PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security

July 30, 2008 · 23 comments · Last updated May 19, 2013


I run a small Apache based web-server for my personal use, and it is shared with friends and family. However, most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec() and system() functions. How do I disable these functions to improve my PHP script security?

Tutorial details

  • Difficulty: Easy
  • Root privileges: Yes
  • Requirements: LAMP
  • Estimated completion time: N/A

PHP has many functions that can be used to compromise your server if they are not used properly. You can list the functions to disable in php.ini using the disable_functions directive. This directive lets you disable specific functions for security reasons; it takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in the php.ini file; for example, you cannot set it in the httpd.conf file.

Open a terminal or log in to your server over ssh, then open the php.ini file:
# vi /etc/php.ini
Find disable_functions and set the new list as follows:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
I also recommend disabling allow_url_include and allow_url_fopen for security reasons:

allow_url_fopen=Off
allow_url_include=Off

Save and close the file. Restart the httpd server by typing the following command:
# service httpd restart
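After restarting, it is worth confirming that the settings actually reached the PHP that serves your pages. The following script is an added example, not part of the original post; it reads the running configuration and reports which of the recommended settings are not in effect. The function and directive names are the ones from this post plus open_basedir (raised in the comments); everything else is assumed.

```php
<?php
// Added example, not from the original post: verify from inside PHP that the
// hardening described above is in effect. php.ini is only one source of
// configuration (per-directory php.ini, .user.ini and pool settings can
// override it), so check the values the running SAPI sees. Serve this file
// through the web server; the CLI usually loads a different php.ini.

// Functions the post recommends putting in disable_functions.
$mustBeDisabled = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open',
    'popen', 'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];
// Directives the post recommends switching Off.
$mustBeOff = ['allow_url_fopen', 'allow_url_include'];
$problems = [];

// disable_functions is a comma-delimited list; normalise spacing and case.
$disabled = array_map('strtolower', array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions')))));

foreach ($mustBeDisabled as $fn) {
    // function_exists() returns false for functions removed by
    // disable_functions, so it independently confirms the directive took effect.
    if (!in_array($fn, $disabled, true) && function_exists($fn)) {
        $problems[] = "$fn is still callable";
    }
}

foreach ($mustBeOff as $directive) {
    if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = "$directive is On";
    }
}

// open_basedir limits what readfile() and file_get_contents() can reach.
if ((string) ini_get('open_basedir') === '') {
    $problems[] = 'open_basedir is not set; scripts can read outside the docroot';
}

// disable_functions is PHP_INI_SYSTEM: ini_set() must refuse to change it (returns false).
if (function_exists('ini_set') && ini_set('disable_functions', '') !== false) {
    $problems[] = 'disable_functions could be changed at runtime';
}

header('Content-Type: text/plain');
echo 'SAPI: ', PHP_SAPI, PHP_EOL;
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
if ($problems === []) {
    echo 'OK: all recommended settings are in effect', PHP_EOL;
}
foreach ($problems as $p) {
    echo 'WARN: ', $p, PHP_EOL;
}
```

Remove the file from the web root once you have read its output, since it reveals configuration details.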

See also:

  • Linux: 25 PHP Security Best Practices For Sys Admins - A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.


1 Davide July 30, 2008 at 2:59 pm

This is not enough because you can always use “`”, which will bypass these limitations.

Reply

2 Eric Lin August 3, 2008 at 10:24 pm

I guess if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.

Reply

3 Experts November 10, 2008 at 12:21 pm

Davide, you are wrong: “`” uses the shell_exec function, so if we disable shell_exec then “`” will be disabled too.

Reply

4 Mir March 30, 2010 at 1:03 pm

Why is “parse_ini_file” disabled?

Reply

5 cliffsupport April 26, 2010 at 10:20 am

You should make sure the user cannot override the setting using .htaccess or custom php.ini

Reply

6 Lekensteyn May 12, 2010 at 10:55 am

show_source is an alias of highlight_file.
Why would you disable this function?
You can read the contents of a file with readfile() or file_get_contents :/

Reply

7 mica September 19, 2010 at 8:44 pm

readfile() and file_get_contents() functions are subject to the open_basedir restriction.
Obviously you should set the open_basedir php setting to your docroot, so the scripts won’t be able to read files above docroot in your file system!

Reply

8 ubuntu lover April 14, 2011 at 10:47 am

If I create a custom php.ini file, it would overwrite the disable_functions directive, so this is useless.
How can you overcome that???

Reply

9 Daniel Alexandre May 14, 2011 at 7:35 am

“ubuntu lover”: Either you want to disable those functions or not. If you want to, you have to change php.ini: overwrite disable_functions and set a new list, or modify the existing one. I’m not sure why you think it makes it useless. Only the server admin can do that, and he will only disable the functions he wants by editing that list.
Also Eric says: “if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.” But again you can do that only on the server side.

Reply

10 kishan December 10, 2011 at 5:42 am

These functions are easily bypassed with a CGI telnet Perl script!

Reply

11 anon January 28, 2012 at 12:35 pm

So what’s the solution? To disable telnet?

Reply

12 poncio March 30, 2012 at 7:29 am
13 xyz kr sin April 14, 2012 at 11:20 am

It did not work for me.

Reply

14 Michael Scherer April 27, 2012 at 1:13 pm

Hello, sorry my English is not so good. My question: how can I enable exec on Linux? Thanks for the answers :-) Bye

Reply

15 Rick July 26, 2012 at 1:23 pm

Here is the list I use. Most scripts don’t use any of these functions anyway (except for chmod maybe, for a file management script or something).

exec, passthru, shell_exec, system, proc_open, posix_mkfifo, pg_lo_import, dbmopen, dbase_open, popen, chgrp, chown, chmod, symlink, pcntl_exec,
apache_child_terminate, apache_setenv, define_syslog_variables, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
posix_setuid, posix_uname, proc_close, pclose, proc_nice, proc_terminate, shell_exec

Reply

16 tumi August 8, 2012 at 5:55 am

Only disabling those settings, is it enough? How about the following too?

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, phpinfo, gzinflate, fsockopen, pfsockopen

Reply

17 darius May 18, 2013 at 11:35 pm

IMO you should look for limitations in WordPress, not in PHP. It’s the program, not the language, that is unsafe.

Reply

18 John June 17, 2013 at 8:10 am

Best one I could find is this:

#Protect your website from Hacking using this php.ini By Mauritania Attacker

safe_mode = On
disable_functions = "ln, cat, popen, pclose, posix_getpwuid, posix_getgrgid, posix_kill, parse_perms, system, dl, passthru, exec, shell_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, escapeshellcmd, escapeshellarg, show_source, posix_mkfifo, mysql_list_dbs, get_current_user, getmyuid, pconnect, link, symlink, pcntl_exec, ini_alter, pfsockopen, leak, apache_child_terminate, posix_kill, posix_setpgid, posix_setsid, posix_setuid, proc_terminate, syslog, fpassthru, stream_select, socket_select, socket_create, socket_create_listen, socket_create_pair, socket_listen, socket_accept, socket_bind, socket_strerror, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, openlog, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, chmod, file_upload, delete, deleted, edit, fwrite, cmd, rename, unlink, mkdir, mv, touch, cp, cd, pico"
safe_mode_gid = On
open_basedir = On
register_globals = Off
exec = Off
shell_exec = Off
allow_url_fopen = Off
allow_url_include = Off

Reply

19 sachin karma July 10, 2013 at 10:39 am

Hello Experts,
I have a problem: I have installed MySQL and LAMP on my Fedora Linux.
I have configured phpMyAdmin also, so that it can connect to the MySQL socket.
All works with http://localhost/ and http://localhost/phpmyadmin in the browser …
but when I tried running my db.php file, which contains the following,

it gives me errors:
Warning: mysql_connect(): No such file or directory in /opt/lampp/htdocs/hellophp/index.php on line 2
No such file or directory

This works fine on my Windows but not on Linux, although all configuration of lampp is fine. Help

Reply

20 sachin karma July 10, 2013 at 10:40 am

Here is my code:

<?php
mysql_connect("localhost:3306", "root", "sach") or die(mysql_error());
mysql_select_db("sample") or die(mysql_error());

Reply

21 sachin karma July 10, 2013 at 10:41 am

I have tried removing 3306, still not working.
Same problem:
Warning: mysql_connect(): No such file or directory in /opt/lampp/htdocs/hellophp/index.php on line 2

Reply

22 Michael December 28, 2013 at 7:42 pm

This article is laughable at best. Sure, the functions mentioned can be used to exploit security issues, but if your server is properly configured, you shouldn’t need to do so.

exec, passthru, shell_exec, system, proc_open and popen are all dependent on server permissions. If your server is configured properly, the user accounts should not be able to do anything dangerous with these.

curl_exec and curl_multi_exec are both quite useful. I don’t see how these can be dangerous.

parse_ini_file and show_source are both completely harmless. I highly recommend you read up on what these do before you go blindly recommending people disable them.

Reply

23 Tapan Bhanot March 5, 2014 at 3:43 pm

I use this list:

apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, syslog, system, xmlrpc_entity_decode, ini_set

Works fine.

Thanks.

Reply
