disable ini_set, what are the risks?

Discussion in 'Security' started by bgarrant, Jan 28, 2015.

  1. bgarrant

    bgarrant Active Member

    I have a shared hosting server using the latest cPanel. Works great, but we have had ini_set enabled for years until now. It was recommended in several forums and by CSF to disable ini_set, but when we do it, some sites have issues. I wish there was a safe way to just enable it on a per-site basis, but I have not found one. Allowing a custom php.ini is also disabled for security.

    So my question is: what damage can ini_set really do on a shared host using suPHP? Is there any way to just allow ini_set on a few sites without allowing php.ini files per site? Allowing php.ini seems like an even bigger security risk.

    Any advice is greatly appreciated.
     
    #1 bgarrant, Jan 28, 2015
    Last edited by a moderator: Jan 28, 2015
  2. bgarrant

    bgarrant Active Member

  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. iso99

    iso99 Well-Known Member

    I've worked with cPanel servers for years and I feel that ini_set is safe. Most CMSs use this function and it's actually convenient for users to have this enabled.

    For better security, go with CloudLinux to have important resources limited. You may also opt for the individual php.ini to be disabled, as posted by bgarrant. If you have trusted users that really need custom configuration, have them contact you and do it on your end instead: CloudLinux Documentation
     