We use cPanel and phpsuexec.
We disable functions inside the server's main php.ini.
I just noticed today that if a customer uploads an empty php.ini (or one with contents, but an empty one will work too) inside their public_html, NONE of the disabled functions are disabled any longer.
E.g. if you disable shell_exec, system, etc. inside your main php.ini and a customer uploads an empty php.ini to their space, they can use those functions.
I don't think this used to be the case, even with phpsuexec, and suspect it may be a bug/hole. Can someone confirm?
The reason I don't think this used to be like this is because I remember quite clearly that we tried enabling a disabled function for a customer, even trying a custom php.ini in the customer's root dir, but it never worked, i.e. functions which were disabled in the main php.ini COULD NOT be re-enabled on a per-customer basis. But now it seems this is possible ... ?!
And it's not just disable_functions that is reset/overridden when a customer uploads an empty php.ini: ALL of your php.ini settings are reset to the defaults or whatever the customer puts inside their php.ini, i.e. any restrictions you placed in the main server's php.ini are no longer applicable for this customer.
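A defensive audit for the behaviour described above, as an added example that is not part of the original post: it reads the server-wide php.ini, finds each account's php.ini under public_html, and reports which functions from the main disable_functions list that per-account file would re-enable. It treats a present user php.ini as fully replacing the main one (which is how PHP's CGI binary handles a php.ini in the script's working directory, so an empty file re-enables everything); the /home/*/public_html and /usr/local/lib/php.ini paths are the usual cPanel layout and are assumptions, and the sample ini contents are constructed.

```python
# Added example (not from the original post): audit which functions a user's
# php.ini would re-enable compared with the server-wide php.ini.
import glob
from typing import Dict, Set

def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, sections ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def disabled_functions(ini_text: str) -> Set[str]:
    """Names listed in disable_functions (empty set if the directive is absent)."""
    value = parse_ini(ini_text).get("disable_functions", "")
    return {name.strip() for name in value.split(",") if name.strip()}

def reenabled_by_override(main_ini: str, user_ini: str) -> Set[str]:
    """Functions disabled server-wide that become callable under the user's php.ini.

    Under CGI/suexec a php.ini in the script's working directory replaces the
    main file instead of merging with it, so an empty user file re-enables all.
    """
    return disabled_functions(main_ini) - disabled_functions(user_ini)

def audit_accounts(pattern: str = "/home/*/public_html/php.ini",
                   main_ini_path: str = "/usr/local/lib/php.ini") -> Dict[str, Set[str]]:
    """Per-account report; both paths are the usual cPanel layout (assumption)."""
    with open(main_ini_path) as fh:
        main_ini = fh.read()
    report: Dict[str, Set[str]] = {}
    for path in glob.glob(pattern):
        with open(path) as fh:
            report[path] = reenabled_by_override(main_ini, fh.read())
    return report

# Constructed sample inputs standing in for the real files.
MAIN_INI = 'disable_functions = "shell_exec, system, passthru, exec" ; locked down\n'
EMPTY_USER_INI = ""                                  # the customer's empty php.ini
PARTIAL_USER_INI = "disable_functions = system\n"    # customer keeps only one
```

Any non-empty set in the report means that account can call functions you disabled server-wide, so a cron job around audit_accounts() makes a cheap detection for this hole.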