Security PHP Defaults, with override a possibility

S

sdrawkcab

Verified User
Joined
Aug 18, 2009
Messages
26
Hello,

I am looking to make some changes to the master php.ini to disable the following functions by default, however am needing advice on how to set this up so that users can override them on an as-needed basis. Wether it's me making the changes as needed to a root-owned php.ini file in each user's directory, and overriding the following parameters less the one function which is needed, or wether it is allowing .htaccess overrides. I would appreciate some advice as in researching this general topic out on google I am getting mixed advice through found results.

Functions I want to disable, and only enable on an as needed basis:

disable_functions =
"passthru,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,dl,pclose,proc_nice,proc_terminate,proc_get_status,proc_close,leak,apache_child_terminate,shell-exec,exec,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_u,symlink,ini_restore,posix_getpwuid,system,pfsockopen,readfile,escapeshellarg,escapeshellcmd,proc_close,ini_alter,parse_ini_file,pcntl_exec,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,copy,curl_exec,tempnam,shell_exec"
 
If I put them in my master php.ini, I do not seem to be able to override them with .htaccess or php.ini in any of the user's directories.

So I am either able to block them with the master php.ini, or not at all. How can I allow users to override it if I use the master php.ini to disable functions by default?
 
That is not possbile.
The only way you can add them via php_admin value in httpd user's config file.
 
One one of the cPanel servers I use, it is setup so that in the master php.ini such functions are disabled. However, users can create a php.ini in the same directory as a php script which they wish to use (containing a function they want to re-enable), and override which functions are disabled. They just re-define the disabled functions, omitting the ones they want to re-enable, and it works.

I have used it, and done it, and seen the master php.ini

Any thoughts?
 
Wouldn't that defeat the purpose of disabling them in the master php.ini file? If you are going to allow users to enable those functions themselves then there is no security.
 
Sure, that's debatable. But I'm not here to debate it. I just want to know technically how it is possible, as I've seen it done. If you have insights as to how it's done, or how it could be done then I'd love to hear it.

P.S. when it's done, it's done by staff, and the ownership of the file is set to root:root. Not sure if the setup is configured to only look for php.ini's owned by root:root or not.
 
sdrawkcab said:
P.S. when it's done, it's done by staff, and the ownership of the file is set to root:root. Not sure if the setup is configured to only look for php.ini's owned by root:root or not.
Click to expand...

That is different than what you said before.

sdrawkcab said:
However, users can create a php.ini
Click to expand...


sdrawkcab said:
Sure, that's debatable. But I'm not here to debate it. I just want to know technically how it is possible
Click to expand...

I am not here to debate it either. My point in saying it is that I did not think the php developers would be that stupid to include such as way of doing that and therefore do not think it is technically possible.

You are going to have to compare your old set up with what you have now.

I know users can have their own php.ini when suphp is used and php run as a cgi. Maybe your new setup is running php as a module. I still think it would be horrible for php developers to allow users to override security measures and therefore hope that you are wrong in that it is indeed possible.

If it is possible I want to know its done so I know how to never let that happen.
 
floyd said:
Maybe your new setup is running php as a module.
Click to expand...
I haven't read anything official on the subject. That said: I'd hope that eventually PHP as a module will either became deprecated or impossible, so we'll all have to become more secure.

Jeff
 
You must log in or register to reply here.
Back
Top