The Community Forums

Interact with an entire community of cPanel & WHM users!

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen

Discussion in 'General Discussion' started by chris8lunch, Sep 25, 2006.

  1. chris8lunch

    chris8lunch Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Hi, I'm using ConfigServer Security & Firewall - csf v2.33 and it suggests I edit /usr/local/lib/php.ini and add/change the following,

    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

    Can someone explain briefly what each function does? What's being disabled?

    Thanks!
     
  2. chris74108

    chris74108 Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    86
    Likes Received:
    0
    Trophy Points:
    6
    This is actually really good advice. You're basically disabling some stuff that makes it much easier to hack your server. Like anything, if you're not using it then there's no need to leave it for the world to take advantage of.
     
  3. chris74108

    chris74108 Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    86
    Likes Received:
    0
    Trophy Points:
    6
  4. chris8lunch

    chris8lunch Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Could someone please briefly explain what each function does?
     
  5. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Not too hard to imagine what this does...

    Executes an external program

    Executes a shell command

    shows config and var values

    returns a file pointer (opens file) -- proc is worse
     
  6. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Just turn on safe_mode; it basically takes care of all that.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Not really. There have been so many security holes discovered in php_openbasedir and safemode of late in php (some for which the php developers still haven't bothered releasing a new version to fix) it is still best to explicitly deny access to such functions.
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    The hardest thing to do is to find the right mix of tight security with php while not disabling things clients may need. You may need to experiment with different options.
     
  9. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    chirpy true, good point. open_base is useless as of php 4.4.4 so manually disabling the functions anyway is still good practice.

    dgbaker is also right, you might be turning off functions that clients need so be mindful of that
     
  10. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Just thought I'd chip in with something relevant ...

    If you want to find out what a given PHP function does, refer to the PHP documentation - you're not going to find a more thorough explanation. The PHP website search thingy lets you choose to search based on a function name - dead easy.
     
  11. oshs

    oshs Well-Known Member
    PartnerNOC

    Joined:
    Sep 5, 2004
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Hi guys,

    So what choice of PHP functions do you recommend should be disabled on a server running cPanel & Fantastico?
     
  12. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    The answer is given in responses 8 - dgbaker and 10 - webignition.
     
  13. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    A suggestion here, and the main reason why we use Apache 2, as do our hosting clients ...

    SuPHP allows the host to set up custom PHP.INI files for each account like phpSuExec, but unlike phpSuExec, it has to be done by the host and not by the user.

    If you are running SuPHP, you can use an insanely locked down PHP.INI for general default access, and for those accounts that have programs needing something a little bit looser, you can specify a custom PHP.INI that is a little bit less restrictive.

    Now to whoever said to "use safe_mode": that does NOT solve your security problems, and safe mode itself is known to have a serious number of issues.
     
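The two checks this thread keeps circling back to, as an added shell example that is not part of the thread and is not csf's or cPanel's code: post 1 asks whether the php.ini actually carries the whole recommended list (note that the thread title omits proc_open while the csf list in post 1 includes it), and post 13 describes handing looser per-account php.ini files to some accounts under SuPHP. The script parses the last uncommented disable_functions line of a php.ini, reports which recommended functions are still callable, and, assuming (as post 13 describes) that a per-account php.ini replaces the server-wide one rather than merging with it, lists which globally disabled functions a looser per-account file quietly re-enables. The two ini files are constructed samples; GNU sed and grep semantics are assumed.

```shell
#!/bin/sh
# Added example, not from this thread, csf or cPanel: audit the
# disable_functions directive of php.ini files.
# Assumptions: GNU sed/grep, and a per-account php.ini under SuPHP that
# REPLACES the server-wide file rather than merging with it (post 13).
# The two ini files written below are constructed samples, not server files.

# The list csf recommends in post 1 (the thread title omits proc_open,
# which is exactly the kind of drift this script is meant to catch).
RECOMMENDED="show_source system shell_exec passthru exec phpinfo popen proc_open"

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample of a server-wide php.ini carrying the title's list,
# i.e. without proc_open. Mixed case, a commented-out copy and a trailing
# comment are deliberate, because a real file may contain all three.
cat > "$SAMPLE_DIR/global.ini" <<'EOF'
[PHP]
; disable_functions = nothing   (commented out, must be ignored)
safe_mode = Off
disable_functions = show_source, SYSTEM, shell_exec, passthru, exec, phpinfo, popen  ; csf list
EOF

# Constructed sample of a looser per-account php.ini handed out under SuPHP.
cat > "$SAMPLE_DIR/account.ini" <<'EOF'
[PHP]
disable_functions = "system,exec"
EOF

# Print the effective disable_functions of one php.ini, one name per line,
# lowercased, trimmed and sorted. Only the last uncommented assignment
# counts, as in PHP itself; quotes and trailing ';' comments are stripped.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
        | tail -n 1 \
        | sed 's/;.*$//' \
        | tr -d '"' \
        | tr ',' '\n' \
        | tr '[:upper:]' '[:lower:]' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Recommended functions that the given php.ini still leaves callable.
missing_functions() {
    disabled=$(disabled_functions "$1")
    for f in $RECOMMENDED; do
        printf '%s\n' "$disabled" | grep -qx "$f" || echo "$f"
    done
}

# Functions disabled in the global php.ini ($1) that the per-account
# php.ini ($2) re-enables, because the override replaces the whole list.
reenabled_by_override() {
    g=$(mktemp); a=$(mktemp)
    disabled_functions "$1" > "$g"
    disabled_functions "$2" > "$a"
    grep -vxF -f "$a" "$g" || true   # names in global that account lacks
    rm -f "$g" "$a"
}

echo "== recommended functions still enabled in global php.ini =="
missing_functions "$SAMPLE_DIR/global.ini"
echo "== functions the per-account php.ini quietly re-enables =="
reenabled_by_override "$SAMPLE_DIR/global.ini" "$SAMPLE_DIR/account.ini"
```

On a real box, point it at the php.ini that PHP actually loads (`php --ini` shows which file that is) and confirm the result with `php -i | grep disable_functions`; editing a copy of php.ini that the web server's PHP never reads changes nothing.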
  14. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    It's funny how PHP's own safety functions can now be exploited, haha. What a wonderful language this is.
     