Author Topic: PHP disable_functions for separated vhost  (Read 16798 times)

0 Members and 3 Guests are viewing this topic.

Offline
*
PHP disable_functions for separated vhost
« on: January 25, 2021, 12:52:58 PM »
Hello,

I'm running PHP 7.4 as main PHP version and PHP-CGI selector v2 from PHP 5.6 to 7.4 versions, on my Invision Power installation I have a message to disable some dangerous PHP functions,



All I have done is to add in the domain's control panel the disable_functions as a new record in the php.ini and add the PHP functions that needed.



After that I still have the same message. From a search I found this article: http://wiki.centos-webpanel.com/how-to-disable-dangerous-php-functions but I don't want to disable any PHP function from all domains that use the same PHP version. 

What can I do to disable these PHP functions only for 1 domain?

Re: PHP disable_functions for separated vhost
« Reply #1 on: January 25, 2021, 01:26:56 PM »
Simple bit of debugging:
Temporarily create a phpinfo.php in the domain public_html and check which php.ini is being read.

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #2 on: January 25, 2021, 01:33:21 PM »
There is no value at disable_functions in my public_html phpinfo file and that is the weird thing


Offline
*
Re: PHP disable_functions for separated vhost
« Reply #3 on: January 25, 2021, 01:36:56 PM »

Re: PHP disable_functions for separated vhost
« Reply #4 on: January 25, 2021, 01:59:31 PM »
user_ini.filename ?

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #5 on: January 25, 2021, 02:01:30 PM »
Yes it exist in my public_html
php.ini and .user.ini with the same values.

Re: PHP disable_functions for separated vhost
« Reply #6 on: January 25, 2021, 02:08:05 PM »
Something peculiar to your setup. I normally use FPM these days but checked one client domain..
Apache/2.4.46
PHP Version 7.3.26
Configure Command    './configure' '--with-config-file-path=/usr/local/php' '--enable-cgi' '--with-config-file-scan-dir=/usr/local/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--enable-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-wddx' '--with-tidy' '--with-curl' '--with-iconv' '--with-gmp' '--with-pspell' '--with-gd' '--with-jpeg-dir=/usr' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--enable-gd-jis-conv' '--with-webp-dir=/usr' '--with-zlib-dir=/usr' '--with-xpm-dir=/usr' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-recode=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-xmlrpc' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-pcre-regex' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-icu-dir=/usr' '--enable-fpm'

Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /usr/local/php
Loaded Configuration File    /home/userdomain/public_html/php.ini
Scan this dir for additional .ini files    /usr/local/php/php.d
Additional .ini files parsed    /usr/local/php/php.d/ioncube.ini, /usr/local/php/php.d/mcrypt.ini

include_path   .:/usr/local/lib/php

user_ini.filename   .user.ini

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #7 on: January 25, 2021, 02:13:03 PM »
How can I change the Loaded Configuration File to loaded at the domain's root folder?

I had also un-comment the below value because I have the .user.ini file with the same values as php.ini but seems to not work.


Re: PHP disable_functions for separated vhost
« Reply #8 on: January 25, 2021, 02:24:43 PM »
I have suggested to devs (on this forum) to change the wording of some of the menu items, as people are confused. They only partially took me up on my long lists of suggestions/corrections.  :-\

You appear to be confusing the two PHP instances.
/usr/local/php = system PHP (also used when PHP Selector is not used, AFAIK)
/opt/alt/phpXX = user domain PHP

My example is from a free CWP installation, with no multi-PHP. I'll try to get a later one for you.. Bloody server has gone into meltdown, trying to add your bleeding edge PHP 7.4.xx, whilst running horrible Magento!
« Last Edit: January 25, 2021, 02:32:13 PM by cynique »

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #9 on: January 25, 2021, 02:30:51 PM »
OK, thank you! I think if I can change the path to php.ini to load from users' root folder it will work.

Re: PHP disable_functions for separated vhost
« Reply #10 on: January 25, 2021, 02:57:00 PM »
Crikey, that was fun!  :o
I had to be careful as this was on a heavily used live system but I have got this to work, by default and no messing about with config files. I was using a munin account (see my tutorial), so it complicated things due to having a different document root.
Results:
PHP Version 7.4.14
Server API    CGI/FastCGI
Virtual Directory Support    disabled
Configuration File (php.ini) Path    /opt/alt/php74/usr/php
Loaded Configuration File    /var/www/html/munin/php.ini
Scan this dir for additional .ini files    /opt/alt/php74/usr/php/php.d
Additional .ini files parsed    /opt/alt/php74/usr/php/php.d/imagick.ini, /opt/alt/php74/usr/php/php.d/ioncube.ini

memory_limit   192M  <- changed specific to this account
user_ini.filename   .user.ini  <- this is being ignored, as it should, as not PHP-FPM (Edit: after-thought)

Notes:
GUI PHP Editor writes to /home/munin/public_html/php.ini (and replicates to .user.ini in the same directory)
  It should actually write to the munin.conf Document Root /var/www/html/munin - copied it to the correct place
PHP Selector writes the AddHandler to .htaccess, also rather than the Document Root - manually copied over.
Restart Apache
 
Confirmed by adding:
disable_functions   exec, system, shell_exec
Restart Apache

 
« Last Edit: January 25, 2021, 03:07:39 PM by cynique »

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #11 on: January 26, 2021, 12:25:54 PM »
Where is the tutorial? Thare isn't any link. I switched to PHP-FPM from PHP-CGI and still can't figure how can work php.ini or .user.ini for any account separately.

Re: PHP disable_functions for separated vhost
« Reply #12 on: January 26, 2021, 12:46:08 PM »
Weird: didn't show up in a forum search for me! It's in "How To.."
http://forum.centos-webpanel.com/index.php?topic=10098.0
It was just to illustrate what you're trying to achieve but I recommend anyone/everyone to at least try munin - it has helped me analyse servers for many years. It beats sending out potentially sensitive information to 3rd parties (netstat) and doesn't consume resources like GoAccess.
It'll give you an opportunity to 'play' without affecting an end-user website. ;)

« Last Edit: January 26, 2021, 12:50:29 PM by cynique »

Offline
*
Re: PHP disable_functions for separated vhost
« Reply #13 on: January 26, 2021, 01:06:59 PM »
I do not understand, what should I do with munin in relation to my issue?

Re: PHP disable_functions for separated vhost
« Reply #14 on: January 26, 2021, 01:47:55 PM »
I do not understand, what should I do with munin in relation to my issue?
"It was just to illustrate what you're trying to achieve.." "It'll give you an opportunity to 'play' without affecting an end-user website."
(Goes off to try another one of my servers, with 7.4.11 installed - this server is less used.)
« Last Edit: January 26, 2021, 01:50:02 PM by cynique »