
Best practice php ini_set()

Discussion in 'Security' started by lorio, Oct 22, 2013.

  1. lorio

    To prevent overriding of a hardened php ini config you often disable the ini_set() function in php.

    The problem is then that certain WH, scripts will not work correctly.

    Is there a workaround or is a feature planned to allow the best of both worlds?

    Perhaps a php.ini for every account (not inside the home directory)? Or prevent Module Installers PEAR from using ini_set()?

    What's your opinion about the risk potential of ini_set()?
    Thanks for your time.
     
  2. quizknows

    I personally disallow ini_set() under disable_functions.

    If a user needs custom php.ini, I use SuPHP which allows them to have their own. You could make the php.ini file itself root owned if you're worried about the user editing it.

    In this case, what I do is:

    copy /usr/local/lib/php.ini to /home/$user/public_html/php.ini

    Add this code anywhere inside /home/$user/public_html/.htaccess

    Code:
    suPHP_ConfigPath /home/$user/public_html 
    <Files php.ini> 
    order allow,deny 
    deny from all 
    </Files>
    
    Again, if you leave the new php.ini owned as root, the user cannot edit it. If you want to let them edit it, chown it to them. Of course if they really wanted to be mean they could edit their .htaccess to specify another configpath, but you could also root own their .htaccess.

    If you don't use SuPHP, I'm sorry for the advice being worthless ;)
     
  3. quietFinn

    But they can delete it, and then create their own php.ini, which they can edit.
     
  4. quizknows

    Ouch. Forgot about that.

    chattr +i php.ini would be in order then, but a little bit overkill and probably not a good solution for a ton of accounts.
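
An audit of the setup discussed in the posts above, added here as an example and not posted by any participant in the thread: it checks one docroot for the conditions raised (root ownership, replaceability without `chattr +i`, and a `suPHP_ConfigPath` pointing elsewhere). The function name and finding labels are hypothetical; it assumes GNU `stat` and treats a missing or failing `lsattr` as "not immutable".

```bash
#!/usr/bin/env bash
# Added example: audit one docroot for the per-account php.ini setup.
# Prints one finding per line, nothing when every check passes.
# Finding labels are made up for this sketch. Needs GNU stat; lsattr optional.

audit_php_ini() (
    docroot="${1%/}"
    ini="$docroot/php.ini"
    ht="$docroot/.htaccess"

    [ -f "$ini" ] || { echo "MISSING_INI"; exit 0; }

    # A php.ini the account owns can simply be edited.
    [ "$(stat -c %u "$ini")" = "0" ] || echo "INI_NOT_ROOT_OWNED"

    # Unlinking needs write access to the directory, not the file, so a
    # root-owned php.ini in a user-owned docroot can be deleted and
    # recreated unless the immutable attribute (chattr +i) is set.
    attrs=$(lsattr -d "$ini" 2>/dev/null | awk '{print $1}')
    if [ "$(stat -c %u "$docroot")" != "0" ]; then
        case "$attrs" in
            *i*) ;;
            *) echo "INI_REPLACEABLE" ;;
        esac
    fi

    if [ -f "$ht" ]; then
        # Every suPHP_ConfigPath must point at the audited docroot.
        bad=$(awk -v want="$docroot" '
            tolower($1) == "suphp_configpath" {
                p = $2; gsub(/"/, "", p); sub(/\/$/, "", p)
                if (p != want) print p
            }' "$ht")
        [ -z "$bad" ] || echo "CONFIGPATH_ELSEWHERE $bad"
        [ "$(stat -c %u "$ht")" = "0" ] || echo "HTACCESS_NOT_ROOT_OWNED"
    fi
    exit 0
)

# Example run over all accounts (path layout taken from the thread):
# for d in /home/*/public_html; do audit_php_ini "$d" | sed "s|^|$d: |"; done
```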
     