PHP Disable Functions

[Bashed]

Hey folks,

What is everyone's recommended disable_functions setting in PHP (w/ suPHP enabled) on shared servers?

I'm currently using this:

passthru,exec,shell_exec,system,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,openlog,syslog,symlink,escapeshellarg,escapeshellcmd,dl,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_sock

I've read that these are all 'dangerous' too, is this too much?

    apache_child_terminate
    apache_setenv
    define_syslog_variables
    escapeshellarg
    escapeshellcmd
    eval
    exec
    fp
    fput
    ftp_connect
    ftp_exec
    ftp_get
    ftp_login
    ftp_nb_fput
    ftp_put
    ftp_raw
    ftp_rawlist
    highlight_file
    ini_alter
    ini_get_all
    ini_restore
    inject_code
    mysql_pconnect
    openlog
    passthru
    php_uname
    phpAds_remoteInfo
    phpAds_XmlRpc
    phpAds_xmlrpcDecode
    phpAds_xmlrpcEncode
    popen
    posix_getpwuid
    posix_kill
    posix_mkfifo
    posix_setpgid
    posix_setsid
    posix_setuid
    posix_setuid
    posix_uname
    proc_close
    proc_get_status
    proc_nice
    proc_open
    proc_terminate
    shell_exec
    syslog
    system
    xmlrpc_entity_decode

 

[quizknows]

Those all look about right. Worst case if a customer has issues with a legitimate application, get them their own php.ini with a different disable_functions.

 

[cPanelMichael]

Hello

You may want to monitor your error_log files within the accounts after disabling additional functions if you are concerned it will cause issues with the scripts installed for your accounts.

Thank you.