disable ini_set, what are the risks?

bgarrant

Well-Known Member
Jun 27, 2012
78
10
8
cPanel Access Level
Root Administrator
I have a shared hosting server using latest cPanel. Works great but we have had ini_set enabled for years until now. It was recommended in several forums and by CSF to disable ini_set, but when we do it some sites have issues. I wish there was a safe way to just enable on a per site basis but I have not found one. Allowing a custom php.ini is also disabled for security.

So my question is what damage can ini_set really do on a shared host using suPHP? Is there any way to just allow ini_set on a few sites without allowing php.ini files pet site? Allowing php.ini seems like an even bigger security risk.

Any advice is greatly appreciated.
 
Last edited by a moderator:

iso99

Well-Known Member
Jan 5, 2011
112
7
68
cPanel Access Level
Root Administrator
I've worked with cPanel servers for years and I feel that ini_set is safe. Most CMSs use this function and it's actually convenient for users to have this enabled.

For better security, go with Cloudlinux to have important resources limited. You may also opt for the individual php.ini to be disabled, as posted by bgarrant. If you have trusted users that really need custom configuration, have them contact you and do it on your end instead: CloudLinux Documentation