Disable_functions via custom_httpd

[Zhenyapan]

Hello,

Default PHP 7.1 (cli)
I try to allow shell_exec by removing it from disable_functions.
When I redeclare disable_functions via Custom Httpd like:
php_admin_value disable_functions "exec,system,passthru,proc_close,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname"
It shows applied in PHPINFO output in local value, while in main php.ini and in global value still:
"exec,system,passthru,shell_exec,proc_close,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname"
and shell_exec didn't work while I change disable_functions in main php.ini (global value in phpinfo).
Where i need to dig?

 

[smtalk]

disable_functions cannot be re-defined per-vhost. It's possible to overwrite php.ini completely when PHP process is running separately (for example, FastCGI), in other cases - it's global

PHP: Description of core php.ini directives - Manual

www.php.net

disable_functions

""

PHP_INI_SYSTEM only

 

[Zhenyapan]

It's pity.
Thank you.

 

[zEitEr]

Hello,

You can move disable_functions into PHP-FPM config, which is managed on per user bases. For this you need to:

1. configure PHP cli to use a different php.ini, e.g. php-cli.ini where you have disable_functions for cli
2. configure PHP-FPM to use a different php-ini, e.g. php-fpm.ini, where you have NO disable_functions for PHP-FPM
3. add disable_functions=|PHP_DISABLE_FUNCTION| into PHP-FPM template, with a token definition

|?PHP_DISABLE_FUNCTION=...|

....

disable_functions=|PHP_DISABLE_FUNCTION|

4. change/update PHP_DISABLE_FUNCTION on per user bases.


That's still on per user bases, and if you have all the domains under 1 user, it won't help you.