ini_set() disabled but error with pear

jonium

Verified User
Joined
Nov 10, 2010
Messages
129
Location
Alezio - Lecce- Apulia - South Italy
Hello,
I recently migrated some hostings from an old Debian box with DA to a CentOS one with DA, CB 2.0 plugin, suhosin, mod_php (5.5), mod_ruid2.
It seems that PEAR libs do not work because of this error:
PHP Warning: ini_set() has been disabled for security reasons in /usr/local/lib/php/pearcmd.php on line 31
I'd like to leave ini_set disabled for security; is there a way to fix it?

Thanks
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
Why do you think you need to disable ini_set? Enable it again.
 

jonium

Hello scsi,
Following the instructions in the firewall check of CSF/LFD, I went into php.ini and uncommented the row of disable functions, but in that row there are more functions than in the CSF/LFD instructions... :eek:

Thanks
 

jonium

After removing ini_set from the disabled functions I re-ran the firewall check and got:
Check php for ini_set disabled
You should consider adding ini_set to the disable_functions in the PHP configuration as this setting allows PHP scripts to override global security and performance settings for PHP scripts. Adding ini_set can break PHP scripts and commenting out any use of ini_set in such scripts is advised
... :confused:
It's a shared hosting server.
 

Bujail

Verified User
Joined
Apr 1, 2015
Messages
8
ini_set() disabled in phpmyadmin

This is an issue that I am interested in.
Thank you for sharing information.
I have the same problem. Did you find any solution for this? If yes, can you share it please?
I am using CB 2.0.
 

zmippie

Verified User
Joined
Apr 19, 2015
Messages
142
I think some of CSF/LFD's security advice can sometimes be a bit off. On my box it's complaining about a missing Apache binary, hence I'm getting a lower security score. I only have NGINX as a web server, so yes, there is no Apache binary. Is that a security risk? CSF/LFD also likes to look into the wrong Dovecot config at /etc/dovecot.conf (which I think shouldn't be there in the first place, but CustomBuild seems to put it back) to conclude that the cipher suite isn't strong enough. I wonder if it drills down into the real (split) Dovecot config, but that's easy to test of course.
 