PHP has a lot of functions which can be used to crack your server if they are not used properly. You can set a list of functions to disable in php.ini using the disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in the php.ini file; for example, you cannot set it in the httpd.conf file.
Open a terminal or log in to your server over an SSH session, then open the php.ini file:
# vi /etc/php.ini
Find disable_functions and set the new list as follows:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
I also recommend disabling allow_url_include and allow_url_fopen for security reasons:
allow_url_fopen = Off
allow_url_include = Off
Save and close the file. Restart the httpd server by typing the following command:
# service httpd restart
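After the restart, it is worth confirming that the running PHP actually picked up the new settings rather than some other php.ini. The following audit script is an added example, not part of the original article; it uses only standard PHP functions and the function names and directives listed above, and reports the effective configuration of whichever SAPI runs it (run it with the CLI and once through the web server, then delete it).

```php
<?php
// Added audit script (not from the original article). It checks the configuration
// that PHP really loaded, which is what matters when several php.ini files exist.
echo "Loaded php.ini: ", php_ini_loaded_file() ?: '(none)', "\n";

// The functions the article disables; edit this list to match your own php.ini.
$wanted = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
           'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];

// ini_get() returns the effective comma-separated list after all overrides.
$disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

// Two independent checks per function: is it in the disable list, and does PHP
// still see it as an existing function? function_exists() returns false for a
// disabled function, but also for one whose extension is simply not loaded
// (e.g. curl), so both columns are shown.
$report = [];
foreach ($wanted as $fn) {
    $report[$fn] = [
        'listed'   => in_array($fn, $disabled, true),
        'callable' => function_exists($fn),
    ];
}

printf("%-18s %-8s %s\n", 'function', 'listed', 'callable');
foreach ($report as $fn => $r) {
    printf("%-18s %-8s %s\n", $fn, $r['listed'] ? 'yes' : 'NO', $r['callable'] ? 'YES' : 'no');
}

// The two URL directives from the article. ini_get() returns "" or "0" when Off.
foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
    $on = filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
    printf("%-18s %s\n", $directive, $on ? 'ON (should be Off)' : 'off');
}

// disable_functions is a PHP_INI_SYSTEM directive: a script cannot re-enable the
// functions with ini_set(), which fails and returns false for it. Only php.ini
// (or the server's main configuration) can change the list.
$reenabled = ini_set('disable_functions', '');
echo "ini_set() could re-enable them: ", ($reenabled === false ? 'no' : 'YES'), "\n";
```

Any row showing "NO" under listed or "YES" under callable means the web server is not reading the php.ini you edited, or a per-directory override is in effect.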
See also:
- Linux: 25 PHP Security Best Practices For Sys Admins - A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.
18 comments:
This is not enough because you can always use “`”, which will bypass these limitations.
I guess if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.
Davide, you are wrong: “`” uses the shell_exec function, so if we disable shell_exec then “`” will be disabled too.
Why is “parse_ini_file” disabled?
You should make sure the user cannot override the setting using .htaccess or custom php.ini
show_source is an alias of highlight_file.
Why would you disable this function?
You can read the contents of a file with readfile() or file_get_contents :/
readfile() and file_get_contents() functions are subject to the open_basedir restriction.
Obviously you should set the open_basedir php setting to your docroot, so the scripts won’t be able to read files above docroot in your file system!
If I create a custom php.ini file, it would overwrite the disable_functions directive, so this is useless.
How can you overcome that???
“ubuntu lover”: Either you want to disable those functions or not. If you want to, you have to change php.ini: overwrite disable_functions and set a new list, or modify the existing one. I’m not sure why you think it makes it useless. Only the server admin can do that, and he will only disable the functions he wants by editing that list.
Also Eric says: “if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.” But again you can do that only on the server side.
These functions are easily bypassed with a CGI telnet Perl script!
So what’s the solution? To disable telnet?
=S
It did not work for me.
Hello, sorry, my English is not so good. My question: how can I enable exec on Linux? Thanks for the answers :-) Bye
Here is the list I use. Most scripts don’t use any of these functions anyway (except for chmod maybe, for a file management script or something).
exec, passthru, shell_exec, system, proc_open, posix_mkfifo, pg_lo_import, dbmopen, dbase_open, popen, chgrp, chown, chmod, symlink, pcntl_exec,
apache_child_terminate, apache_setenv, define_syslog_variables, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
posix_setuid, posix_uname, proc_close, pclose, proc_nice, proc_terminate, shell_exec
Only disabling those settings, is it enough? How about the following too?
IMO you should look at limitations in WordPress, not in PHP. It’s the program that is unsafe, not the language.
Best one I could find is this:
#Protect your website from Hacking using this php.ini By Mauritania Attacker