Security PHP Defaults, with override a possibility

sdrawkcab

Verified User
Joined
Aug 18, 2009
Messages
26
Hello,

I am looking to make some changes to the master php.ini to disable the following functions by default, however am needing advice on how to set this up so that users can override them on an as-needed basis. Wether it's me making the changes as needed to a root-owned php.ini file in each user's directory, and overriding the following parameters less the one function which is needed, or wether it is allowing .htaccess overrides. I would appreciate some advice as in researching this general topic out on google I am getting mixed advice through found results.

Functions I want to disable, and only enable on an as needed basis:

disable_functions =
"passthru,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,dl,pclose,proc_nice,proc_terminate,proc_get_status,proc_close,leak,apache_child_terminate,shell-exec,exec,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_u,symlink,ini_restore,posix_getpwuid,system,pfsockopen,readfile,escapeshellarg,escapeshellcmd,proc_close,ini_alter,parse_ini_file,pcntl_exec,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,copy,curl_exec,tempnam,shell_exec"
 

sdrawkcab

Verified User
Joined
Aug 18, 2009
Messages
26
If I put them in my master php.ini, I do not seem to be able to override them with .htaccess or php.ini in any of the user's directories.

So I am either able to block them with the master php.ini, or not at all. How can I allow users to override it if I use the master php.ini to disable functions by default?
 

localhost

Verified User
Joined
Aug 17, 2007
Messages
164
Location
Moldova
That is not possbile.
The only way you can add them via php_admin value in httpd user's config file.
 

sdrawkcab

Verified User
Joined
Aug 18, 2009
Messages
26
One one of the cPanel servers I use, it is setup so that in the master php.ini such functions are disabled. However, users can create a php.ini in the same directory as a php script which they wish to use (containing a function they want to re-enable), and override which functions are disabled. They just re-define the disabled functions, omitting the ones they want to re-enable, and it works.

I have used it, and done it, and seen the master php.ini

Any thoughts?
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,330
Wouldn't that defeat the purpose of disabling them in the master php.ini file? If you are going to allow users to enable those functions themselves then there is no security.
 

sdrawkcab

Verified User
Joined
Aug 18, 2009
Messages
26
Sure, that's debatable. But I'm not here to debate it. I just want to know technically how it is possible, as I've seen it done. If you have insights as to how it's done, or how it could be done then I'd love to hear it.

P.S. when it's done, it's done by staff, and the ownership of the file is set to root:root. Not sure if the setup is configured to only look for php.ini's owned by root:root or not.
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,330
P.S. when it's done, it's done by staff, and the ownership of the file is set to root:root. Not sure if the setup is configured to only look for php.ini's owned by root:root or not.
That is different than what you said before.

sdrawkcab said:
However, users can create a php.ini

sdrawkcab said:
Sure, that's debatable. But I'm not here to debate it. I just want to know technically how it is possible
I am not here to debate it either. My point in saying it is that I did not think the php developers would be that stupid to include such as way of doing that and therefore do not think it is technically possible.

You are going to have to compare your old set up with what you have now.

I know users can have their own php.ini when suphp is used and php run as a cgi. Maybe your new setup is running php as a module. I still think it would be horrible for php developers to allow users to override security measures and therefore hope that you are wrong in that it is indeed possible.

If it is possible I want to know its done so I know how to never let that happen.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Maybe your new setup is running php as a module.
I haven't read anything official on the subject. That said: I'd hope that eventually PHP as a module will either became deprecated or impossible, so we'll all have to become more secure.

Jeff
 
Top