Best practice php ini_set()

lorio

Well-Known Member
Feb 25, 2004
298
14
168
cPanel Access Level
Root Administrator
To prevent overriding of a hardened php ini config you often disable the ini_set() function in php.

The problem is then that certain WH, scripts will not work correctly.

Is there a workaround or is a feature planed to allow best of both worlds.

Perhaps a php.ini for every account (not inside the homedirectory)?. Or prevent Module Installers PEAR to use ini_set()?

What's your opinion about the risk potential of ini_set()?
Thanks for your time.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
I personally disallow ini_set() under disable_functions.

If a user needs custom php.ini, I use SuPHP which allows them to have their own. You could make the php.ini file itself root owned if you're worried about the user editing it.

In this case, what I do is:

copy /usr/local/lib/php.ini to /home/$user/public_html/php.ini

Add this code anywhere inside /home/$user/public_html/.htaccess

Code:
suPHP_ConfigPath /home/$user/public_html 
<Files php.ini> 
order allow,deny 
deny from all 
</Files>
Again, if you leave the new php.ini owned as root, user cannot edit it. If you want to let them edit it, chown it to them. Of course if they really wanted to be mean they could edit their htaccess to specify another configpath, but you could also root own their .htaccess

If you don't use SuPHP, I'm sorry for advice being worthless ;)
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
Ouch. Forgot about that.

chattr +i php.ini would be in order then, but a little bit overkill and probably not a good solution for a ton of accounts.