How to fix security recommendation from csf firewall?

[Krisauseu]

Hi,

How can I fix this, or better ask - where?

I have added the code to every PHP.ini I could find on my server, but without success:

 

[Richard G]

It's a known bug in CSF. It was only partly fixed.
Before it didn't even know where the correct php.ini files were to be found.

Since a couple of years, it's fixed so now it knows where the php.ini files reside, however, it doesn't seem to be able to detect the disable_functions line, so still throwns this settings check.

If youre php.ini files have the disable_function settings, then you can safely ignore this notice.

 

[Stije]

Check also your custombuild options.

Do you have secure_php set to yes?

 

[Krisauseu]

It was not set, now it is. Thank you.

Regards Kristian

 

[zEitEr]

Another reason the CSF/LFD security does not see the disabled functions is the following. DirectAdmin uses a custom patch, which switches off disable_functions for CLI, and makes it working only for WEB environment.

Check:

php -i | grep disable_functions

and see how it is shown in phpinfo() output, and find a list of disabled function in php.ini:

grep disable_functions /usr/local/php*/lib/php.ini

for example:

# grep disable_functions /usr/local/php*/lib/php.ini
/usr/local/php54/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
/usr/local/php56/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
/usr/local/php72/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
/usr/local/php74/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
/usr/local/php81/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
/usr/local/php82/lib/php.ini:disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

Even if it's a false positive, then it's only half true.

 

[Richard G]

DirectAdmin uses a custom patch, which switches off disable_functions for CLI,

Aha! That was unknown to me, and probably to CSF devs too. So this is the reason that CSF does know the php.ini locations but don't discover correctly, probably because they use the CLI command.

Indeed on my servers:

root@server# php -i | grep disable_functions
disable_functions => no value => no value

In phpinfo() and the php.ini of the various php versions, they all are showing correctly.

 

[Krisauseu]

root@server:~# php -i | grep disable_functions
disable_functions => no value => no value
root@server:~# grep disable_functions /usr/local/php*/lib/php.ini
disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
root@server:~#

 

[Richard G]

Looks same as mine @Krisauseu so working correctly.