disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen

chris8lunch

Well-Known Member
May 27, 2006
Hi, I'm using ConfigServer Security & Firewall - csf v2.33 and it suggests I edit /usr/local/lib/php.ini and add/change the following:

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Can someone explain briefly what each function does? What's being disabled?

Thanks!
 

chris74108

Well-Known Member
Apr 30, 2004
This is actually really good advice. You're basically disabling some stuff that makes it much easier to hack your server. Like anything, if you're not using it then there's no need to leave it for the world to take advantage of.
 

mctDarren

Well-Known Member
Jan 6, 2004

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
ramprage said:
Just turn on safe_mode, it basically takes care of all that.
Not really. There have been so many security holes discovered in php_openbasedir and safemode of late in php (some for which the php developers still haven't bothered releasing a new version to fix) it is still best to explicitly deny access to such functions.
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
The hardest thing to do is to find the right mix of tight security with php while not disabling things clients may need. You may need to experiment with different options.
 

ramprage

Well-Known Member
Jul 21, 2002
chirpy: true, good point. open_base is useless as of php 4.4.4 so manually disabling the functions anyway is still good practice.

dgbaker is also right, you might be turning off functions that clients need, so be mindful of that.
 

webignition

Well-Known Member
Jan 22, 2005
chris8lunch said:
Could someone please briefly explain what each function does?
Just thought I'd chip in with something relevant ...

If you want to find out what a given PHP function does, refer to the PHP documentation - you're not going to find a more thorough explanation. The PHP website search thingy lets you choose to search based on a function name - dead easy.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
So what choice of PHP functions do you recommend should be disabled on a server running cPanel & Fantastico?
The answer is given in responses 8 - dgbaker and 10 - webignition.
 

Spiral

BANNED
Jun 24, 2005
The hardest thing to do is to find the right mix of tight security with php while not disabling things clients may need. You may need to experiment with different options.
A suggestion here and the main reason why we use Apache 2, as do our hosting clients ...

SuPHP allows the host to set up custom PHP.INI files for each account like phpSuExec
but unlike phpSuExec, it has to be done by the host and not by the user.

If you are running SuPHP, you can use an insanely locked down PHP.INI for generally
default access and for those accounts that have programs needing something a little
bit looser, you can specify a custom PHP.INI a little bit less restrictive.

Now to whoever said to "use safe_mode", that does NOT solve your security
problems and safe mode itself is known to have a serious number of issues.
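
Added example, not part of the thread and not csf's own code: a small Python check that reads php.ini text and reports which functions from the csf suggestion in the first post are still enabled, useful when some accounts get a looser per-account php.ini as described in the last post. The sample files and account labels are constructed, and the code assumes a later disable_functions line replaces an earlier one.

```python
import re

# Functions csf asks for in the first post of this thread.
RECOMMENDED = ["show_source", "system", "shell_exec", "passthru",
               "exec", "phpinfo", "popen", "proc_open"]

def disabled_functions(ini_text):
    """Return the set of names listed by disable_functions in php.ini text."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":        # comment or section header
            continue
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "disable_functions":
            # Drop a trailing ; comment and optional quotes.
            # Assumption: a later assignment replaces an earlier one.
            value = rest.split(";", 1)[0].strip().strip("\"'")
    return {name for name in re.split(r"[,\s]+", value) if name}

def missing(ini_text, recommended=RECOMMENDED):
    """Recommended functions that this php.ini leaves enabled, in list order."""
    have = disabled_functions(ini_text)
    return [name for name in recommended if name not in have]

def audit(ini_files):
    """Map each php.ini (label -> text) to the functions it fails to disable."""
    return {label: missing(text) for label, text in ini_files.items()}

# Constructed samples, labelled with hypothetical account names.
SAMPLES = {
    "server-default": "[PHP]\ndisable_functions = show_source, system, shell_exec, "
                      "passthru, exec, phpinfo, popen, proc_open\n",
    "account-looser": "; client needs exec for an image tool\n"
                      "disable_functions = \"show_source,system,shell_exec,"
                      "passthru,phpinfo,popen,proc_open\" ; exec allowed\n",
    "account-stale":  ";disable_functions = system\n"
                      "disable_functions = show_source, system, shell_exec, "
                      "passthru, exec, phpinfo, popen\n",
}

if __name__ == "__main__":
    for label, gaps in audit(SAMPLES).items():
        print(f"{label}: {'OK' if not gaps else 'still enabled: ' + ', '.join(gaps)}")
```
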