Enabling PHP-FPM forces disable_functions

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
WHM 60.0 (build 35)
PHP Version: ea-php71

When I enable PHP-FPM

pic001.jpg

When I disable PHP-FPM

pic002.jpg

Is there any way to enable PHP-FPM without disabling the following functions:

exec,passthru,shell_exec,system
 

sparek-3

Well-Known Member
Aug 10, 2002
1,985
219
343
cPanel Access Level
Root Administrator
I'm not entirely sure that cPanel's PHP-FPM adaption is ready for primetime.

You will want to read through:

PHP-FPM and EasyApache 4 - Documentation - cPanel Documentation

cPanel's PHP-FPM is adding those disabled functions by default. You can adjust this, system-wide by modifying/creating the file at:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Or you can set this per VirtualHost using the file:

/var/cpanel/userdata/[user]/[domain].php-fpm.yaml

and adjust the disable_functions for that specific pool.

All of this gets exceedingly complicated in a per VirtualHost pool setup. I have real reservations over whether cPanel's decision to use a per-VirtualHost FPM pool is the way to go. I think a per-user FPM pool would be a lot simplier. And the system for doing this is all a bit convoluted at this stage.

Perhaps the cPanel PHP-FPM system will all come together at some point. Perhaps a per-VirtualHost FPM pool will make more sense then. But the system as it stands right now, to me, leaves a bit to be desired.
 

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
cPanel's PHP-FPM is adding those disabled functions by default. You can adjust this, system-wide by modifying/creating the file at:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
Hi sparek-3,

Thank you for your help.

Sounds like I will need to create a folder called ApachePHPFPM located here:

/var/cpanel/ApachePHPFPM

Then create a file called:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Then in that file enter:

Code:
disable_functions =
Is this all correct?
 

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
I tried creating the file as I outlined in post #3, but that caused problems, when I switched to PHP-FPM is would no longer show my domain at the bottom of the page.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,985
219
343
cPanel Access Level
Root Administrator
I believe it should be:

Code:
---
php_admin_value_disable_functions = { present_ifdefault: 0 }
Keep in mind though, this is going to enable all functions for every account that uses PHP-FPM

Sorry, think my original post was wrong, I think this is right. I have edited this post.
 

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
I believe it should be:

Code:
---
php_admin_value_disable_functions = { present_ifdefault: 0 }
Keep in mind though, this is going to enable all functions for every account that uses PHP-FPM

Sorry, think my original post was wrong, I think this is right. I have edited this post.
When I put that code into the system_pool_defaults.yaml file and enabled PHP-FPM I got the following error when I reloaded my XenForo forum:

upload_2017-1-19_8-48-33.png
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
Hello,

The following document includes information on how to change the default configuration values with PHP-FPM on EA4:

PHP-FPM and EasyApache 4 - Documentation - cPanel Documentation

In particular, this is the file path to edit for a specific domain name:

Code:
/var/cpanel/userdata/[user]/[domain].php-fpm.yaml
Otherwise, review the paths under "Optional files" if you wish to to change the default parameters. Also, the following document provides information about how to formulate the custom entries:

Configurations Values of PHP-FPM - Documentation - cPanel Documentation

After making those changes to the YAML file on a specific domain name, run the following command:

Code:
/scripts/php_fpm_config --rebuild --domain=domain
This script is documented at:

The php_fpm_config Script - Documentation - cPanel Documentation

Thank you.
 
  • Like
Reactions: Del Drago

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
Hello,

The full path to the script is required in the command:

Code:
/scripts/php_fpm_config
Thanks!
 

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
Thank you, Michael.

So far so good, I ran the script and my server is still running.

upload_2017-1-20_10-2-13.png

Now I will need to make the changes to the .yaml

Code:
/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
and run the script again. I'm still not clear if the first line should have a --- or that was a mistake.

Code:
---
php_admin_value_disable_functions = { present_ifdefault: 0 }
 

AndyX

Well-Known Member
Sep 25, 2015
90
12
58
Los Altos, CA
cPanel Access Level
Root Administrator
I followed all the steps:

1) Created a ApachePHPFPM folder and system_pool_defaults.yaml file.

pic001.jpg

2) The system_pool_defaults.yaml file contains:

pic002.jpg

3) Ran the script:

/scripts/php_fpm_config --rebuild --domain=example.com

Of course instead of using example.com I used my domain.

4) Applied PHP-FPM

pic003.jpg

And the result is a server error when I try to view my server in the browser:

pic004.jpg

Looking at my error_log file I have many lines similar to this:

pic005.jpg
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
Hello,

Please revert any modifications you have made and let us know if the steps outlined below are helpful:

1. Create the /var/cpanel/ApachePHPFPM directory:

Code:
mkdir /var/cpanel/ApachePHPFPM
2. Create the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file:

Code:
touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
3. Edit /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml using your preferred text editor (e.g. vi, nano) so that it looks exactly like this:

Code:
---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }
In this example, "passthru,system" are left as disabled functions. No other lines exist before or after this entry in this file.

4. Regenerate the PHP-FPM configuration files via:

Code:
/scripts/php_fpm_config --rebuild
5. Restart the Apache PHP-FPM and Apache service:

Code:
/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd
Keep in mind disable_functions works differently compared to most other PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM configuration, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

Code:
disable_functions = popen,proc_open
If you were to to setup a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom PHP-FPM configuration file, and customize the disable_functions PHP value for individual PHP-FPM user pools, you can't enable functions for this option that are already disabled in the global php.ini configuration file.

Thank you.