Selective PHP security per user

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
158
A mechanism is needed to be able to lock down PHP completely for some users, while opening it up for "trusted" users.
 

CanadaGuy

What do you mean by "lock down" and "opening" in regard to PHP configurations?

It is possible to have per-user php.ini settings. Check here:

I don't think those mechanisms allow you to override the "disable_functions" setting which is applied with the CB 2.0 "secure_php" option, which seems to be a global setting. php-fpm conf gives the appearance of an override, but it doesn't seem to take effect. That is my primary issue at the moment, and is what people still have issues with as per these threads:


 

CanadaGuy

disable_functions directive is controlled by php.ini
Right, so from that, then perhaps the process described here could be implemented?:


If you want proc_open enabled for a particular user, then you have to remove proc_open from the php.ini file, then add it to all of the disabled_functions php_admin_value directive for all of the php-fpm pools. Then remove it from the disabled_functions php_admin_value for the pool that you want it enabled on.
I'm just looking for a way to make php-fpm "secure_php" better than ON or OFF, to better manage users with a reasonable justification to use those functions. Personally, I think it would be nice if the frameworks themselves were designed to better match shared hosting situations, but maybe both sides need to meet in the middle somewhere.
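An added example, not part of the thread or of DirectAdmin/CustomBuild: a small audit that computes the effective disable_functions list per php-fpm pool. It relies on the documented php-fpm behaviour that a pool's disable_functions value is appended to the php.ini list rather than replacing it, which is why a pool-level "override" has no effect and why the quoted procedure moves the function out of php.ini. The pool names and function lists are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")
DIRECTIVE = re.compile(r"^php_admin_value\[disable_functions\]\s*=\s*(.*)$")

def split_list(value):
    """'exec, proc_open' (optionally quoted) -> {'exec', 'proc_open'}."""
    return {f.strip() for f in value.strip().strip("\"'").split(",") if f.strip()}

def pool_lists(fpm_conf):
    """Map each pool name to the functions its own config disables."""
    pools, current = {}, None
    for raw in fpm_conf.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if m := SECTION.match(line):
            current = None if m.group(1) == "global" else m.group(1)
            if current:
                pools.setdefault(current, set())
        elif current and (m := DIRECTIVE.match(line)):
            pools[current] |= split_list(m.group(1))
    return pools

def effective(php_ini_value, fpm_conf):
    """php-fpm appends the pool list to the php.ini list; it never replaces it."""
    base = split_list(php_ini_value)
    return {name: base | extra for name, extra in pool_lists(fpm_conf).items()}

def pools_allowing(func, php_ini_value, fpm_conf):
    """Pools in which `func` is still callable."""
    eff = effective(php_ini_value, fpm_conf)
    return sorted(name for name, off in eff.items() if func not in off)

# Constructed sample data; pool names and function lists are hypothetical.
# Attempted override: proc_open stays in php.ini, one pool lists fewer functions.
OVERRIDE_INI = "exec,system,proc_open"
OVERRIDE_POOLS = """
[shared_user]
[trusted_user]
php_admin_value[disable_functions] = exec,system
"""
# Procedure from the thread: proc_open moved out of php.ini into every pool
# except the one that should keep it.
MOVED_INI = "exec,system"
MOVED_POOLS = """
[shared_user]
php_admin_value[disable_functions] = proc_open
[trusted_user]
; no proc_open entry here
"""

if __name__ == "__main__":
    print(pools_allowing("proc_open", OVERRIDE_INI, OVERRIDE_POOLS))
    print(pools_allowing("proc_open", MOVED_INI, MOVED_POOLS))
```

Run against real pool files, the same check shows which pools would be left without the restriction if a new pool is created after the function has been taken out of php.ini.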