Thread: Overriding php disables
-
07-15-2005, 05:35 PM #1 Web Hosting Master
Overriding php disables
I saw a post somewhere, now I can't find it, saying that features you disable in php.ini, like system, shell_exec, dl, etc., can be overridden with a .htaccess file or your own php.ini file (phpsuexec).
Anyway, is there any truth to this?
-
07-16-2005, 04:58 AM #2 Junior Guru Wannabe
I want it too.
http://www.webhostingtalk.com/showth...hreadid=424921
Safe mode settings can be overridden, but I don't know whether disabled functions can be.
-
07-16-2005, 08:16 AM #3 Web Hosting Master
You can run PHP as CGI, as explained in the Gallery FAQ: http://gallery.menalto.com/modules.p...q=yes&id_cat=2
But there's a difference:
the commands will be run by YOUR user, not Apache's user (that is usually the main reason people disable some functions).
Those commands could be run in Perl before anyway, so nothing to fear.
-
07-16-2005, 11:47 AM #4 Web Hosting Guru
Disable_functions and disable_classes instructions can only be set in php.ini (according to the PHP manual) and cannot be overridden or set in httpd.conf, hence not in .htaccess either.
In PHP-as-CGI, none of the PHP values can be set using .htaccess anyway. If the vhost's php.ini isn't owned by the vhost user and is properly chmodded, he can't edit it at all.
So whatever mode PHP runs in, there are always ways to lock that safely.
-
07-16-2005, 04:06 PM #5 Web Hosting Master
Originally posted by SupaDucta
Disable_functions and disable_classes instructions can only be set in php.ini (according to the PHP manual) and cannot be overridden or set in httpd.conf, hence not in .htaccess either.
In PHP-as-CGI, none of the PHP values can be set using .htaccess anyway. If the vhost's php.ini isn't owned by the vhost user and is properly chmodded, he can't edit it at all.
So whatever mode PHP runs in, there are always ways to lock that safely.
You can put the php.ini in the same folder as the php.cgi (you can choose this folder), then just configure it in the .htaccess (pointing to that folder).
-
07-16-2005, 06:07 PM #6 Web Hosting Master
Well, for example, with these features in the disable list in php.ini:
disable_functions = popen, exec, shell_exec, system
And phpsuexec enabled... I had thought I came across a thread where a user could override this using a php.ini file in place of a .htaccess file.
I realize there are ways to get around some of the side effects of phpsuexec, but the actual disable_functions? I would assume there's no way around it.
-
07-16-2005, 06:49 PM #7 Web Hosting Guru
wrong
you can put the php.ini in the same folder as the php.cgi (you can choose this folder) then just configure it in the .htaccess (pointing to that folder)
But if you have every vhost account in a chroot, and have every vhost's php.ini in /home/vhost/etc/, which is chmodded drwxr-xr-x and chowned to root:root? Can the vhost owner, i.e. a regular hosting user, do it then?
Last edited by SupaDucta; 07-16-2005 at 06:52 PM.
-
07-16-2005, 08:46 PM #8 Web Hosting Master
Originally posted by SupaDucta
Hm... didn't know that...
But if you have every vhost account in a chroot, and have every vhost's php.ini in /home/vhost/etc/, which is chmodded drwxr-xr-x and chowned to root:root? Can the vhost owner, i.e. a regular hosting user, do it then?
-
07-16-2005, 09:15 PM #9 Web Hosting Guru
There are only some dirs in the user's chroot that he doesn't own and can't delete or write to: /etc (with the per-vhost php.ini), /lib (with linked common libs etc.). He can write, mkdir etc. in his home dir, htdocs etc.
The server is configured to look for per-vhost php.ini files in /home/vhost/etc dirs, and users can't edit their php.ini files. This makes PHP settings fully safe, but a small drawback is that users have to ask us when any setting in php.ini needs to be edited, so we can edit it. On the other hand, this together with suPHP makes PHP really safe. No overrides until executed by us.
However, we are a very small host, with no large quantities of websites, and the need to edit php.ini files is really rare anyway.
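
A check for the layout described in the last post, added here as an example and not taken from the thread or from any poster's server: it assumes per-vhost files at <root>/<vhost>/etc/php.ini, and the function names and finding labels are made up for illustration. It flags a php.ini or etc/ directory that is not owned by the expected uid or is group/other writable, and a disable_functions line that lacks any of the four functions listed earlier in the thread.

```shell
#!/bin/sh
# Added example. Assumed layout, taken from the post: <root>/<vhost>/etc/php.ini
# REQUIRED is the disable_functions list quoted earlier in the thread.
REQUIRED="popen exec shell_exec system"

# Succeed if path $1 is owned by uid $2 and is not group- or other-writable.
# A symlink shows as lrwxrwxrwx in ls output, so it is reported as not locked.
locked() {
    info=$(ls -ldn "$1") || return 1
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$uid" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Succeed if every function in REQUIRED is listed in the file's disable_functions.
functions_disabled() {
    list=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
           tail -n 1 | tr -d ' \t"')
    for fn in $REQUIRED; do
        case ",$list," in
            *",$fn,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit every vhost under $1. $2 is the uid that must own etc/ and php.ini
# (default 0, root). Prints one line per finding; returns 1 if there were any.
audit_vhosts() {
    root=$1 want_uid=${2:-0} rc=0
    for dir in "$root"/*/etc; do
        [ -d "$dir" ] || continue
        ini=$dir/php.ini
        if [ ! -f "$ini" ]; then echo "MISSING $ini"; rc=1; continue; fi
        # A writable etc/ lets the user rename or replace a root-owned php.ini.
        locked "$dir" "$want_uid" || { echo "UNLOCKED_DIR $dir"; rc=1; }
        locked "$ini" "$want_uid" || { echo "UNLOCKED_INI $ini"; rc=1; }
        functions_disabled "$ini" || { echo "WEAK_DISABLE $ini"; rc=1; }
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_vhosts "$@"; fi
```

Run it as root with the directory that holds the vhost homes as the first argument; the second argument exists only so the check can be tried on fixtures owned by a non-root user.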