I'm obviously not the first one to have this problem, but I cannot find an answer to this situation.

I want to lock down PHP a bit, more specifically the use of disable_functions. The environment is CentOS 6.2/PHP 5.3.3 fcgid/Apache 2.2.15:

  1. What's the proper Apache config (AllowOverride, etc.) to prevent any PHP setting from being changed via .htaccess? All other overrides are OK (the current setting is AllowOverride All).

  2. What's the proper config to forbid effective use of disable_functions in all but the master php.ini (as in, forbid use of disable_functions in /home/myvhost/etc/php5/php.ini or any directory within that vhost's public_html; another way to say this: the only effective disable_functions comes from the master php.ini)?

  3. If #2 is not possible, at least what's the proper config to disallow a vhost owner from effectively using any php.ini but the vhost's main one (/home/myvhost/etc/php5/php.ini)?

Thanks

Gaia

1 Answer

  1. .htaccess only overrides PHP when mod_php is used, and doing so requires Options override permissions. In all other cases, you cannot directly override ini options from the .htaccess file, but with FileInfo you may be able to override the default FCGI handler to point to an alternate fcgi handler with a flag to tell PHP to use an alternate .ini file.

  2. I do not believe this is possible.

  3. Don't allow vhosts to override FileInfo.

FileInfo allows htaccess files to override AddHandler, SetHandler and Action for CGIs as well as FcgidWrapper for mod_fcgid.

DerfK
  • 1. Since it IS possible to specify individually which one of the Options CAN be overridden (but not which FileInfo), which one of the Options do I specifically need to block to make the "override the default FCGI handler to point to an alternate fcgi handler with a flag to tell php to use an alternate .ini file" case a no-no? – Gaia Jul 02 '12 at 00:03
  • Do I have this right? "Each vhost will *always* be able to control anything IF they have access to their vhost's main php.ini?" I am trying to simplify php.ini mgmt and I would like to have to edit only one file (since all vhosts have similar needs) – Gaia Jul 02 '12 at 00:05
  • @Gaia I took a closer look at the directives, and I think Options is ok, it's just FileInfo that is important. I've updated the answer with the specific FileInfo directives that can be used to change how scripts execute, or what constitutes a script. – DerfK Jul 02 '12 at 01:28
  • ok. thanks... so the question becomes: how do I allow FileInfo (nearly every webapp uses mod_rewrite) without allowing FcgidWrapper... I have a feeling the answer is not possible :( – Gaia Jul 02 '12 at 14:38
  • @Gaia At this point I'd say the thing to do is to just monitor your users' .htaccess files and look for alternate CGIs or wrappers that might be running `php -c /home/me/myphp.ini` or the like. – DerfK Jul 02 '12 at 15:09
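As an added example (not code from the question or the answer), a small POSIX shell script that implements the monitoring suggested in the last comment: it walks a directory tree for .htaccess files, reports the FileInfo-controlled directives the answer names (AddHandler, SetHandler, Action, FcgidWrapper) plus mod_php php_value/php_flag lines, and checks whether any FcgidWrapper target passes an alternate ini to PHP via `-c`/`-n` or `PHPRC`. The function names and the sample paths in the comments are assumptions, not part of any project.

```shell
#!/bin/sh
# Added example: audit .htaccess files for directives that change how PHP
# scripts run. Directive names come from the answer above; function names
# and paths are assumptions. Run as e.g.: count_suspicious /home

# Print "line:content" for every directive in one .htaccess file that can
# swap the PHP handler or override ini settings. A file with no matches is
# not an error, so grep's exit status 1 is swallowed.
scan_htaccess() {
    file="$1"
    grep -n -i -E \
      '^[[:space:]]*(AddHandler|SetHandler|Action|FcgidWrapper|FCGIWrapper|php_(admin_)?(value|flag))[[:space:]]' \
      "$file" || true
}

# Count suspicious directive lines across all .htaccess files under a root.
count_suspicious() {
    root="$1"
    find "$root" -name .htaccess -type f 2>/dev/null | while read -r f; do
        scan_htaccess "$f"
    done | wc -l | tr -d ' '
}

# For each FcgidWrapper target referenced in a file, report whether the
# wrapper script points PHP at an alternate ini file (php -c / -n, or the
# PHPRC environment variable), which is exactly the case the comment warns about.
check_wrappers() {
    file="$1"
    grep -i -E '^[[:space:]]*(FcgidWrapper|FCGIWrapper)[[:space:]]' "$file" \
      | awk '{print $2}' | while read -r wrapper; do
        [ -f "$wrapper" ] || continue
        if grep -q -E '(php[^ ]* +-[cn]|PHPRC=)' "$wrapper"; then
            echo "$file: wrapper $wrapper overrides php.ini"
        else
            echo "$file: wrapper $wrapper (no ini override found)"
        fi
    done
}
```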