Best practice php ini_set()

lorio

To prevent overriding of a hardened php ini config you often disable the ini_set() function in php.

The problem is then that certain WH, scripts will not work correctly.

Is there a workaround, or is a feature planned to allow the best of both worlds?

Perhaps a php.ini for every account (not inside the home directory)? Or prevent Module Installers PEAR from using ini_set()?

What's your opinion about the risk potential of ini_set()?
Thanks for your time.
 

quizknows

I personally disallow ini_set() under disable_functions.

If a user needs custom php.ini, I use SuPHP which allows them to have their own. You could make the php.ini file itself root owned if you're worried about the user editing it.

In this case, what I do is:

copy /usr/local/lib/php.ini to /home/$user/public_html/php.ini

Add this code anywhere inside /home/$user/public_html/.htaccess

Code:
suPHP_ConfigPath /home/$user/public_html 
<Files php.ini> 
order allow,deny 
deny from all 
</Files>
Again, if you leave the new php.ini owned by root, the user cannot edit it. If you want to let them edit it, chown it to them. Of course, if they really wanted to be mean they could edit their .htaccess to specify another config path, but you could also root-own their .htaccess.

If you don't use SuPHP, I'm sorry for advice being worthless ;)
 

quizknows

Ouch. Forgot about that.

chattr +i php.ini would be in order then, but a little bit overkill and probably not a good solution for a ton of accounts.
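
The following audit script is an added example, not part of any post in this thread. It reports who effectively controls a per-account php.ini or .htaccess. Removing or renaming a file depends on write access to its directory, so a root-owned file inside a directory the account owns is reported as REPLACEABLE unless the immutable flag from `chattr +i` is set. It assumes Linux with GNU stat and lsattr; the function names and verdict words are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit who controls a per-account config file.
# Assumes Linux with GNU stat and e2fsprogs lsattr; all names here are hypothetical.

# verdict OWNER DIR_OWNER IMMUTABLE(yes|no) ACCOUNT -> prints one verdict word
verdict() {
    if [ "$3" = yes ]; then
        echo IMMUTABLE      # chattr +i: the file cannot be edited, removed or renamed
    elif [ "$1" = "$4" ]; then
        echo EDITABLE       # the account owns the file and can rewrite it
    elif [ "$2" = "$4" ]; then
        echo REPLACEABLE    # the account owns the directory, so it can remove or
                            # rename the file and create its own copy in its place
    else
        echo OK
    fi
}

# audit_file FILE ACCOUNT -> prints "VERDICT FILE"
audit_file() {
    local file="$1" account="$2" owner dir_owner attrs immutable=no
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 0
    fi
    owner=$(stat -c '%U' -- "$file")
    dir_owner=$(stat -c '%U' -- "$(dirname -- "$file")")
    # lsattr prints the flag field first; it fails quietly on filesystems
    # without attribute support, which is treated as "not immutable".
    attrs=$(lsattr -d -- "$file" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in *i*) immutable=yes ;; esac
    echo "$(verdict "$owner" "$dir_owner" "$immutable" "$account") $file"
}

# Usage: sh audit.sh ACCOUNT FILE...
if [ "$#" -ge 2 ]; then
    account="$1"; shift
    for f in "$@"; do audit_file "$f" "$account"; done
fi
```

Run it as root with the account name followed by that account's php.ini and .htaccess paths; any line that does not start with OK or IMMUTABLE marks a file the account can still change.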