disable ini_set, what are the risks?

[bgarrant]

I have a shared hosting server using latest cPanel. Works great but we have had ini_set enabled for years until now. It was recommended in several forums and by CSF to disable ini_set, but when we do it some sites have issues. I wish there was a safe way to just enable on a per site basis but I have not found one. Allowing a custom php.ini is also disabled for security.

So my question is what damage can ini_set really do on a shared host using suPHP? Is there any way to just allow ini_set on a few sites without allowing php.ini files pet site? Allowing php.ini seems like an even bigger security risk.

Any advice is greatly appreciated.

 

[bgarrant]

I have setup the first option in this post to disable individual php.ini files.

http://forums.cpanel.net/f185/metho...ricting-who-can-use-php-ini-files-167186.html

Is it more of a risk to enable php.ini files or to enable ini_set globally on the server? I really just need ini_set on like 5 sites out of hundreds.

 

[cPanelMichael]

Hello

You may find the following similar thread helpful:

ini_set question

Thank you.

 

[iso99]

I've worked with cPanel servers for years and I feel that ini_set is safe. Most CMSs use this function and it's actually convenient for users to have this enabled.

For better security, go with Cloudlinux to have important resources limited. You may also opt for the individual php.ini to be disabled, as posted by bgarrant. If you have trusted users that really need custom configuration, have them contact you and do it on your end instead: CloudLinux Documentation