Disable functions for a particular user in a PHP-FPM pool

Miguel G

Well-Known Member
Jun 4, 2015
86
0
6
Spain
cPanel Access Level
Root Administrator
Twitter
I have version 68 (latest version)

I am trying to enable exec in a particular php-fpm pool account.

I have followed these instructions from this thread

Code:
vi  /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

php_admin_value_disable_functions =passthru,shell_exec,system

/scripts/php_fpm_config --rebuild domain=mydomain.com

and when I check with phpinfo I still see in disable_functions the exec function that is disabled server wide.

BTW, is it possible to be even more specific and say only to enable exec for a particular php script?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
Hello @Miguel G,

The entry in your /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file should look like this instead:

Code:
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

Then, if you wanted to enable exec and shell_exec for an individual domain name that's using PHP-FPM, you would modify its YAML file to look like this:

Code:
# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

You'd then rebuild the PHP-FPM configuration files and restart the Apache PHP-FPM and Apache services:

Code:
/scripts/php_fpm_config --rebuild
/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

However, keep in mind disable_functions works differently compared to the standard PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM global configuration file or for an individual PHP-FPM pool, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

Code:
disable_functions = popen,proc_open

If you were to set up a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, shell_exec, exec, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom global PHP-FPM configuration file, and modify individual PHP-FPM pools to differ from that custom value, you can't enable functions that are already disabled in the global php.ini configuration file.

Thank you.
 

Miguel G

I have to admit that I am quite disappointed here. The threads mentioned in my first message make one think this was feasible.

Also what is the purpose of selling that PHP-FPM lets you configure each pool differently when it's not?
 

cPanelMichael

Hello @Miguel G,

I've updated the post here to note the caveat for the disable_functions PHP option.

> Also what is the purpose of selling that PHP-FPM lets you configure each pool differently when it's not?

You can in fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

Code:
# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode:

Code:
disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

Thank you.
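
Added example (not part of the thread and not cPanel code): a small audit helper that models the layering described in the two replies above, where the php.ini list always applies, the per-domain YAML value replaces the pool default, and phpinfo reflects only the pool value. The function names and the embedded sample inputs are assumptions constructed from the values quoted in the thread.

```python
import re

# Constructed sample inputs, using the values quoted in the thread.
PHP_INI = "disable_functions = popen,proc_open\n"
DEFAULTS = ("---\nphp_admin_value_disable_functions: { name: "
            "'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }\n")
DOMAIN = ("---\n_is_present: 1\nphp_admin_value_disable_functions: { name: "
          "'php_admin_value[disable_functions]', value: passthru,system }\n")

# One-line mapping format used in the PHP-FPM YAML files shown in the thread.
_POOL = re.compile(r"^php_admin_value_disable_functions:\s*\{.*?\bvalue:\s*([^}]*)\}", re.M)
_INI = re.compile(r"^[ \t]*disable_functions[ \t]*=(.*)$", re.M)

def _names(csv):
    """Split a comma-separated function list into a set, ignoring blanks."""
    return {name.strip() for name in csv.split(",") if name.strip()}

def ini_disabled(php_ini_text):
    """Functions on the disable_functions line of the version's php.ini."""
    m = _INI.search(php_ini_text)
    return _names(m.group(1)) if m else set()

def pool_disabled(yaml_text):
    """Pool-level list, or None when the file does not set the directive."""
    m = _POOL.search(yaml_text or "")
    return _names(m.group(1)) if m else None

def audit(php_ini_text, defaults_yaml, domain_yaml=None):
    """Model the layering: php.ini is a floor, the domain value replaces the default."""
    ini = ini_disabled(php_ini_text)
    default = pool_disabled(defaults_yaml) or set()
    domain = pool_disabled(domain_yaml)
    pool = default if domain is None else domain
    return {
        "effective": ini | pool,               # functions PHP will actually refuse to run
        "shown_by_phpinfo": pool,              # phpinfo reflects the pool value only
        "hidden_from_phpinfo": ini - pool,     # disabled, but not visible in phpinfo
        "reenabled_for_domain": default - pool - ini,  # callable here, blocked by default
    }

if __name__ == "__main__":
    for key, value in audit(PHP_INI, DEFAULTS, DOMAIN).items():
        print(f"{key}: {sorted(value)}")
```

Because phpinfo can under-report, the "hidden_from_phpinfo" set is the one to review when a function stays blocked after a pool change.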
 

cPanelMichael

Hello @Miguel G,

I'd like to clarify some information to better explain how this works.

You can in fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

Code:
# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode:

Code:
disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

I've edited the previous post to reflect this information.

Thank you.
 

cyclesam

Registered
Jun 19, 2019
2
0
1
United Kingdom
cPanel Access Level
Root Administrator
I pasted the first line of the code you gave:
cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

and it says:

cat: /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml: No such file or directory

So where am I supposed to enter this code, as it clearly doesn't work on SSH?

Why are all the instructions to do with cPanel super vague? Why is it assumed newbies know where everything is? It's very frustrating.

How can we ever learn if there is no proper process for beginners?
 

cPanelMichael

> I pasted the first line of the code you gave:
> cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
>
> and it says:
>
> cat: /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml: No such file or directory

Hi @cyclesam,

You must create this file if it does not already exist. This is noted under step 4 of the following document:

How to Manage Your php.ini Directives with PHP-FPM - cPanel Knowledge Base - cPanel Documentation

  1. SSH in to the server.
  2. Create the /var/cpanel/ApachePHPFPM directory if it does not already exist.
  3. Create the /system_pool_defaults.yaml file.
EX:

Code:
# -p: do not fail if the directory already exists
mkdir -p /var/cpanel/ApachePHPFPM
touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Let me know if that helps.

Thank you.