forbid custom php config settings on apache 2.2 + mod_php server

Question

I have a server where php is running as an apache module.

Every user on the server is restricted to his own directory with open_basedir.

I have disabled the following functions:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

Now I'd like to forbid custom php config settings, such as:

memory_limit

max_execution_time

max_input_time

post_max_size

upload_max_filesize

How would you go about it?

ty

score 3 · Accepted Answer · edited Dec 31 '12 at 08:59

3

You can use the php_admin_value and php_admin_flag directives to hard code the values into your apache config, this will prevent both .htaccess and ini_set from overriding the values you set.

You can read about these directives in the PHP documentation

edited Dec 31 '12 at 08:59

Deer Hunter

1,070
7
17
25

answered Dec 31 '12 at 08:32

Richard Banks

71
4

Ah! Thanks SubOracle, I read that page but missed the "Any directive type set with php_admin_value can not be overridden by .htaccess or ini_set()". Do you reckon this will still be true even if there is "AllowOverride all" in my httpd.conf? Well I'll make a test myself asap and report back. – wlf Dec 31 '12 at 09:57
php_admin_value memory_limit 128M worked even with AllowOverride All – wlf Dec 31 '12 at 10:20

forbid custom php config settings on apache 2.2 + mod_php server

1 Answers1