Allow ini_set with Ruid2 + DSO + suEXEC?

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello!

I know this is a very recurring topic on the forum, but I researched a lot before posting.

Currently I see this alert in CSF:
ini_set-csf.png

My clients need to use ini_set. But it's a shared environment and I cannot leave any loophole that will overcome the security.

Of all the research in the forum, I did not find anything that answered my question. Or I did not fully understand.

Is it safe to allow ini_set with Ruid2 + DSO + suEXEC?
If not, what worries should I have?

I disabled the following functions in my php.ini:
Code:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
And I do not want anyone to be able to turn those functions on again.
Bearing in mind that someone can compromise the entire system if they have access to these functions.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,219
463
Hello,

This is discussed on the following thread:

disable ini_set, what are the risks?

You may also find this post helpful:

EA4 and securing PHP processes

Also, ensure you make modifications to the global php.ini files via:

"WHM Home » Software » MultiPHP INI Editor"

This will ensure the settings are saved to the correct locations.

Thank you.
 

Rodrigo Gomes

Hello @cPanelMichael,

Sorry for the ignorance on this subject, it's because it makes me very confused.

I read what you sent me, and I had even read it before creating this post and even then I still have questions.

Using ruid2 + DSO I protect the PHP processes, which run as the user. That way, is it safe to keep ini_set enabled?
If I set disable_functions in "MultiPHP INI Editor" is it impossible for someone to override/disable this rule?

Thank you!
 

cPanelMichael

Hello,

The use of DSO/Ruid2 isn't necessarily a protection against ini_set values configured by a user. Most of the discussion on this topic centers around performance issues (e.g. a script enables the use of more resources through a PHP setting). I recommend reviewing the following PHP document to get a better idea of what the ini_set function can do:

PHP: ini_set - Manual

Then, you can review the following documents to see which values are adjustable with ini_set:

PHP: List of php.ini directives - Manual
PHP: Where a configuration setting may be set - Manual

This is ultimately a system administration choice that's up to you. You may want to consult with a qualified system administrator or security expert to determine what would work best for your particular server.

Thank you.
 

Rodrigo Gomes

Hello Michael,

You helped me a lot, as always.

Even security experts need to learn somewhere, right?
I read a lot, did a lot of research and even then I was not able to be absolutely certain of my questions.

I did some testing and I was not able to override the disable_functions with ruid2 + DSO. That's nice! But even so I'm not 100% sure that anyone will not be able to do this.

But that's okay, let's just say that someone can overcome disable_functions:
In this case my client would be able to run binaries using functions like shell_exec, exec. However, as I use Ruid2+DSO on my server, I assume that my client's binary will run with its own user inside the jailshell protection, right?

Another question: is it safe to allow shell_exec, exec functions with jailshell enabled and Ruid2+DSO?
Or should it at least be considered safe?

Let me know if I'm too paranoid. :s
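
One way to repeat the test described in the last post, as an added example (not code from the thread or from cPanel): a PHP script, requested through the same handler the hosted sites use, that attempts the runtime override of disable_functions and prints the access level PHP reports for a few directives. The watch list, the helper name `access_label` and the output wording are choices made for this example; the PHP manual lists disable_functions as "php.ini only", so the override attempt is expected to fail.

```php
<?php
// Added example: place in a test account's docroot and request it over HTTP,
// so it runs under the same SAPI and user as customer code.
header('Content-Type: text/plain');

// 1. Attempt to clear disable_functions at runtime.
//    ini_set() returns false when the directive cannot be changed.
$before = (string) ini_get('disable_functions');
$result = @ini_set('disable_functions', '');
$after  = (string) ini_get('disable_functions');

printf("disable_functions: %s\n", $before === '' ? '(empty)' : $before);
printf("ini_set() returned: %s\n", var_export($result, true));
printf("runtime override:   %s\n\n",
    ($result === false && $before === $after) ? 'blocked' : 'CHANGED, investigate');

// 2. Report where each watched directive may be set, using the access
//    bitmask that ini_get_all() returns in its detailed form.
function access_label(int $access): string
{
    $parts = [];
    if ($access & INI_USER)   { $parts[] = 'INI_USER (ini_set allowed)'; }
    if ($access & INI_PERDIR) { $parts[] = 'INI_PERDIR (.htaccess / .user.ini)'; }
    if ($access & INI_SYSTEM) { $parts[] = 'INI_SYSTEM (php.ini / httpd.conf)'; }
    return implode(' | ', $parts);
}

// Watch list chosen for this example: the hardening directives plus two
// resource limits of the kind the thread mentions as a performance concern.
$watch = ['disable_functions', 'disable_classes', 'open_basedir',
          'memory_limit', 'max_execution_time'];

$all = ini_get_all(null, true);
foreach ($watch as $name) {
    if (!isset($all[$name])) {
        printf("%-20s not registered in this build\n", $name);
        continue;
    }
    printf("%-20s local=%-12s %s\n",
        $name,
        var_export($all[$name]['local_value'], true),
        access_label((int) $all[$name]['access']));
}
```

Directives that show INI_USER can be changed by any script regardless of the handler, which is why the resource limits deserve a look even when the override in step 1 is blocked.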