The Community Forums


php weakness...

Discussion in 'General Discussion' started by PCZero, Jan 16, 2015.

  1. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    Earth
    I do not think this is specifically a weakness of cPanel but rather a weakness of php itself, but I did want to see if anyone had any feedback...
    If a user sets a php.ini in their web root, it removes all of the function disables in the primary php.ini file. I have a user who added a php.ini with the following contents only.


    error_reporting = E_ALL & ~E_WARNING & ~E_NOTICE

    This allowed him to bypass the restrictions I have set in the master php.ini (I have disabled among other functions ini_set and phpinfo).

    I am not sure if there is a way to set things up so that users cannot override the master php.ini file but I find this to be an amazingly glaring weakness.
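
An audit for the behaviour described in the post above, as an added example that is not part of the original thread: it walks a tree of web roots, finds each user-supplied php.ini, and lists the functions from the master's `disable_functions` that the local file no longer disables. It assumes, as the post describes, that a local php.ini replaces the master file rather than merging with it; the paths, account names and helper names are constructed.

```python
import os
import re
import tempfile

# Directive names in php.ini are case sensitive; commented-out lines (";...") do not match.
DIRECTIVE = re.compile(r'^\s*disable_functions\s*=\s*(.*)$')

def disabled_functions(ini_path):
    """Return the functions named by disable_functions in one php.ini (last assignment wins)."""
    funcs = set()
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = DIRECTIVE.match(line)
            if m:
                value = m.group(1).split(";", 1)[0].strip().strip('"\'')
                funcs = {f.strip().lower() for f in value.split(",") if f.strip()}
    return funcs

def audit(master_ini, web_root):
    """List (path, lost) for each php.ini under web_root that drops master restrictions."""
    master = disabled_functions(master_ini)
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        if "php.ini" in files:
            local = os.path.join(dirpath, "php.ini")
            lost = sorted(master - disabled_functions(local))
            if lost:
                findings.append((local, lost))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a master php.ini and two accounts, one with the thread's one-line file."""
    master = os.path.join(root, "master-php.ini")
    with open(master, "w") as fh:
        fh.write("; constructed master\ndisable_functions = ini_set, phpinfo, shell_exec\n")
    samples = {
        "alice": "error_reporting = E_ALL & ~E_WARNING & ~E_NOTICE\n",
        "bob": 'disable_functions = "ini_set,phpinfo,shell_exec"\n',
    }
    for user, body in samples.items():
        docroot = os.path.join(root, "home", user, "public_html")
        os.makedirs(docroot)
        with open(os.path.join(docroot, "php.ini"), "w") as fh:
            fh.write(body)
    return master, os.path.join(root, "home")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        master, homes = build_sample(tmp)
        for path, lost in audit(master, homes):
            print(f"{path}: re-enables {', '.join(lost)}")
```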
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. PCZero

    PCZero Well-Known Member

  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sure thing, happy to help. :)
     
  5. PCZero

    PCZero Well-Known Member

    Wow there is a LOT to read there and by the dates in that thread much of it has the potential to be outdated. One or two of those posts by themselves are more than I can read and comprehend with my dyslexia. Is there a resource that gives me a clean and simple set of instructions on how to keep users from overriding this weakness as I am calling it? I THINK I read that the way to do this is use suPHP. Is that correct? If that is the case, do I have to be concerned with any side effects on existing php code? A LOT of my sites use php (most with MySQL) and I don't want to blindly make a change that might break existing code.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You picked the wrong business to be in. Lots of reading required.
    Last post, first page of that thread might be of some use to you:
    How can I protect php.ini with suPHP? - cPanel Forums

    More here:
    suPHP_ConfigPath - cPanel Forums

    More here:
    Methods to Increase Security on suPHP - Restricting who can use php.ini - cPanel Forums

    Not sure I'd call forcing errors a weakness.

    After all that, this might be helpful to you:
    Time Lapse HD Video 1080p with Sunsets, Clouds, Stars and Relaxing Music

    HTH!
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I do. I would if I was you.

    Maybe. Depending on file permissions I would think. I almost hate to say it, but reading up on the topic first might be best.
     
  8. PCZero

    PCZero Well-Known Member

    Thanks guy I'll give those a read in the morning when my eyes are fresh... BTW I was not necessarily calling forcing errors a weakness. What I consider a weakness is that the presence of a php.ini in the user's web root kills the restrictions that the server owner has established globally. I did get a chuckle out of the last suggestion!

    - - - Updated - - -

    I did go into my server and look to see how things are configured and I see that suPHP is already being used. So I am going to ASS-U-ME that (all) I need to do is deal with my lack of knowledge on how to use its features to accomplish what I want.
     
  9. PCZero

    PCZero Well-Known Member

    Infopro I am revisiting this topic to see if you know a way to accomplish the following...

    1) I have uncommented the three lines in the suPHP config file that restrict the use of custom php.ini files.
    2) Among other functions I have the shell_exec() disabled in disable_functions of the master php.ini file.
    3) I have one client who I want to allow to use the shell_exec() function.

    Q) Is there a way to have a client by client exception to the suPHP restrictions or some other way to allow this single client to use the shell_exec() function?
     