overwrite disable_function for an user

santovito

Verified User
Joined
Nov 23, 2008
Messages
137
Hi everyone,

I've this problem:

in /usr/local/php55/lib/php.ini I've this parameter:

=========
disable_functions = ini_restore, sscanf, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
=========

If I wanted to enable exec function (for example) for a specific user and I edit this parameter into php-fpm 5.5.conf of this user

========
disable_functions = ini_restore, sscanf, popen, pclose, system, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
========

phpinfo() view the edited and in disable_function don't result the exec function, but if I use exec function in php script there is still this error:

Warning: exec() has been disabled for security reasons in


Can I fix this problem?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Hello,

For PHP-FPM you can use /usr/local/directadmin/data/users/<username>/php/php-fpm55.conf for customizing it. Restart of PHP-FPM is required.
Or use /usr/local/directadmin/data/users/<username>/php/<domainname>.ini for PHP-FastCGI
 

santovito

Verified User
Joined
Nov 23, 2008
Messages
137
Hello,

For PHP-FPM you can use /usr/local/directadmin/data/users/<username>/php/php-fpm55.conf for customizing it. Restart of PHP-FPM is required.
This is the problem :) I’ve used this file for overwrite. But if I type phpinfo() it's correct (exec is enable) but the function is still disabled

I never had this problem for another server. This problem can depend on Suhosin?
 

santovito

Verified User
Joined
Nov 23, 2008
Messages
137
Hi,

sorry for my late.

For example, if I wanted to enable the function sscanf () I do:

- check phpinfo and see sscanf() are disabled (pre_edit.jpg file attachment)

- add line "php_admin_value[disable_functions] = ini_restore, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg" in "|CUSTOM2|" in CMD_CUSTOM_HTTPD?user=username&php-fpm=5.5

- check phpinfo and see sscanf() are enabled (post_edit.jpg file attachment)

- in website are still error (error.jpg file attachment)

If I edit /usr/local/php55/lib/php.ini sscanf() function was enabled successfully.

Any Idea?
 

Attachments

santovito

Verified User
Joined
Nov 23, 2008
Messages
137
I've type

systemctl restart nginx.service
systemctl restart httpd.service
systemctl restart php-fpm55.service

but problem there is still
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
438
Location
Arnhem, NL
Did you find a solution for this? I tried the same with:

Code:
php_admin_value[disable_functions] =
But it didn't work. With phpinfo() it shows that there aren't any disabled functions, but is it still not working. Apparently you can't overwrite this value, only in php.ini:

http://php.net/manual/en/ini.list.php

For now i have a workaround by just copying the default php.ini, put in in the users homedir and run php scripts with php -c /path/to/phpini.

// I am trying to implement the first method described here;

https://forum.directadmin.com/showthread.php?t=46855

But that isn't working either. :(
 
Last edited:

shivahost

Verified User
Joined
Mar 7, 2013
Messages
209
try this:

at the end of your server php.ini file add:

[PATH=/home/[COLOR="#FF0000"]username[/COLOR]]
disable_functions = what you want!
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
438
Location
Arnhem, NL
Thanks for the suggestion but that also doesn't work with php-fpm. :(

I ended up with ignoring the disable_functions in the main php.ini file and in DirectAdmin -> Custom Httpd configs -> php configs i placed this in the users that needs to have the functions disabled:

php_admin_value[disable_functions] = funcs here

I tested it with multiple functions and that works great. Much more configurable to do so per user than to have it in the main .ini file. Also this can't be changed in the application because of the php_admin_value.

If anyone has a better solution please post it. :)
 

crenet

Verified User
Joined
Sep 23, 2019
Messages
114
I follow these but I still can not disable exec function.

I add these functions to the DA custom domain HTTPD settings -> php-fpm.conf (7.3)

php_admin_value[disable_functions] = ini_restore, popen, pclose, system, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg

Restart php-fpm73 service and still get the the error "exec() has been disabled for security reasons" on the domain.

How can we allow exec function ?

Code:
# ./build options
Apache: 2.4.41
mod_ruid2: no
ModSecurity: 2.9.3
ModSecurity Rule Set: comodo
htscanner: no
Dovecot: 2.3.9.2
Dovecot configuration: yes
AWstats: no
Exim: 4.93.0.4
exim.conf update: yes, release 4.5
BlockCracking: yes
Easy Spam Fighter: yes
Rspamd: 1.8.1
ClamAV: no
MySQL: 5.7.27
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.3 as php-fpm
PHP (additional): 7.2 as php-fpm
phpMyAdmin: 4.9.4-all-languages
ProFTPD: no
Pure-FTPd: 1.0.49
RoundCube webmail: 1.4.2
Replace "php.ini" with './build all' and './build php_ini': no
Cron for notifications and (or) updates: yes
Cron frequency: daily
Auto notifications: yes
Auto notifications email address: email@domain.com
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: no
Zend Guard Loader: no
ionCube loader: no
Suhosin: no
 

Nickske00

Verified User
Joined
Nov 30, 2015
Messages
28
Is it still listed in the main php.ini? You can add extra disabled functions on user level, but you can't 'remove' the ones listed in the main php.ini.
 
Top