Control Web Panel

Title: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 12:52:58 PM
Hello,

I'm running PHP 7.4 as the main PHP version and PHP-CGI selector v2 with PHP versions 5.6 to 7.4. On my Invision Power installation I have a message to disable some dangerous PHP functions.

(https://i.imgur.com/xcF0ZMP.png)

All I have done is add disable_functions as a new record in the php.ini in the domain's control panel, with the PHP functions that are needed.

(https://i.imgur.com/CHj6yvI.png)

After that I still have the same message. From a search I found this article: http://wiki.centos-webpanel.com/how-to-disable-dangerous-php-functions but I don't want to disable any PHP function from all domains that use the same PHP version. 

What can I do to disable these PHP functions only for 1 domain?
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 25, 2021, 01:26:56 PM
Simple bit of debugging:
Temporarily create a phpinfo.php in the domain public_html and check which php.ini is being read.
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 01:33:21 PM
There is no value at disable_functions in my public_html phpinfo file and that is the weird thing

(https://i.imgur.com/lZ4bdPk.png)
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 01:36:56 PM
(https://i.imgur.com/JaTj07N.png)
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 25, 2021, 01:59:31 PM
user_ini.filename ?
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 02:01:30 PM
Yes, it exists in my public_html
php.ini and .user.ini with the same values.
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 25, 2021, 02:08:05 PM
Something peculiar to your setup. I normally use FPM these days but checked one client domain..
Apache/2.4.46
PHP Version 7.3.26
Configure Command    './configure' '--with-config-file-path=/usr/local/php' '--enable-cgi' '--with-config-file-scan-dir=/usr/local/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--enable-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-wddx' '--with-tidy' '--with-curl' '--with-iconv' '--with-gmp' '--with-pspell' '--with-gd' '--with-jpeg-dir=/usr' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-jis-conv' '--with-webp-dir=/usr' '--with-zlib-dir=/usr' '--with-xpm-dir=/usr' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-recode=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-xmlrpc' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-pcre-regex' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-icu-dir=/usr' '--enable-fpm'

Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /usr/local/php
Loaded Configuration File    /home/userdomain/public_html/php.ini
Scan this dir for additional .ini files    /usr/local/php/php.d
Additional .ini files parsed    /usr/local/php/php.d/ioncube.ini, /usr/local/php/php.d/mcrypt.ini

include_path   .:/usr/local/lib/php

user_ini.filename   .user.ini
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 02:13:03 PM
How can I change the Loaded Configuration File to be loaded from the domain's root folder?

I had also uncommented the value below because I have the .user.ini file with the same values as php.ini, but it seems not to work.

(https://i.imgur.com/g3w9aUb.png)
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 25, 2021, 02:24:43 PM
I have suggested to devs (on this forum) to change the wording of some of the menu items, as people are confused. They only partially took me up on my long lists of suggestions/corrections.  :-\

You appear to be confusing the two PHP instances.
/usr/local/php = system PHP (also used when PHP Selector is not used, AFAIK)
/opt/alt/phpXX = user domain PHP

My example is from a free CWP installation, with no multi-PHP. I'll try to get a later one for you.. Bloody server has gone into meltdown, trying to add your bleeding edge PHP 7.4.xx, whilst running horrible Magento!
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 25, 2021, 02:30:51 PM
OK, thank you! I think if I can change the path to php.ini to load from users' root folder it will work.
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 25, 2021, 02:57:00 PM
Crikey, that was fun!  :o
I had to be careful as this was on a heavily used live system but I have got this to work, by default and no messing about with config files. I was using a munin account (see my tutorial), so it complicated things due to having a different document root.
Results:
PHP Version 7.4.14
Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /opt/alt/php74/usr/php
Loaded Configuration File    /var/www/html/munin/php.ini
Scan this dir for additional .ini files    /opt/alt/php74/usr/php/php.d
Additional .ini files parsed    /opt/alt/php74/usr/php/php.d/imagick.ini, /opt/alt/php74/usr/php/php.d/ioncube.ini

memory_limit   192M  <- changed specific to this account
user_ini.filename   .user.ini  <- this is being ignored, as it should, as not PHP-FPM (Edit: after-thought)

Notes:
GUI PHP Editor writes to /home/munin/public_html/php.ini (and replicates to .user.ini in the same directory)
  It should actually write to the munin.conf Document Root /var/www/html/munin - copied it to the correct place
PHP Selector writes the AddHandler to .htaccess, also rather than the Document Root - manually copied over.
Restart Apache
 
Confirmed by adding:
disable_functions   exec, system, shell_exec
Restart Apache

 
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 12:25:54 PM
Where is the tutorial? There isn't any link. I switched to PHP-FPM from PHP-CGI and still can't figure out how php.ini or .user.ini can work for any account separately.
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 12:46:08 PM
Weird: didn't show up in a forum search for me! It's in "How To.."
http://forum.centos-webpanel.com/index.php?topic=10098.0
It was just to illustrate what you're trying to achieve but I recommend anyone/everyone to at least try munin - it has helped me analyse servers for many years. It beats sending out potentially sensitive information to 3rd parties (netstat) and doesn't consume resources like GoAccess.
It'll give you an opportunity to 'play' without affecting an end-user website. ;)

Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 01:06:59 PM
I do not understand, what should I do with munin in relation to my issue?
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 01:47:55 PM
I do not understand, what should I do with munin in relation to my issue?
"It was just to illustrate what you're trying to achieve.." "It'll give you an opportunity to 'play' without affecting an end-user website."
(Goes off to try another one of my servers, with 7.4.11 installed - this server is less used.)
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 02:02:37 PM
Thanks but I haven't any problem even if I break them all. I'm new to CWP and I'm working on a test server to learn more about CWP.

So, the point (I think) is how to change the php.ini configuration path to read php.ini or .user.ini from the user's root folder when I have PHP Selector v2 or PHP-FPM Selector activated with 2< PHP versions.

Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 02:05:04 PM
Steps/(Spoon-feeding).
1. Admin CWP, list Accounts, open panel for user (wait 20secs. or so)..
2. User CWP, PHP Selector
3. Select Domain, file browser should highlight/display public_html, by default.
4. Select PHP version alongside the above (PHP 7.4 Selector CGI), Apply
5. CWP Settings, Edit PHP.ini
6. Add a new Record, disable_functions, "shell_exec, exec, system" (no quotes), Add, Update changes
7. File Management, File Manager, create a phpinfo() PHP file in /home/username/public_html
8. Admin CWP (restart Apache)
9. Internet browser: website/phpinfo.php

Result.
PHP Version 7.4.11
Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /opt/alt/php74/usr/php
Loaded Configuration File    /home/webp/public_html/php.ini
Scan this dir for additional .ini files    /opt/alt/php74/usr/php/php.d
Additional .ini files parsed    /opt/alt/php74/usr/php/php.d/imagick.ini, /opt/alt/php74/usr/php/php.d/ioncube.ini, /opt/alt/php74/usr/php/php.d/mcrypt.ini, /opt/alt/php74/usr/php/php.d/redis.ini

disable_functions   exec, shell_exec, system

Notes:
You can't mix CGI & FPM within the same domain.
Selecting PHP-FPM, the editor changes .user.ini
Selecting PHP-CGI the editor changes php.ini and allows per directory settings.
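
A narrower alternative to the phpinfo() file in step 7, as an added example that is not part of the original thread: it reports which php.ini the vhost actually loaded and whether each function meant to be blocked is still callable. The file name df-check.php and the EXPECTED_DISABLED list are assumptions; it needs PHP 7.0 or later.

```php
<?php
// Added example, not from the thread. Save under a hypothetical name such as
// df-check.php in the domain's document root, request it once, then delete it.
// Requires PHP 7.0 or later.

// Functions this vhost is expected to block (the list used in the steps above).
const EXPECTED_DISABLED = ['exec', 'shell_exec', 'system'];

/** Split a disable_functions ini value into normalized function names. */
function parse_disable_functions(string $raw): array
{
    // Trim every entry so "exec,system" and "exec, system" compare the same.
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_unique(array_filter($names, 'strlen')));
}

/**
 * Report, per expected function, whether the ini value lists it and whether
 * it is still callable. function_exists() returns false for a built-in that
 * disable_functions has switched off.
 */
function audit(array $expected, array $listed): array
{
    $report = [];
    foreach ($expected as $fn) {
        $report[$fn] = [
            'listed'   => in_array($fn, $listed, true),
            'callable' => function_exists($fn),
        ];
    }
    return $report;
}

$listed = parse_disable_functions((string) ini_get('disable_functions'));

header('Content-Type: text/plain; charset=utf-8');
printf("Server API:        %s\n", PHP_SAPI);
printf("Loaded php.ini:    %s\n", php_ini_loaded_file() ?: '(none)');
printf("user_ini.filename: %s\n", ini_get('user_ini.filename') ?: '(not set)');
printf("disable_functions: %s\n\n", $listed ? implode(', ', $listed) : '(empty)');

$failed = false;
foreach (audit(EXPECTED_DISABLED, $listed) as $fn => $state) {
    $failed = $failed || $state['callable'];
    printf("%-12s listed=%-3s %s\n", $fn, $state['listed'] ? 'yes' : 'no',
        $state['callable'] ? 'STILL CALLABLE' : 'disabled');
}
echo $failed ? "\nFAIL: at least one function is still callable\n" : "\nOK\n";
```

disable_functions can only be set at php.ini level (or, under PHP-FPM, in the pool configuration), so a value that exists only in .user.ini is ignored and shows up here as listed=no.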
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 02:16:40 PM
I think that I've found precisely where your issue lies..

Using PHP-CGI, it's possible to alter the disable_functions
When using PHP-FPM (some) changes are reflected, example
Variable            Value      Default
memory_limit   192M   128M
It appears that others have a 'protected' status, not something that I've come across, and I suggest there'll be a global setting someplace to enable/disable this.

With a little internet searching (why do others have trouble with this?), it appears to also happen in cPanel etc.
It looks as though you'd need to mess about with the fpm pools.
https://grepitout.com/enabling-php-fpm-forces-disable_functions-cpanel/
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 02:21:09 PM
Steps/(Spoon-feeding).
1. Admin CWP, list Accounts, open panel for user (wait 20secs. or so)..
2. User CWP, PHP Selector
3. Select Domain, file browser should highlight/display public_html, by default.
4. Select PHP version alongside the above (PHP 7.4 Selector CGI), Apply
5. CWP Settings, Edit PHP.ini
6. Add a new Record, disable_functions, "shell_exec, exec, system" (no quotes), Add, Update changes
7. File Management, File Manager, create a phpinfo() PHP file in /home/username/public_html
8. Admin CWP (restart Apache)
9. Internet browser: website/phpinfo.php

Result.
PHP Version 7.4.11
Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /opt/alt/php74/usr/php
Loaded Configuration File    /home/webp/public_html/php.ini
Scan this dir for additional .ini files    /opt/alt/php74/usr/php/php.d
Additional .ini files parsed    /opt/alt/php74/usr/php/php.d/imagick.ini, /opt/alt/php74/usr/php/php.d/ioncube.ini, /opt/alt/php74/usr/php/php.d/mcrypt.ini, /opt/alt/php74/usr/php/php.d/redis.ini

disable_functions   exec, shell_exec, system

Notes:
You can't mix CGI & FPM within the same domain.
Selecting PHP-FPM, the editor changes .user.ini
Selecting PHP-CGI the editor changes php.ini and allows per directory settings.

Perfect, with these steps I can see in my phpinfo() that the paths are loaded from /opt/alt/php74/usr/php/... but the Loaded Configuration File hasn't changed to /home/my_domain/public_html/php.ini
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 02:33:16 PM
1. CWP Admin, Webserver Settings, Webservers Conf Editor, PHP-FPM
2. php-fpm74 tab
3. Edit a user account conf
4. Add to the bottom: php_admin_value[disable_functions] = shell, shell_exec, system
5. Restart/Reload Apache and PHP-FPM
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 02:38:03 PM
I'm currently using PHP-CGI and I see only PHP-FPM.
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 02:50:41 PM
I'm currently using PHP-CGI and I see only PHP-FPM.
If you are on the free CWP, then you'll only get FPM if you force Apache to use it system-wide. So best/easiest to ignore that option.
Now that I've spent time investigating the cause of the FPM "problem", I'll have a quick look around to see if I have a PHP 7.4 server on the free tier.

(Might eventually get back to kernel builds today, for my personal project. ;) )
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 02:53:32 PM
No, I'm running a CWPpro version with PHP-CGI and installed PHP versions from PHP Selector v2.
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 03:04:26 PM
Straight Apache, with no nginx/varnish?
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 03:04:53 PM
Yes
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 03:14:25 PM
Which brings us back full circle.  :-\
It has to be something peculiar to your setup - that's two CWP.Pro servers that I've checked this on and both work as expected.
A free CWP is currently updating to PHP7.4.11, so I'll take a quick look there but can't really offer much more, other than to suggest starting from scratch. You may have made a change somewhere that's screwing things up.

Edit:
Even using a free CWP and manually changing the php.ini file works..
Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /usr/local/php
Loaded Configuration File    /home/buck/public_html/php.ini
Scan this dir for additional .ini files    /usr/local/php/php.d
Additional .ini files parsed    /usr/local/php/php.d/ioncube.ini, /usr/local/php/php.d/mcrypt.ini

disable_functions   shell, shell_exec

(Note the space after the comma - gotta be worth checking? )
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 03:21:25 PM
OK, I will rebuild my server with a clean CentOS 7 and a fresh CWPpro installation without any modifications and I will try only to go with your steps and I will be back with the new results. Thanks for your help and time :)
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 03:23:07 PM
See my update above..  ;)
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 26, 2021, 03:27:51 PM
disable_functions   shell, shell_exec

(Note the space after the comma - gotta be worth checking? )
See my update above..  ;)

I already tried both, with space after comma and without space after comma with no luck... Time to go and install everything from scratch. Thanks again :)
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 26, 2021, 03:34:39 PM
Be sure to follow the official page on installation, plus the following;
Use LVM and separate /,/home,/var,/backup if possible.
Pre-install epel-release, followed by ccache.
Title: Re: PHP disable_functions for separated vhost
Post by: JoeDer on January 27, 2021, 03:19:36 PM
I reinstalled everything from scratch and the only way to add disable functions for 1 user is the below quoted steps with PHP-FPM.

I checked the PHP configuration settings again via the phpinfo() function and saw again that the path of the PHP Loaded Configuration File is /opt/alt/php-fpm74/usr/php/php.ini and not /home/user/public_html/php.ini, which means the extra new disable_functions record can't be read from the user's custom php.ini file.

I don't know what else to do to have the path of the PHP Loaded Configuration File point to the user home folder (/home/user/public_html/) where the custom php.ini file exists.

1. CWP Admin, Webserver Settings, Webservers Conf Editor, PHP-FPM
2. php-fpm74 tab
3. Edit a user account conf
4. Add to the bottom: php_admin_value[disable_functions] = shell, shell_exec, system
5. Restart/Reload Apache and PHP-FPM
Title: Re: PHP disable_functions for separated vhost
Post by: cinique on January 27, 2021, 06:49:02 PM
I've exhausted the ideas that I have, for now, short of providing you with a test VPS.  :-\