  1. #1
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379

    Overriding PHP disables

    I saw a post somewhere, and now I can't find it, saying that the functions you disable in php.ini (system, shell_exec, dl, etc.) can be overridden with a .htaccess file or your own php.ini file (phpsuexec).

    Anyway, is there any truth to this?

  2. #2
    Join Date
    Sep 2004
    Posts
    54
    I want to know this too.
    http://www.webhostingtalk.com/showth...hreadid=424921
    Safe mode settings can be overridden, but I don't know whether disable_functions can be.

  3. #3
    Join Date
    Feb 2004
    Posts
    1,269
    You can run PHP as CGI, as explained in the Gallery FAQ: http://gallery.menalto.com/modules.p...q=yes&id_cat=2

    But there's a difference:
    the commands will be run by YOUR user, not Apache's user (that is usually the main reason people disable some functions).
    Those commands could be run in Perl before anyway, so nothing to fear.

  4. #4
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    Disable_functions and disable_classes instructions can only be set in php.ini (according to the PHP manual) and cannot be overridden or set in httpd.conf, hence not in .htaccess either.

    In PHP-as-CGI, none of the PHP values can be set anyway using .htaccess. If vhost's php.ini isn't owned by vhost user and if it is properly chmodded, he can't edit it at all.

    So whatever mode PHP runs in, there are always ways to lock that safely.

  5. #5
    Join Date
    Feb 2004
    Posts
    1,269
    Originally posted by SupaDucta
    Disable_functions and disable_classes instructions can only be set in php.ini (according to the PHP manual) and cannot be overridden or set in httpd.conf, hence not in .htaccess either.

    In PHP-as-CGI, none of the PHP values can be set anyway using .htaccess. If vhost's php.ini isn't owned by vhost user and if it is properly chmodded, he can't edit it at all.

    So whatever mode PHP runs in, there are always ways to lock that safely.
    Wrong.
    You can put the php.ini in the same folder as the php.cgi (you can choose this folder), then just configure it in the .htaccess (pointing to that folder).

  6. #6
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    Well, for example, with these functions in the disable list in php.ini:

    disable_functions = popen, exec, shell_exec, system

    And phpsuexec enabled... I had thought I came across a thread where a user could override this using a php.ini file in place of a .htaccess file.

    I realize there are ways to get around some of the side effects of phpsuexec, but the actual disable_functions? I would assume there's no way around it.

  7. #7
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    Wrong.
    You can put the php.ini in the same folder as the php.cgi (you can choose this folder), then just configure it in the .htaccess (pointing to that folder).
    Hm... didn't know that...

    But if you have every vhost account in a chroot, and have every vhost's php.ini in /home/vhost/etc/ which is chmodded drwxr-xr-x and chowned to root:root? Can the vhost owner, i.e. a regular hosting user, do it then?
    Last edited by SupaDucta; 07-16-2005 at 06:52 PM.

  8. #8
    Join Date
    Feb 2004
    Posts
    1,269
    Originally posted by SupaDucta
    Hm... didn't know that...

    But if you have every vhost account in a chroot, and have every vhost's php.ini in /home/vhost/etc/ which is chmodded drwxr-xr-x and chowned to root:root? Can the vhost owner, i.e. a regular hosting user, do it then?
    Well, no... but how will the user upload his own files/dirs?

  9. #9
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    There are only some dirs in the user's chroot that he doesn't own and can't delete/write to - /etc (with the per-vhost php.ini), /lib (with linked common libs etc.). He can write, mkdir etc. in his home dir, htdocs etc.

    The server is configured to look for per-vhost php.ini files in /home/vhost/etc dirs, and users can't edit their php.ini files. This makes PHP settings fully safe, but a little drawback is that users have to ask us if any setting in php.ini needs to be edited so we can edit it. On the other hand, this together with suPHP makes PHP really safe. No overrides unless executed by us.

    However, we are a very small hosting company, with no large quantities of websites, and the need to edit php.ini files is really rare anyway.
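
A check for the layout described in the last post (root-owned `/home/vhost/etc/php.ini` that the hosting user cannot edit), as an added example that is not part of the thread. The function names are hypothetical, the expected owner defaults to uid 0, and the check on the vhost root itself is an addition the posts do not mention.

```shell
#!/bin/sh
# Audit a per-vhost php.ini layout such as /home/<vhost>/etc/php.ini.
# Usage (after sourcing this file): audit_vhost_ini /home/vhost [expected_uid]

# path_locked PATH UID
# Succeeds only if PATH exists, is not a symlink, is owned by UID,
# and is not writable by group or other.
path_locked() {
    _path=$1 _want=$2
    [ -e "$_path" ] && [ ! -L "$_path" ] || return 1
    # ls -ldn prints "<mode> <links> <uid> <gid> ..." with numeric ids.
    _line=$(ls -ldn -- "$_path") || return 1
    _mode=${_line%% *}
    _uid=$(printf '%s\n' "$_line" | awk '{print $3}')
    [ "$_uid" = "$_want" ] || return 1
    case $_mode in
        # 6th character = group write bit, 9th character = other write bit
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# audit_vhost_ini VHOST_ROOT [UID]
# Checks the vhost root, its etc/ directory and etc/php.ini.
# The vhost root is included (assumption beyond the thread) because whoever
# can write to a parent directory can rename a root-owned etc/ aside and
# create a replacement, regardless of the permissions on etc/ itself.
audit_vhost_ini() {
    root=$1 owner=${2:-0} rc=0
    for p in "$root" "$root/etc" "$root/etc/php.ini"; do
        if path_locked "$p" "$owner"; then
            echo "OK    $p"
        else
            echo "FAIL  $p (missing, symlink, wrong owner, or group/other-writable)"
            rc=1
        fi
    done
    return $rc
}
```

Run it for each vhost from a root cron job or a provisioning script; a non-zero return means at least one of the three paths can be changed by someone other than the expected owner.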
