Limit "disable_functions" for one user/domain?

Richard G

Richard G

Verified User
Joined
Jul 6, 2008
Messages
13,443
Location
Maastricht
I would like to keep our servers a bit safe so we for example a line like this:
Code: 
disable_functions = system,popen,shell_exec,exec,dl,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,show_source

Now for one user or 1 domain, I would like to remove some of these, but I'm not sure if this is the correct way to do it.

I found this:

Looking at the last line. Does this also work reversed, so instead of -adding- something, can something also be -removed- this way?

Suppose when I want to remove popen, exec, escapeshellarg and proc_open from this line, would it work like this:
Code: 
php_admin_value[disable_functions] = system,shell_exec,dl,passthru,escapeshellcmd,proc_close,show_source
and put this code in the custom2 block?
Or does this trick only work for adding things to this line.

Additionaly, do we still need those 4 things for security, so should we keep them in there anyway? I hear more people saying it doesn't do a lot anymore, and for Xenforo they like this enabled.
 
You can’t overwrite (remove) functions from disable_functions defined in your php.ini, only add more per user.

As an alternative you leave disable_functions empty in php.ini and add it for every user, so you can allow some functions for specific users. But if you have a lot of users that’s not really easy to manage
 
Alex has this

How to customize PHP disable_functions in DirectAdmin

The directive "disable_functions" allows to disable certain functions. It takes on a comma-delimited list of function names. DirectAdmin uses the directive for security purposes, and here is a way how to customise it.
help.poralix.com help.poralix.com

I have the ones in the CSF "check security tool"
exec, system, passthru, shell_exec, proc_close, proc_open, show_source
 
Thank you both. So in fact, it's not possible what I want.

@bdacus01 That link is only to change the "build secure_php" option.
CSF indeed checks them.

However, Xenforo likes them enabled. Some even required to use the php mail function of the forum. There are also ways around them for hackers according to a Xenforo dev.
So that's why I was wondering how insecure they would be nowadays with php-fpm.
As Xenforo is growing more and more, then more customers will want this enabled.
 
Richard G said:
disable_functions
Click to expand...
is ./build secure_php

CustomBuild 2.0 FAQ (DirectAdmin 1.46 or later is recommended)

CustomBuild 2.0 plugin to control CustomBuild from DirectAdmin UI: http://forum.directadmin.com/showthread.php?t=48989 1. What is custombuild? Custombuild is a tool, which can install/update: Apache AWstats Autoconf Automake ClamAV cURL Dovecot Exim configuration files FreeType GD htscanner...
forum.directadmin.com forum.directadmin.com

23. Is it possible to make PHP more secure using the CustomBuild script?
Yes, it is. You need to run "./build secure_php". At the moment it disables some dangerous PHP functions as:
Code:
exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl, popen, show_source

Yes best I understand is you can only add as per user not take away like in the
I found this:
https://help.directadmin.com/item.php?id=636
 
bdacus01 said:
is ./build secure_php
Click to expand...
Yes I know. But this implements some defaults. What you were pointing to at Poralix is only to change those defaults. So that's why I said it's to "change the ./build secure_php option".

I don't really understand what you are trying to explain in your reply?

The last link you pointed to, is the same one I am pointing to in my initial question, so that was already found. ;)
 
Richard G said:
disable_functions = system,popen,shell_exec,exec,dl,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,show_source
Click to expand...
so let's say you had this set in the server globally
at the user level you could only add more to the list like
Richard G said:
disable_functions = system,popen,shell_exec,exec,dl,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,show_source,brent,mail
Click to expand...
This would keep all the global items out and me and mail on the user domain level in custom 2.

you cant take away if you put in at the user level
Richard G said:
disable_functions = system,popen,shell_exec,exec,dl,passthru,escapeshellarg
Click to expand...
the global would still block
escapeshellcmd,proc_close,proc_open,show_source
Click to expand...
as well. you can only add to not take away.
 
bdacus01 said:
This would keep all the global items out and me and mail on the user domain level in custom 2
Click to expand...
Take out? I don't understand this expression. I presume you mean that it will keep all global items and add you and mail. That's what it says and that's how I understood it.

bdacus01 said:
you can only add to not take away.
Click to expand...
Thank you but I understood that already.
See the first line of my reply #4.

I was only still wondering about the insecurity of things if they were enabled globally due to more customers using Xenforo would probably going to ask this at more hosters.
 
The more you add in the list the more secure it is because they are disabled meaning they can’t be used or exploited.
Good/secure/disabled
disable_functions =system,popen,shell_exec,exec,dl,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,show_source

if you had no entries disabled it means those entries or functions are all available for use and not secured.
Bad/insecure/not disabled
disable_functions =

take out = remove entries
 
LoL, I think you're not understanding what I mean. I know how it works. :)

In general, more people are saying that popen, exec and 2 others are not that necessary anymore in disabled_functions and don't really add to security anymore because they can be bypassed anyway.
So I'm wondering how others think about that.

Even better, I found the thread, have a look at this:
xenforo.com

Various disable function_warnings, why?

I've read over the forums and I'm about to buy my Xenforo, however, I'm not really comfortable with this: 1. Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo. 2. Your server has disabled a core PHP...
xenforo.com xenforo.com
especially the ansers in post #2 and #6 which are from a moderator and a dev.
 
I assume you're using PHP-FPM?

You would have to set the disable_function directive in the php.ini file to an empty set. Any function listed in the php.ini file for this directive is disabled entirely, set it stone, and cannot be re-enabled.

Then set each php-fpm pool to include a:

Code: 
php_admin_value[disable_functions] = ...

list of disabled functions, then add/remove from that directive for that specific pool.

Not sure if DirectAdmin's php-fpm pool system has a template that it uses where you can define all of this. My own systems deviate a bit from the DirectAdmin's bible of doing this. I use a different system and a series of post account hooks to define all of this. You may need to look at scripting something on a hookable event (after account creation) to set this accordingly.

If this is an already running system, then you may have to loop through all users or all php-fpm pools and add a disable_function php_admin_value to each of those pools.
 
sparek said:
list of disabled functions, then add/remove from that directive for that specific pool.
Click to expand...
That might be an idea indeed.

This is indeed an already running system, and I was looking for an easy solution without having to customize all users or all php-fpm pools. Which isn't possible unfortunately.

So I think I will just leave it as is for the moment.
But thank you for the idea.
 
Richard G said:
So I'm wondering how others think about that.
Click to expand...
I haven't seen and documentation from Security experts that say "you dont need them"

I get what the DEV guy said but he is a dev not a security person. Sure when someone owns the box that's a issue. I dont leave the keys to my car on the hood either. Just because I know someone could break in and hot wire it.. Their goal is to sell software.

Just because there are documented ways around something doesnt mean you dont do it.
 
bdacus01 said:
Just because there are documented ways around something doesnt mean you dont do it.
Click to expand...
Exactly my thougt too. However when Googling on the internet I found more comments on some of the options, that they can't be abused anyway when for example the host is using mod_ruid2 or php-fpm.
 
So it is currently not possible to disable certain PHP functions as a user (not admin)? I have been trying to add following lines (with/without spaces and quotation marks):
disable_functions="popen,shell_exec"
php_admin_value[disable_functions] = system,shell_exec,dl,passthru,escapeshellcmd,proc_close,show_source
Click to expand...

into a .user.ini and when I run a php file with:
echo 'disable_functions: ' . ini_get('disable_functions') . "<br />";
Click to expand...

then it does not show any functions as disabled. Here seems to be the same unanswered question: https://stackoverflow.com/questions/77769081/how-to-append-disable-funtions-in-user-ini
 
As far as I know it's still not possible.

There was this suggestion:
Zhenyapan

Post in thread 'Possible to make exception to PHP's disable_function list for specific user?'

@bdacus01 @peps03 @Richard G
there are easier way: "custom httpd" -> "php-fpm" -> "php-fpm Global custom2" or "php-fpm VER_number"
and there add line like:
php_admin_value[disable_functions] = mail, fileinfo
wait 1 min till php-fpm restart via cron and check phpinfo.
  • Like
but further in the thread it was said it wasn't possible when it was present in the global php.ini file.
 
You can do it via the VHOST. But you need to run PHP-FPM. Then you can just move it to the vhost and can set it up per user.

Like this:

zEitEr

Post in thread 'Disable_functions via custom_httpd'

Hello,

You can move disable_functions into PHP-FPM config, which is managed on per user bases. For this you need to:

1. configure PHP cli to use a different php.ini, e.g. php-cli.ini where you have disable_functions for cli
2. configure PHP-FPM to use a different php-ini, e.g. php-fpm.ini, where you have NO disable_functions for PHP-FPM
3. add disable_functions=|PHP_DISABLE_FUNCTION| into PHP-FPM template, with a token definition

Code: 
|?PHP_DISABLE_FUNCTION=...|

....

disable_functions=|PHP_DISABLE_FUNCTION|

4. change/update PHP_DISABLE_FUNCTION on per user bases.


That's still on...
 
You must log in or register to reply here.
Back
Top