How to enable "proc_open" for one user?

zakazak

Verified User
Joined
Dec 20, 2018
Messages
34
Hi there,

on one of my users I have mediawiki installed. Mediawiki need "proc_open" for picture upload and thumbnail creation.
I just checked the custom httpd and php configs in DA-Settings but I can't find anything that has "proc_open" disabled (although it is disabled because mediawiki can't run it).

So I wonder, how can I enable "proc_open" for one specific user only?
 
Normally this is only closed in the php.ini under the line "disable_functions = proc_open" (and some more for security reasons). Which happens automatically if you choose the php safe intallation.

You might try to use a htaccess line in the users public_html (not possible with nginx) or a php.ini depending on which way you're running php.
 
Yep I expected to find "disable_functions" in the php.ini for the specific user but it wasn't in there.
I am using apache but I have no idea how to enable this function in a .htaccess file and I can't believe that it would override the php settings?
 
Yep I expected to find "disable_functions" in the php.ini for the specific user but it wasn't in there.
It's in the global php.ini at /usr/local/lib like Cpanel can also have it.

The way you are running php (php-cgi or mod_ruid for example) also determines if you would need a user's php.ini or .htaccess if I'm not mistaken. I never allow proc_open.

I'm not sure if a .htaccess can overwrite php.ini global settings, but one can always try.
Since I don't use it, I don't know either, but Googling around gave me some answers like in .htaccess try:
Code:
php_value disable_functions = ""
This can however not be done with php-cgi. It should be possible with mod_php with mod_ruid, but still I don't know if it will override.

Else maybe someone else has to advise you on how to do it. Probably with a vhost via admin settings.
 
So this in a .htaccess give me a 500 Server error:

php_value disable_functions = "proc_open"

I would really only want to allow it for one user and not globally.
 
I've been reading some further. Seems it can't be done in .htaccess this way.
Probably only via vhost but I don't know how to do it. Hope somebody else can point it out for you.
 
I could be wrong as I am new as well.. I would check this.

First do you have secure_php set as yes or no?

If yes it overwrites the disable list every time it runs.

Also do you have htscanner set to yes? its for configuing php in htaccess files (if you need to)

Code:
cd /usr/local/directadmin/custombuild
./build options

In the output is htscanner no?

Also you could just go to

Code:
cat options.conf


then see what is set.
Code:
secure_php=yes
htscanner=no

I found this as well https://help.directadmin.com/item.php?id=636
 
Last edited:
I could be wrong as I am new as well.. I would check this.

First do you have secure_php set as yes or no?

If yes it overwrites the disable list every time it runs.

Also do you have htscanner set to yes? its for configuing php in htaccess files (if you need to)

Code:
cd /usr/local/directadmin/custombuild
./build options

In the output is htscanner no?

Also you could just go to

Code:
cat options.conf


then see what is set.
Code:
secure_php=yes
htscanner=no

I found this as well https://help.directadmin.com/item.php?id=636

Edit: I tried the link you provided but it didn't work. I didn't get an error in DA but proc_open is still disabled as it seems.

Also if relevant, my options.conf:

#PHP Settings
php1_release=7.2
php1_mode=php-fpm
php2_release=5.6
php2_mode=php-fpm
secure_php=yes
opcache=yes
htscanner=no
php_ini=no
php_timezone=Europe/Paris
php_ini_type=production
ioncube=no
zend=no
suhosin=no
x_mail_header=yes

#MySQL Settings
mysql=5.6
mariadb=10.3
mysql_inst=mariadb
mysql_backup=yes
mysql_backup_gzip=no
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no

#WEB Server Settings
webserver=apache
http_methods=GET:HEAD:pOST
litespeed_serialno=trial
modsecurity=no
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
userdir_access=yes
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=censored
redirect_host_https=no

#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no

#ClamAV-related Settings
clamav=no
clamav_exim=yes
modsecurity_uploadscan=no
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

#Mail Settings
exim=yes
eximconf=no
eximconf_release=4.5
blockcracking=no
easy_spam_fighter=no
spamd=no
sa_update=daily
dovecot=yes
dovecot_conf=yes
pigeonhole=no

#FTP Settings
ftpd=pureftpd

#Statistics Settings
awstats=no
webalizer=yes

#CustomBuild Settings
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files6.directadmin.com

#Cronjob Settings
cron=yes
cron_frequency=weekly
email=censored
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes

#CloudLinux Settings
cloudlinux=no
cloudlinux_beta=no
cagefs=no

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=yes
new_pcre=no

php3_release=no
php4_release=no
php3_mode=php-fpm
php4_mode=php-fpm
maildir_compress=no
mail_compress=no
imagick=no
 
Last edited:
Last edited:
It rewrites all the configs. so if you changed some config you need to run it. OR nothing gets rewritten out.

Oh that is interesting. So if I change my "custom php-fpm config" it will not take effect until I run "./build rewrite_confs button".
Shouldn't this option also be available in the "CustomBuild Plugin" within DA?
 
Oh that is interesting. So if I change my "custom php-fpm config" it will not take effect until I run "./build rewrite_confs button".
Shouldn't this option also be available in the "CustomBuild Plugin" within DA?

It is.. its called Update Software configuration > Rewrite WEB server config

Rewrite WEB server configuration filesRewrites Apache/Nginx WEB server configuration files (useful when configuration got corrupted or needs to be updated). WARNING: customizations must be present in 'custom/' folder, otherwise they will be lost.
 
It is.. its called Update Software configuration > Rewrite WEB server config

Rewrite WEB server configuration filesRewrites Apache/Nginx WEB server configuration files (useful when configuration got corrupted or needs to be updated). WARNING: customizations must be present in 'custom/' folder, otherwise they will be lost.

Uh the warning worries me though. Does this command overwrite all configs/settings to its stock value?
 
Uh the warning worries me though. Does this command overwrite all configs/settings to its stock value?

Always. customization are never to be done in the stock files. They need to be place in the custom areas. like here.. Example help files

https://help.directadmin.com/item.php?id=2

https://help.directadmin.com/item.php?id=3

https://help.directadmin.com/item.php?id=636

If you did all the config settings in the custom areas like you should they wont get over written. I just "regenerates" them.
 
Last edited:
Oh that is interesting. So if I change my "custom php-fpm config" it will not take effect until I run "./build rewrite_confs button".
Shouldn't this option also be available in the "CustomBuild Plugin" within DA?

You don't need to do rewrite_confs after changing "Custom HTTPD Configurations", you only need to restart or reload php-fpm. To enable proc_open for only one user, you do this:

In DirectAdmin control panel on admin level you click: "Custom HTTPD Configurations", then search for a domain that is in the user account you want to edit, does not matter wich domain, as long as it is in the user account you want to edit. Then click "(php-fpm 7.2)" to the right of the domain. Then add this in the field "php-fpm 7.2 |CUSTOM2|":

Code:
php_admin_value[disable_functions]=

This will remove all disable_functions in PHP for that user account. If you only want to remove proc_open, then you have to add the rest of the disable_functions after =

Then restart or reload php-fpm. I think a reload is enough:

Code:
systemctl reload php-fpm72.service

If it does not work, then do a restart instead.
 
You don't need to do rewrite_confs after changing "Custom HTTPD Configurations", you only need to restart or reload php-fpm. To enable proc_open for only one user, you do this:

In DirectAdmin control panel on admin level you click: "Custom HTTPD Configurations", then search for a domain that is in the user account you want to edit, does not matter wich domain, as long as it is in the user account you want to edit. Then click "(php-fpm 7.2)" to the right of the domain. Then add this in the field "php-fpm 7.2 |CUSTOM2|":

Code:
php_admin_value[disable_functions]=

This will remove all disable_functions in PHP for that user account. If you only want to remove proc_open, then you have to add the rest of the disable_functions after =

Then restart or reload php-fpm. I think a reload is enough:

Code:
systemctl reload php-fpm72.service

If it does not work, then do a restart instead.
Thanks Ditto
 
You don't need to do rewrite_confs after changing "Custom HTTPD Configurations", you only need to restart or reload php-fpm. To enable proc_open for only one user, you do this:

In DirectAdmin control panel on admin level you click: "Custom HTTPD Configurations", then search for a domain that is in the user account you want to edit, does not matter wich domain, as long as it is in the user account you want to edit. Then click "(php-fpm 7.2)" to the right of the domain. Then add this in the field "php-fpm 7.2 |CUSTOM2|":

Code:
php_admin_value[disable_functions]=

This will remove all disable_functions in PHP for that user account. If you only want to remove proc_open, then you have to add the rest of the disable_functions after =

Then restart or reload php-fpm. I think a reload is enough:

Code:
systemctl reload php-fpm72.service

If it does not work, then do a restart instead.

Hey there,
I tried your approach but it still doesn't work.

php-fpm 7.2. Custom2:
php_admin_value[disable_functions] = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

I then reloaded the service.. no change.. I then restarted the server... no change :/

@edit:
I also tried "php_admin_value[disable_functions]=" to enable all functions.. still no change (after a restart of the service) :/
 
Last edited:
Hey there,
I tried your approach but it still doesn't work.

php-fpm 7.2. Custom2:


I then reloaded the service.. no change.. I then restarted the server... no change :/

@edit:
I also tried "php_admin_value[disable_functions]=" to enable all functions.. still no change (after a restart of the service) :/

You say you restarted the server, but what do you mean by that? Did you restart Apache or php-fpm72? Please do:

Code:
systemctl restart php-fpm72.service

If it still does not work, maybe you have more then one PHP version installed, and maybe the site is using another PHP version and not PHP 7.2.x?

Maybe it is more effectiv to open at ticket at tickets.directadmin.com, I am sure they can help you in a short time.
 
Back
Top