php_admin_value disable_functions not working

I'm trying to disable functions in my apache2 config file, but it's not working for some reason. I've verified that other php_admin_value settings ARE working, but it's just ignoring disable_functions.

Here's what I have:

<Directory "/var/www/testdir/*">
    php_admin_value open_basedir "/var/www/testdir"
    php_admin_value disable_functions "exec,shell_exec"
</Directory>

The open_basedir admin value is working as expected (cannot include '../something'), but yet, it will still exec ls -a .. or let me exec('ls -a ..', $output); echo $output; as if the disable_functions flag was not even set.

Any ideas on how to fix this?

Eva asked Oct 20 '13 01:10


3 Answers

disable_functions can only be changed in the php.ini file:

Name                Default Changeable          Changelog
disable_functions   ""      PHP_INI_SYSTEM only Available since PHP 4.0.1.

However, php_admin_value cannot be used in an .htaccess file.

Gumbo answered Oct 23 '22 11:10


I disagree with Gumbo. You can definitely modify disable_functions from the php.ini. BUT the caveat is you can NOT override what is already defined. You can only append to that array. For example, if your php.ini file had nothing for disable_functions, you could append:

php_admin_value[disable_functions] = link,symlink,popen,exec,system,shell_exec,show_source,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority

The flip side of that is that if your php.ini file had, say, popen disabled, you could not override it by use of php_admin_value.

I played with this for a bit on php 5.5.9, trying to get to the bottom of an issue. I tried overriding the php value for disable_functions. While phpinfo() showed the disable_functions line as empty after my override, none of the functions that were initially listed in the php.ini file were available.

For the record, my attempts were using php5-fpm and modifying the pool configuration.

john answered Oct 23 '22 12:10


As @john says in his answer above, you can only append to any already defined disable_functions value, not remove those already disabled. This becomes more complex with PHP-FPM, because of the way in which it sets the base value. There is, however, a solution, detailed by a CPanel Technical Support Community Manager here, but buried deep in a thread, for which reason I will set out the steps.

  1. Create the /var/cpanel/ApachePHPFPM directory:

    mkdir /var/cpanel/ApachePHPFPM

  2. Create the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file:

    touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

  3. Edit /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml using your preferred text editor (e.g. vi, nano) so that it looks exactly like this:

    ---
    php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

    (Note: yes, the --- line is intended. In this example, "passthru,system" are left as disabled functions. No other lines exist before or after this entry in this file.)

  4. Regenerate the PHP-FPM configuration files via:

    /scripts/php_fpm_config --rebuild

  5. Restart the Apache PHP-FPM and Apache service:

    /scripts/restartsrv_apache_php_fpm
    /scripts/restartsrv_httpd

Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

I can confirm that following the above steps allowed me to remove one of the pre-disabled functions (shell_exec).

Rich Harding answered Oct 23 '22 12:10
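Both john's and Rich Harding's answers note that phpinfo() (i.e. the INI value) can disagree with what the engine actually enforces once PHP-FPM merges php.ini and the pool override. The script below is an added verification check, not code from the thread: it compares a policy list of functions that must be disabled (a constructed sample list, REQUIRED_DISABLED) against both the INI string and function_exists(). It assumes it is run under the same SAPI/pool you configured (the CLI reads a different php.ini), and relies on PHP 8.0+ removing disabled functions from the function table so that function_exists() returns false for them.

```php
<?php
// Added verification script (not from the thread). Run it under the SAPI/pool
// whose configuration you want to audit; the CLI uses a separate php.ini.

/** Functions that policy says must be disabled. Constructed sample list. */
const REQUIRED_DISABLED = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

/**
 * Functions PHP reports as disabled through the INI value (what phpinfo() shows).
 * As the answers above describe, under PHP-FPM this may reflect only the pool's
 * own php_admin_value rather than the merged php.ini list, so it cannot be
 * trusted on its own.
 */
function ini_disabled(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

/**
 * Per-function report: listed in the INI string, still exposed by the engine,
 * and whether we consider it enforced. From PHP 8.0 a disabled function is
 * removed from the function table, so function_exists() is authoritative there.
 * On PHP 7 and earlier function_exists() still returns true for disabled
 * functions, so only the INI string (with its caveat above) is available.
 */
function audit(array $required): array
{
    $ini = array_flip(ini_disabled());
    $rows = [];
    foreach ($required as $fn) {
        $inIni    = isset($ini[$fn]);
        $exists   = function_exists($fn);
        $enforced = PHP_VERSION_ID >= 80000 ? !$exists : $inIni;
        $rows[$fn] = ['in_ini' => $inIni, 'function_exists' => $exists, 'enforced' => $enforced];
    }
    return $rows;
}

header('Content-Type: text/plain'); // harmless when run from the CLI
foreach (audit(REQUIRED_DISABLED) as $fn => $r) {
    printf("%-12s ini:%-3s function_exists:%-3s => %s\n", $fn,
        $r['in_ini'] ? 'yes' : 'no', $r['function_exists'] ? 'yes' : 'no',
        $r['enforced'] ? 'disabled' : 'STILL AVAILABLE');
}
```

A row that reads ini:no but function_exists:no is exactly the phpinfo() mismatch described in the answers: the pool override hides the php.ini entry from the INI string while the function stays disabled. Remove the script from the web root once the check is done.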