So you blank out the main disable_functions in php.ini?
Does that way protect the CLI of PHP if you do it like #8?
@Zhenyapan @Erulezz @jamgames2
Maybe you all put a how to together on this. I have never done it this way so it might be interesting to have this documented.
Yes, I don’t use the option in the main php.ini file. Experienced a lot of issues when I first started using it. Tried it with separate ini files per user but that quickly became very messy.
- When secure_php is enabled in options.conf, it adds the functions in php.ini. You can add functions to this list with the php-fpm config for every different user, but not overwrite it. So if the mail function is in php.ini, you can’t re-enable it with per user php-fpm configs.
That’s why I just use the method described in post #8 or #18 with php_admin_value. Works great in my use case. I can enable/disable every PHP function depending on the user or application. Almost every dangerous function is disabled for WordPress, for example. For applications that I trust (Laravel, for example) and that actually need those functions, I enable it.
The only disabled function I have in php.ini is mail().
If you have 500 users on the server, then yes, maybe this is not the best way to do it.
PHP CLI ignores the disabled_functions anyway.
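An added example, not code from any poster in this thread: a small audit that merges the php.ini `disable_functions` list with each pool's `php_admin_value[disable_functions]` (php-fpm appends the pool value to the php.ini list) and reports which reviewed functions each pool still has enabled. The pool names, the sample file contents and the `BASELINE` set are assumptions made up for the illustration.

```python
import re

# Constructed sample inputs (not from the thread).
PHP_INI = """
[PHP]
; only mail() is disabled globally
disable_functions = mail
"""
POOL_CONF = """
[wordpress_user]
user = wordpress_user
php_admin_value[disable_functions] = exec,system,passthru,shell_exec,proc_open,popen

[laravel_user]
user = laravel_user
php_admin_value[disable_functions] = passthru,system
"""
# Assumed review baseline; replace with the list your own policy cares about.
BASELINE = {"exec", "system", "passthru", "shell_exec", "proc_open", "popen", "mail"}

def split_list(value):
    """Turn 'a, b,c' (optionally quoted) into a set of lower-case names."""
    value = value.strip().strip("\"'")
    return {f.strip().lower() for f in value.split(",") if f.strip()}

def ini_disabled(text):
    """Last uncommented disable_functions line in php.ini wins."""
    hits = re.findall(r"^[ \t]*disable_functions[ \t]*=[ \t]*(.*)$", text, re.M)
    return split_list(hits[-1]) if hits else set()

def pool_disabled(text):
    """Map each pool section to the functions its own config disables."""
    pools, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        sec = re.fullmatch(r"\[([^\]]+)\]", line)
        if sec:
            current = None if sec.group(1) == "global" else sec.group(1)
            if current:
                pools.setdefault(current, set())
            continue
        m = re.fullmatch(r"php_admin_value\[disable_functions\]\s*=\s*(.*)", line)
        if m and current:
            pools[current] |= split_list(m.group(1))
    return pools

def audit(php_ini, pool_conf, baseline=BASELINE):
    """Effective list per pool = php.ini list plus the pool's additions."""
    base = ini_disabled(php_ini)
    report = {}
    for name, extra in pool_disabled(pool_conf).items():
        effective = base | extra  # a pool can add entries, never remove them
        report[name] = {"disabled": sorted(effective),
                        "still_enabled": sorted(baseline - effective)}
    return report
```

The report covers FPM pools only; pool directives are applied to that pool's FPM workers and are not read by other PHP SAPIs.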