How to enable "proc_open" for one user?

zakazak

Hi there,

On one of my users I have MediaWiki installed. MediaWiki needs "proc_open" for picture upload and thumbnail creation.
I just checked the custom httpd and php configs in DA-Settings but I can't find anything that has "proc_open" disabled (although it is disabled because mediawiki can't run it).

So I wonder, how can I enable "proc_open" for one specific user only?
 
Normally this is only closed in the php.ini under the line "disable_functions = proc_open" (and some more for security reasons), which happens automatically if you choose the php safe installation.

You might try to use a htaccess line in the users public_html (not possible with nginx) or a php.ini depending on which way you're running php.
 
Yep I expected to find "disable_functions" in the php.ini for the specific user but it wasn't in there.
I am using apache but I have no idea how to enable this function in a .htaccess file and I can't believe that it would override the php settings?
 
It's in the global php.ini at /usr/local/lib like Cpanel can also have it.

The way you are running php (php-cgi or mod_ruid for example) also determines if you would need a user's php.ini or .htaccess if I'm not mistaken. I never allow proc_open.

I'm not sure if a .htaccess can overwrite php.ini global settings, but one can always try.
Since I don't use it, I don't know either, but Googling around gave me some answers like in .htaccess try:
Code:
php_value disable_functions = ""
This can however not be done with php-cgi. It should be possible with mod_php with mod_ruid, but still I don't know if it will override.

Else maybe someone else has to advise you on how to do it. Probably with a vhost via admin settings.
 
So this in a .htaccess gives me a 500 Server error:

php_value disable_functions = "proc_open"

I would really only want to allow it for one user and not globally.
 
I've been reading some further. Seems it can't be done in .htaccess this way.
Probably only via vhost but I don't know how to do it. Hope somebody else can point it out for you.
 
I could be wrong as I am new as well.. I would check this.

First do you have secure_php set as yes or no?

If yes it overwrites the disable list every time it runs.

Also do you have htscanner set to yes? It's for configuring php in htaccess files (if you need to).

Code:
cd /usr/local/directadmin/custombuild
./build options

In the output is htscanner no?

Also you could just go to

Code:
cat options.conf


then see what is set.
Code:
secure_php=yes
htscanner=no

I found this as well https://help.directadmin.com/item.php?id=636
 

Edit: I tried the link you provided but it didn't work. I didn't get an error in DA but proc_open is still disabled as it seems.

Also if relevant, my options.conf:

#PHP Settings
php1_release=7.2
php1_mode=php-fpm
php2_release=5.6
php2_mode=php-fpm
secure_php=yes
opcache=yes
htscanner=no
php_ini=no
php_timezone=Europe/Paris
php_ini_type=production
ioncube=no
zend=no
suhosin=no
x_mail_header=yes

#MySQL Settings
mysql=5.6
mariadb=10.3
mysql_inst=mariadb
mysql_backup=yes
mysql_backup_gzip=no
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no

#WEB Server Settings
webserver=apache
http_methods=GET:HEAD:POST
litespeed_serialno=trial
modsecurity=no
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
userdir_access=yes
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=censored
redirect_host_https=no

#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no

#ClamAV-related Settings
clamav=no
clamav_exim=yes
modsecurity_uploadscan=no
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

#Mail Settings
exim=yes
eximconf=no
eximconf_release=4.5
blockcracking=no
easy_spam_fighter=no
spamd=no
sa_update=daily
dovecot=yes
dovecot_conf=yes
pigeonhole=no

#FTP Settings
ftpd=pureftpd

#Statistics Settings
awstats=no
webalizer=yes

#CustomBuild Settings
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files6.directadmin.com

#Cronjob Settings
cron=yes
cron_frequency=weekly
email=censored
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes

#CloudLinux Settings
cloudlinux=no
cloudlinux_beta=no
cagefs=no

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=yes
new_pcre=no

php3_release=no
php4_release=no
php3_mode=php-fpm
php4_mode=php-fpm
maildir_compress=no
mail_compress=no
imagick=no
 
It rewrites all the configs, so if you changed some config you need to run it, or nothing gets rewritten out.

Oh that is interesting. So if I change my "custom php-fpm config" it will not take effect until I run "./build rewrite_confs button".
Shouldn't this option also be available in the "CustomBuild Plugin" within DA?
 
It is. It's called Update Software configuration > Rewrite WEB server config

Rewrite WEB server configuration files: Rewrites Apache/Nginx WEB server configuration files (useful when configuration got corrupted or needs to be updated). WARNING: customizations must be present in 'custom/' folder, otherwise they will be lost.
 
Uh the warning worries me though. Does this command overwrite all configs/settings to its stock value?
 
Always. Customizations are never to be done in the stock files. They need to be placed in the custom areas, like here. Example help files:

https://help.directadmin.com/item.php?id=2

https://help.directadmin.com/item.php?id=3

https://help.directadmin.com/item.php?id=636

If you did all the config settings in the custom areas like you should, they won't get overwritten. It just "regenerates" them.
 
You don't need to do rewrite_confs after changing "Custom HTTPD Configurations", you only need to restart or reload php-fpm. To enable proc_open for only one user, you do this:

In DirectAdmin control panel on admin level you click: "Custom HTTPD Configurations", then search for a domain that is in the user account you want to edit. It does not matter which domain, as long as it is in the user account you want to edit. Then click "(php-fpm 7.2)" to the right of the domain. Then add this in the field "php-fpm 7.2 |CUSTOM2|":

Code:
php_admin_value[disable_functions]=

This will remove all disable_functions in PHP for that user account. If you only want to remove proc_open, then you have to add the rest of the disable_functions after =

Then restart or reload php-fpm. I think a reload is enough:

Code:
systemctl reload php-fpm72.service

If it does not work, then do a restart instead.
 
Thanks Ditto
 
Hey there,
I tried your approach but it still doesn't work.

php-fpm 7.2. Custom2:
php_admin_value[disable_functions] = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

I then reloaded the service.. no change.. I then restarted the server... no change :/

@edit:
I also tried "php_admin_value[disable_functions]=" to enable all functions.. still no change (after a restart of the service) :/
 
You say you restarted the server, but what do you mean by that? Did you restart Apache or php-fpm72? Please do:

Code:
systemctl restart php-fpm72.service

If it still does not work, maybe you have more than one PHP version installed, and maybe the site is using another PHP version and not PHP 7.2.x?

Maybe it is more effective to open a ticket at tickets.directadmin.com, I am sure they can help you in a short time.
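
Added example, not from any poster in this thread or from DirectAdmin: the PHP manual's FPM configuration page notes that disable_functions set through php_admin_value does not overwrite the php.ini value but is appended to it, which is consistent with the "no change" reported above. The script models that union over constructed sample configs (all variable and function names are made up for illustration, and the global list is assumed to contain proc_open) and shows the one layout that leaves proc_open enabled for a single pool: keep it out of the global list and append it in every other pool.

```shell
#!/usr/bin/env bash
# Constructed sample configs (not from a real server); lists are shortened.
GLOBAL_INI='disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,popen'
GLOBAL_INI_RELAXED='disable_functions = exec,system,passthru,shell_exec,proc_close,popen'
POOL_EMPTY='php_admin_value[disable_functions]='
POOL_LIST='php_admin_value[disable_functions] = exec,system,passthru,shell_exec,proc_close,popen'
POOL_OTHER_USER='php_admin_value[disable_functions] = proc_open'

# Value of disable_functions from php.ini text on stdin (last assignment wins).
ini_disabled() {
  sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' | tail -n 1 | tr -d '" '
}

# Value of php_admin_value[disable_functions] from pool config text on stdin.
pool_disabled() {
  sed -n 's/^[[:space:]]*php_admin_value\[disable_functions][[:space:]]*=[[:space:]]*//p' \
    | tail -n 1 | tr -d '" '
}

# effective_disabled <php.ini text> <pool text>
# FPM appends the pool list to the php.ini list, so the result is the union.
effective_disabled() {
  {
    printf '%s\n' "$1" | ini_disabled
    printf '%s\n' "$2" | pool_disabled
  } | tr ',' '\n' | sed '/^$/d' | sort -u
}

# verdict <function> <php.ini text> <pool text> -> prints "disabled" or "enabled"
verdict() {
  if effective_disabled "$2" "$3" | grep -qx -- "$1"; then
    echo disabled
  else
    echo enabled
  fi
}

echo "global list + empty pool value:        proc_open $(verdict proc_open "$GLOBAL_INI" "$POOL_EMPTY")"
echo "global list + pool list w/o proc_open: proc_open $(verdict proc_open "$GLOBAL_INI" "$POOL_LIST")"
echo "relaxed global, wiki user's pool:      proc_open $(verdict proc_open "$GLOBAL_INI_RELAXED" "$POOL_EMPTY")"
echo "relaxed global, any other pool:        proc_open $(verdict proc_open "$GLOBAL_INI_RELAXED" "$POOL_OTHER_USER")"
```

On a live server the effective value for a given site is what phpinfo() or ini_get('disable_functions') reports when run through that site's pool, not what the CLI binary reports.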
 