/www/example
    Options +ExecCGI
    SuexecUserGroup user5 user5
    Action php-fcgi /fcgi-bin/php-fcgi-wrapper
    Alias /fcgi-bin/ /var/www/fcgi-bin.d/user5/
