Disable functions for a particular user in a PHP-FPM pool

Hello @Miguel G,

The entry in your /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file should look like this instead:

Code:

---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

Then, if you wanted to enable exec and shell_exec for an individual domain name that's using PHP-FPM, you would modify it's YAML file to look like this:

Code:

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

You'd then rebuild the PHP-FPM configuration files and restart the Apache PHP-FPM and Apache services:

Code:

/scripts/php_fpm_config --rebuild
/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

However, keep in mind disable_functions works differently compared to the standard PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM global configuration file or for an individual PHP-FPM pool, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

Code:

disable_functions = popen,proc_open

If you were to to setup a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, shell_exec, exec, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom global PHP-FPM configuration file, and modify individual PHP-FPM pools to differ from that custom value, you can't enable functions that are already disabled in the global php.ini configuration file.

Thank you.

 

Hello @Miguel G,

I've updated the post here to note the caveat for the disable_functions PHP option.

You can in-fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

Code:

# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP verson in WHM >> MultiPHP INI Editor >> Editor Mode:

Code:

disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

Thank you.

 

Hello @Miguel G,

I'd like to clarify some information to better explain how this works.

You can in-fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

Code:

# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP verson in WHM >> MultiPHP INI Editor >> Editor Mode:

Code:

disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

I've edited the previous post to reflect this information.

Thank you.