disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen

[chris8lunch]

Hi, I'm using ConfigServer Security & Firewall - csf v2.33 and it suggets I edit /usr/local/lib/php.ini and add/change the following,

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Can someone explain briefly what each function does? Whats being disabled?

Thanks!

 

[chris74108]

This is actually really good advise. Your basically disabling some stuff that makes it much easier to hack your server. Like anything if your not using it then no need to leave it for the world to take advantage of.

 

[chris74108]

http://www.eth0.us/php

 

[chris8lunch]

Could someone please briefly explain what each function does?

 

[mctDarren]

show_source

Not too hard to imagine what this does...

exec, system, passthru

Executes an external program

shell_exec

Executes a shell command

phpinfo

shows config and var values

popen, proc_open

returns a file pointer (opens file) -- proc is worse

 

[ramprage]

Just turn on safe_mode is basically takes care of all that.

 

[chirpy]

Just turn on safe_mode is basically takes care of all that.

Not really. There have been so many security holes discovered in php_openbasedir and safemode of late in php (some for which the php developers still haven't bothered releasing a new version to fix) it is still best to explicitly deny access to such functions.

 

[dgbaker]

The hardest thing to do is to find the right mix of tight security with php while not disabling things clients may need. You may need to experiment with different options.

 

[ramprage]

chirpy true, good point. open_base is useless as of php 4.4.4 so manually disabling the functions anyway is still good practice.

dgbaker is also right, you might be turning off functions that clients need so be mindful of that

 

[webignition]

Could someone please briefly explain what each function does?

Just thought I'd chip in with something relevant ...

If you want to find out what a given PHP function does, refer to the PHP documentation - you're not going to find a more thorough explanation. The PHP website search thingy lets you choose to search based on a function name - dead easy.

 

[oshs]

Hi guys,

So what choice of PHP functions do you recommend should be disabled on a server running Cpanel & Fantastisco?

 

[AndyReed]

So what choice of PHP functions do you recommend should be disabled on a server running Cpanel & Fantastisco?

The answer is given in responses 8 - dgbaker and 10 - webignition.

 

[Spiral]

The hardest thing to do is to find the right mix of tight security with php while not disabling things clients may need. You may need to experiment with different options.

A suggestion here and the main reason why we use Apache 2 as does our hosting clients ...

SuPHP allows the host to setup custom PHP.INI files for each account like phpSuExec
but unlike phpSuExec, it has to be done by the host and not by the user.

If you are running SuPHP, you can use an insanely locked down PHP.INI for generally
default access and for those accounts that have programs needing something a little
bit looser, you can specify a custom PHP.INI a little bit less restrictive.

Now to whoever said to "use safe_mode", that does NOT solve your security
problems and safe mode itself is known to have a serious number of issues.

 

[ramprage]

It's funny how PHP own safety functions can now be exploited haha what a wonderful language this is.