Overwrite disable_function for a user

santovito

Hi everyone,

I have this problem:

In /usr/local/php55/lib/php.ini I have this parameter:

=========
disable_functions = ini_restore, sscanf, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
=========

If I want to enable the exec function (for example) for a specific user, I edit this parameter in the php-fpm 5.5.conf of this user:

========
disable_functions = ini_restore, sscanf, popen, pclose, system, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
========

phpinfo() shows the edited value and the exec function does not appear in disable_function, but if I use the exec function in a PHP script there is still this error:

Warning: exec() has been disabled for security reasons in


Can I fix this problem?
 
Hello,

For PHP-FPM you can use /usr/local/directadmin/data/users/<username>/php/php-fpm55.conf for customizing it. Restart of PHP-FPM is required.
Or use /usr/local/directadmin/data/users/<username>/php/<domainname>.ini for PHP-FastCGI
 
This is the problem :) I've used this file for the overwrite. If I call phpinfo() it's correct (exec is enabled), but the function is still disabled.

I never had this problem on another server. Can this problem depend on Suhosin?
 
Hi,

Sorry for my late reply.

For example, if I want to enable the function sscanf(), I do the following:

- check phpinfo and see that sscanf() is disabled (pre_edit.jpg file attachment)

- add line "php_admin_value[disable_functions] = ini_restore, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg" in "|CUSTOM2|" in CMD_CUSTOM_HTTPD?user=username&php-fpm=5.5

- check phpinfo and see that sscanf() is enabled (post_edit.jpg file attachment)

- on the website there is still an error (error.jpg file attachment)

If I edit /usr/local/php55/lib/php.ini, the sscanf() function is enabled successfully.

Any idea?
 

I've typed

systemctl restart nginx.service
systemctl restart httpd.service
systemctl restart php-fpm55.service

but the problem is still there
 
Did you find a solution for this? I tried the same with:

Code:
php_admin_value[disable_functions] =

But it didn't work. With phpinfo() it shows that there aren't any disabled functions, but it is still not working. Apparently you can't overwrite this value, only in php.ini:

http://php.net/manual/en/ini.list.php

For now I have a workaround: just copy the default php.ini, put it in the user's homedir and run PHP scripts with php -c /path/to/phpini.

// I am trying to implement the first method described here;

https://forum.directadmin.com/showthread.php?t=46855

But that isn't working either. :(
 
try this:

at the end of your server php.ini file add:

[PATH=/home/username]
disable_functions = what you want!
 
Thanks for the suggestion but that also doesn't work with php-fpm. :(

I ended up ignoring the disable_functions in the main php.ini file, and in DirectAdmin -> Custom Httpd configs -> php configs I placed this for the users that need to have the functions disabled:

php_admin_value[disable_functions] = funcs here

I tested it with multiple functions and that works great. Much more configurable to do so per user than to have it in the main .ini file. Also this can't be changed in the application because of the php_admin_value.

If anyone has a better solution please post it. :)
 
I followed these but I still cannot disable the exec function.

I added these functions to the DA custom domain HTTPD settings -> php-fpm.conf (7.3)

php_admin_value[disable_functions] = ini_restore, popen, pclose, system, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg

I restarted the php-fpm73 service and still get the error "exec() has been disabled for security reasons" on the domain.

How can we allow the exec function?

Code:
# ./build options
Apache: 2.4.41
mod_ruid2: no
ModSecurity: 2.9.3
ModSecurity Rule Set: comodo
htscanner: no
Dovecot: 2.3.9.2
Dovecot configuration: yes
AWstats: no
Exim: 4.93.0.4
exim.conf update: yes, release 4.5
BlockCracking: yes
Easy Spam Fighter: yes
Rspamd: 1.8.1
ClamAV: no
MySQL: 5.7.27
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.3 as php-fpm
PHP (additional): 7.2 as php-fpm
phpMyAdmin: 4.9.4-all-languages
ProFTPD: no
Pure-FTPd: 1.0.49
RoundCube webmail: 1.4.2
Replace "php.ini" with './build all' and './build php_ini': no
Cron for notifications and (or) updates: yes
Cron frequency: daily
Auto notifications: yes
Auto notifications email address: [email protected]
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: no
Zend Guard Loader: no
ionCube loader: no
Suhosin: no
 
Is it still listed in the main php.ini? You can add extra disabled functions on user level, but you can't 'remove' the ones listed in the main php.ini.
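
The rule in the reply above (a PHP-FPM pool can add to the disabled list but cannot remove what the main php.ini disables) can be checked before touching a server. The following audit sketch is an added example, not part of the thread or of DirectAdmin; the function names and the two sample configs are constructed for illustration.

```python
import re

def parse_disable_functions(text, fpm_pool=False):
    """Return the names on the last (uncommented) disable_functions line."""
    key = r"php_admin_value\[disable_functions\]" if fpm_pool else r"disable_functions"
    pattern = re.compile(r"^[ \t]*" + key + r"[ \t]*=[ \t]*(.*)$", re.MULTILINE)
    names = set()
    for match in pattern.finditer(text):
        # Drop an inline ';' comment and optional surrounding quotes.
        value = match.group(1).split(";")[0].strip().strip('"')
        names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def audit(main_ini, pool_conf):
    """Compare the main php.ini list with a pool override.

    Assumes the append-only behaviour described in the thread:
    effective set = php.ini list UNION pool list.
    """
    main = parse_disable_functions(main_ini)
    pool = parse_disable_functions(pool_conf, fpm_pool=True)
    return {
        "effective": sorted(main | pool),
        # In php.ini but absent from the pool line: they stay disabled.
        "still_disabled": sorted(main - pool),
        # Only in the pool line: extra restrictions for this user.
        "added_by_pool": sorted(pool - main),
    }

# Constructed sample input (shortened lists, not taken from a real server).
MAIN_INI = """
; main php.ini
disable_functions = system, exec, shell_exec, sscanf
"""
POOL_CONF = """
[username]
php_admin_value[disable_functions] = system, shell_exec, mail
"""

if __name__ == "__main__":
    for label, names in audit(MAIN_INI, POOL_CONF).items():
        print(f"{label}: {', '.join(names) or '(none)'}")
```

Any name reported under still_disabled has to be removed from the main php.ini itself; the per-user line is then the place to list what that user must not call.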
 
Basically I just want to offer my users the ability to change/update their options as they want. BTW, I am using PHP with lsphp; will it work? Or do I have to change something else?
 
@hosters.pk
I don't know about lsphp,
but in php-fpm you can set custom PHP flags like this

(Template in "directadmin/data/template/custom/php-fpm.conf")
Code:
php_admin_flag[sp.allow_broken_configuration] = off
php_admin_value[sp.configuration_file]        = /usr/local/directadmin/data/users/{user01}/snufflepagas.conf
This needs custom plugins to let users edit the config.
I don't recommend giving users full edit access to the config, and don't put the config inside their home_dir.
Ensure the file exists, otherwise it will throw an error.

I use it only to separate some users for my own purposes.
 
Hey, thank you for your support.

Which custom plugin are you talking about? Can I have a simple step-by-step guide to set this up for my users? Nowadays people have to modify things for their WordPress themes and other scripts, so no one can rely on our restrictions. I will be thankful to you :)
 