php weakness...
I do not think this is specifically a weakness of cPanel but rather a weakness of php itself, but I did want to see if anyone had any feedback...
If a user sets a php.ini in their web root, it removes all of the function disables in the primary php.ini file. I have a user who added a php.ini with the following contents only.
error_reporting = E_ALL & ~E_WARNING & ~E_NOTICE
This allowed him to bypass the restrictions I have set in the master php.ini (I have disabled among other functions ini_set and phpinfo).
I am not sure if there is a way to set things up so that users cannot override the master php.ini file, but I find this to be an amazingly glaring weakness.
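An added example (not code from this thread or from cPanel) of auditing for the situation the first post describes. It assumes, as that post reports, that a php.ini in a user's directory replaces the master file entirely, and it lists which master-disabled functions each user php.ini no longer disables. The directory layout, account names and master disable_functions list are constructed for the demo.

```python
import os
import tempfile

def disabled_functions(ini_path):
    """Return the function names on the last disable_functions line of a php.ini."""
    names = set()
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split(";", 1)[0]            # drop ; comments
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "disable_functions":
                value = value.strip().strip("\"'")
                names = {f.strip().lower() for f in value.split(",") if f.strip()}
    return names

def audit(master_ini, web_root):
    """Map each php.ini under web_root to the master-disabled functions it omits."""
    master = disabled_functions(master_ini)
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        if "php.ini" in files:
            local = os.path.join(dirpath, "php.ini")
            lost = master - disabled_functions(local)
            if lost:
                findings[os.path.relpath(local, web_root)] = sorted(lost)
    return findings

def demo():
    """Build a constructed sample tree (hypothetical accounts) and audit it."""
    samples = {
        "master/php.ini": "[PHP]\ndisable_functions = ini_set, phpinfo, shell_exec\n",
        # The one-line file from the first post: no disable_functions at all.
        "home/user1/public_html/php.ini":
            "error_reporting = E_ALL & ~E_WARNING & ~E_NOTICE\n",
        # Repeats only part of the master list.
        "home/user2/public_html/php.ini": "disable_functions = \"phpinfo\" ; partial\n",
        # Repeats the full master list, so nothing is lost.
        "home/user3/public_html/php.ini":
            "disable_functions = shell_exec,phpinfo,ini_set\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, text in samples.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit(os.path.join(base, "master", "php.ini"), os.path.join(base, "home"))

if __name__ == "__main__":
    for ini, lost in sorted(demo().items()):
        print(f"{ini}: re-enabled -> {', '.join(lost)}")
```

On a real server, call audit() with the path of the master php.ini and the directory that holds the accounts.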
Documentation on that line of code may be helpful: error_reporting = E_ALL & ~E_WARNING & ~E_NOTICE
More: Predefined Constants - php.net
I believe there are more than a few threads on this topic of restricting the php.ini, you might have a look around for them. GL!
Thank you, I shall do as recommended.
Sure thing, happy to help. :)
Wow, there is a LOT to read there, and by the dates in that thread much of it has the potential to be outdated. One or two of those posts by themselves are more than I can read and comprehend with my dyslexia. Is there a resource that gives me a clean and simple set of instructions on how to keep users from overriding this weakness, as I am calling it? I THINK I read that the way to do this is to use suPHP. Is that correct? If that is the case, do I have to be concerned with any side effects on existing php code? A LOT of my sites use php (most with MySQL) and I don't want to blindly make a change that might break existing code.
You picked the wrong business to be in. Lots of reading required.
Last post, first page of that thread might be of some use to you: How can I protect php.ini with suPHP? - cPanel Forums
More here: suPHP_ConfigPath - cPanel Forums
More here: Methods to Increase Security on suPHP - Restricting who can use php.ini - cPanel Forums
Not sure I'd call forcing errors a weakness.
After all that, this might be helpful to you: Time Lapse HD Video 1080p with Sunsets, Clouds, Stars and Relaxing Music
HTH!
I read that the way to do this is to use suPHP. Is that correct?
I do. I would if I was you.
Do I have to be concerned with any side effects on existing php code? A LOT of my sites use php (most with MySQL) and I don't want to blindly make a change that might break existing code.
Maybe. Depending on file permissions I would think. I almost hate to say it, but reading up on the topic first might be best.
Thanks guy, I'll give those a read in the morning when my eyes are fresh... BTW I was not necessarily calling forcing errors a weakness. What I consider a weakness is that the presence of a php.ini in the user's web root kills the restrictions that the server owner has established globally. I did get a chuckle out of the last suggestion!
- - - Updated - - -
I did go into my server and look to see how things are configured and I see that suPHP is already being used. So I am going to ASS-U-ME that (all) I need to do is deal with my lack of knowledge on how to use its features to accomplish what I want.
Infopro, I am revisiting this topic to see if you know a way to accomplish the following...
1) I have uncommented the three lines in the suphp config file that restrict the use of custom php.ini files.
2) Among other functions, I have shell_exec() disabled in disable_functions of the master php.ini file.
3) I have one client who I want to allow to use the shell_exec() function.
Q) Is there a way to have a client-by-client exception to the suphp restrictions, or some other way to allow this single client to use the shell_exec() function?