Disable functions for a particular user in a PHP-FPM pool

[Miguel G]

I have version 68 (latest version)

I am trying to enable exec in a particular php-fpm pool account.

I have followed these instructions from this thread

vi  /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

php_admin_value_disable_functions =passthru,shell_exec,system

/scripts/php_fpm_config --rebuild domain=mydomain.com

and when I check with phpinfo I still see in disable_functions the exec function that is disabled server wide.

BTW, is it possible to be even more specific and say only to enable exec for a particular php script?

 

[cPanelMichael]

Hello @Miguel G,

The entry in your /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file should look like this instead:

---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

Then, if you wanted to enable exec and shell_exec for an individual domain name that's using PHP-FPM, you would modify it's YAML file to look like this:

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

You'd then rebuild the PHP-FPM configuration files and restart the Apache PHP-FPM and Apache services:

/scripts/php_fpm_config --rebuild
/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

However, keep in mind disable_functions works differently compared to the standard PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM global configuration file or for an individual PHP-FPM pool, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

disable_functions = popen,proc_open

If you were to to setup a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, shell_exec, exec, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom global PHP-FPM configuration file, and modify individual PHP-FPM pools to differ from that custom value, you can't enable functions that are already disabled in the global php.ini configuration file.

Thank you.

 

[Miguel G]

I have to admit that I am quite disappointed here. The threads mentioned in my first message make one to think this was feasible.

Also what is the purpose of selling that PHP-FPM lets you to configure each pool differently when it´s not?

 

[cPanelMichael]

Hello @Miguel G,

I've updated the post here to note the caveat for the disable_functions PHP option.

Also what is the purpose of selling that PHP-FPM lets you to configure each pool differently when it´s not?

You can in-fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP verson in WHM >> MultiPHP INI Editor >> Editor Mode:

disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

Thank you.

 

[cPanelMichael]

Hello @Miguel G,

I'd like to clarify some information to better explain how this works.

You can in-fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

# cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

# cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
---
_is_present: 1
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP verson in WHM >> MultiPHP INI Editor >> Editor Mode:

disable_functions =

If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

I've edited the previous post to reflect this information.

Thank you.

 

[cyclesam]

I pasted the first line of the code you gave:
cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

and it says:

cat: /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml: No such file or directory

So where am I supposed to enter this code, as it clearly doesn't work on SSH.

Why are all the instructions to do with Cpanel super vague, why is it assumed newbies know where everything is? It's very fustrating.

How can we ever learn if there is no proper process for begginers.

 

[cPanelMichael]

I pasted the first line of the code you gave:
cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

and it says:

cat: /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml: No such file or directory

Hi @cyclesam,

You must create this file if it does not already exist. This is noted under step 4 of the following document:

How to Manage Your php.ini Directives with PHP-FPM - cPanel Knowledge Base - cPanel Documentation

1. SSH in to the server.
2. Create the /var/cpanel/ApachePHPFPM directory if it does not already exist.
3. Create the /system_pool_defaults.yaml file.

EX:

mkdir /var/cpanel/ApachePHPFPM
touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Let me know if that helps.

Thank you.