2

I want to disable some functions on server to improve security of server. I followed these steps:

STEP: 1 Open php.ini file: vi /etc/php.ini

STEP: 2 Find disable_functions and set new list as follows: disable_functions= exec,passthru,shell_exec,system

STEP: 3 service httpd restart

With the help of above steps I am able to disable all the above functions. Now these functions are no longer available on server.

If I want to enable or disable these functions for particular directories then it is possible or not?

slm
  • 7,615
  • 16
  • 56
  • 76
Himanshu Matta
  • 77
  • 1
  • 2
  • 8
  • Look here http://stackoverflow.com/questions/14532987/disable-php-functions-within-htaccess – Guntis Apr 02 '13 at 08:40

2 Answers2

2

No its not possible to do that in a reliable way. As we stand, php does not provides an option to white-list certain directories for certain functions. A custom function could be written that allows for the execution of the "forbidden" functions in certain directories, but that means you have to allow them globally, and that will not stop programmers to access the forbidden functions directly.

The disable_functions setting is only available inside php.ini, any other way to try and overwrite it is not allowed(for example: ini_set or through apache configs).

So really you have 2 options, use it, or not, but there is no inbetween.

Source: http://php.net/manual/en/ini.core.php#ini.disable-functions

And in particular this:

This directive must be set in php.ini For example, you cannot set this in httpd.conf.

@slm That is one strategy but that doesn't keep them from escalating out side of the directory, so it would really be a facade and obscure way to do it. Even if that will work.

Alexander Meesters
  • 131
  • 4
  • are you 100% sure ?? Is there any alternate to achieve the same ?? – Himanshu Matta Apr 02 '13 at 12:37
  • 1
    Can you elaborate as to the reasons why? As it stands this answer may be correct but it doesn't provide any reasons as to why which would be helpful for the OP and others that may come across this answer in the future. – slm Apr 02 '13 at 12:55
  • I have two servers suppose server A and server B. I use server A to convert voice file into another format and then I send it to server B. I use exec function to convert voice file on server A. Now I want to disable exec function but if I do the same then I'll not be able to convert voice file into another format that's why I am asking is it possible to enable functions for particular directories? – Himanshu Matta Apr 02 '13 at 13:14
  • expanded my comment for a bit – Alexander Meesters Apr 02 '13 at 13:26
-1

I think you could turn this around and not disable the functions in your php.ini file but then disable them on a directory per directory basis in either a .htaccess file or your Apache httpd.conf file, if you're using Apache as your web server. Other web servers most likely offer this feature too.

According to this blog post, you can override php flag and value settings in php.ini in your .htaccess file.

For example you could do the following:

# .htaccess in directory X
php_value disable_functions exec,passthru,shell_exec,system

-or- to re-enable it:

# .htaccess in directory X
php_value disable_functions null

The above is untested by me so I'm not sure if it will work for you or not. Also I can understand some of the confusion around this facility in PHP. According to the PHP documentation it doesn't sound like the above is possible outside of the php.ini file.

disable_functions string

This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.

Only internal functions can be disabled using this directive. User-defined functions are unaffected.

This directive must be set in php.ini For example, you cannot set this in httpd.conf.

slm
  • 7,615
  • 16
  • 56
  • 76