Disable functions for a particular user in a PHP-FPM pool

Discussion in 'Security' started by Miguel G, Jun 26, 2018.

  1. Miguel G

    Miguel G Well-Known Member

    I have version 68 (latest version)

    I am trying to enable exec in a particular php-fpm pool account.

    I have followed these instructions from this thread

    Code:
    vi  /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
    
    php_admin_value_disable_functions =passthru,shell_exec,system
    
    /scripts/php_fpm_config --rebuild domain=mydomain.com

    and when I check with phpinfo I still see in disable_functions the exec function that is disabled server wide.

    BTW, is it possible to be even more specific and say only to enable exec for a particular php script?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @Miguel G,

    The entry in your /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file should look like this instead:

    Code:
    ---
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }

    Then, if you wanted to enable exec and shell_exec for an individual domain name that's using PHP-FPM, you would modify its YAML file to look like this:

    Code:
    # cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
    ---
    _is_present: 1
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

    You'd then rebuild the PHP-FPM configuration files and restart the Apache PHP-FPM and Apache services:

    Code:
    /scripts/php_fpm_config --rebuild
    /scripts/restartsrv_apache_php_fpm
    /scripts/restartsrv_httpd

    However, keep in mind disable_functions works differently compared to the standard PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM global configuration file or for an individual PHP-FPM pool, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

    Code:
    disable_functions = popen,proc_open

    If you were to set up a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, shell_exec, exec, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

    In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom global PHP-FPM configuration file, and modify individual PHP-FPM pools to differ from that custom value, you can't enable functions that are already disabled in the global php.ini configuration file.

    Thank you.
     
  3. Miguel G

    Miguel G Well-Known Member

    I have to admit that I am quite disappointed here. The threads mentioned in my first message make one think this was feasible.

    Also what is the purpose of selling that PHP-FPM lets you configure each pool differently when it's not?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @Miguel G,

    I've updated the post here to note the caveat for the disable_functions PHP option.

    You can in fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

    Code:
    # cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
    ---
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }
    
    # cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
    ---
    _is_present: 1
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

    In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

    Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode:

    Code:
    disable_functions =

    If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

    Thank you.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @Miguel G,

    I'd like to clarify some information to better explain how this works.

    You can in fact modify an individual domain's PHP-FPM configuration file in order to alter the disable_functions value that's defined in the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file. For example:

    Code:
    # cat /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
    ---
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }
    
    # cat /var/cpanel/userdata/username123/domain123.com.php-fpm.yaml
    ---
    _is_present: 1
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

    In the above example, "exec" and "shell_exec" are disabled functions globally with PHP-FPM, but are enabled for the individual domain name with the custom value in the individual YAML file.

    Note that this assumes the default blank value for "disable_functions" is configured for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode:

    Code:
    disable_functions =

    If "exec" were to be added to the above line for the associated PHP version in WHM >> MultiPHP INI Editor >> Editor Mode, then the behavior noted in my previous response would apply.

    I've edited the previous post to reflect this information.

    Thank you.
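
The layering described in this thread, as an added example (not code from cPanelMichael or cPanel): a Python audit that reads the text of php.ini, system_pool_defaults.yaml and a per-domain YAML and reports the effective disabled set and which functions an override really re-enables. The function names and the regex parsing are assumptions; the sample values are constructed from the ones quoted in the posts.

```python
import re

# Constructed samples using the values quoted in the thread.
INI = "disable_functions = popen,proc_open\n"
DEFAULTS = ("---\nphp_admin_value_disable_functions: { name: "
            "'php_admin_value[disable_functions]', value: passthru,exec,shell_exec,system }\n")
DOMAIN = ("---\n_is_present: 1\nphp_admin_value_disable_functions: { name: "
          "'php_admin_value[disable_functions]', value: passthru,system }\n")

# Captures the value list from the flow-mapping line used in the cPanel YAML files.
_POOL_RE = re.compile(
    r"^[ \t]*php_admin_value_disable_functions:[ \t]*\{.*?\bvalue:[ \t]*([^}]*)\}", re.M)
# [ \t]* rather than \s* so an empty "disable_functions =" cannot swallow the next line.
_INI_RE = re.compile(r"^[ \t]*disable_functions[ \t]*=[ \t]*(.*)$", re.M)


def _split(csv):
    names = (f.strip().strip("'\"") for f in csv.split(","))
    return {n for n in names if n}


def pool_value(yaml_text):
    """disable_functions set from a pool YAML, or None when the key is absent."""
    m = _POOL_RE.search(yaml_text or "")
    return _split(m.group(1)) if m else None


def ini_value(ini_text):
    m = _INI_RE.search(ini_text)
    return _split(m.group(1)) if m else set()


def audit(ini_text, defaults_yaml, domain_yaml=None):
    ini = ini_value(ini_text)
    default = pool_value(defaults_yaml) or set()
    domain = pool_value(domain_yaml)
    pool = default if domain is None else domain  # per-domain value replaces the default
    return {
        "phpinfo_shows": sorted(pool),             # phpinfo reports only the pool value
        "effective": sorted(ini | pool),           # php.ini entries are always added
        "re_enabled": sorted(default - pool - ini),
        "blocked_by_ini": sorted((default - pool) & ini),
    }


if __name__ == "__main__":
    for name, args in [("defaults only", (INI, DEFAULTS)),
                       ("domain override", ("disable_functions =\n", DEFAULTS, DOMAIN))]:
        print(name, audit(*args))
```

A non-empty `blocked_by_ini` means the per-domain file drops a function that php.ini still disables, which is the situation in the first post.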
     