0

I'm already using open_basedir to restrict a VirtualHost to a certain directory:

<VirtualHost *:80>
  ServerName test.example.com
  DocumentRoot /sites/test/www
  php_admin_value "open_basedir" "/sites/test/www"
  <Directory />
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

How to disable the use of ini_set or exec, but only for this particular VirtualHost (and not for the others)?

Basj
  • 41,386
  • 99
  • 383
  • 673
  • This `` is dangerous. You just applied those access rights to your whole disk, not just the VH's DocumentRoot – RiggsFolly Jun 26 '20 at 09:48
  • `` – RiggsFolly Jun 26 '20 at 09:53
  • https://www.php.net/manual/en/ini.core.php#ini.disable-functions - changeable mode for that is `PHP_INI_SYSTEM`, meaning it can be set in the php.ini or httpd.conf. – CBroe Jun 26 '20 at 09:55
  • @CBroe I read the contrary on your linked page: *This directive must be set in php.ini For example, you cannot set this in httpd.conf.* Are you sure? – Basj Jun 26 '20 at 09:57
  • @CBroe The problem is: I want to disable functions such as `set_ini` but only for one VirtualHost. – Basj Jun 26 '20 at 09:57
  • @RiggsFolly Thanks for this information! – Basj Jun 26 '20 at 09:57
  • And? Your VHost configuration is part of the httpd.conf. – CBroe Jun 26 '20 at 10:05
  • @CBroe I mean: there's surely something I don't understand because you say in your previous comment "it *can* be set in the php.ini or httpd.conf" whereas the doc says "For example, you *cannot* set this in httpd.conf". Maybe you're using another way to set it, could you post an answer about this? – Basj Jun 26 '20 at 10:12
  • Ah, sorry, I was referring to the general description for `PHP_INI_SYSTEM`, but apparently this directive has an additional limitation, that `PHP_INI_SYSTEM only` in the table on top of the page was supposed to convey. Using a custom php.ini is possible if you have PHP embedded into the web server via one of the FastCGI variants though (https://stackoverflow.com/a/22310390/1427878), not sure about it if you are using the Apache module. – CBroe Jun 26 '20 at 10:17

1 Answers1

1

You're looking for the disable_functions entry in your php.ini. So you want a different php.ini for your particular VirtualHost. That could be done via "PHPINIDir"

<virtualhost *:80>
    ServerName www.example.com
    DocumentRoot /path/to/example.com
    PHPINIDir /whatever/path/to/php.ini
</virtualhost>

UPDATE: I removed the example with php_admin_value because, as others have noted in the comments, it wouldn't work with this particular setting. As was discussed here: php_admin_value disable_functions not working ( sorry ... should have looked it up beforehand).

Daniel Heinrich
  • 790
  • 4
  • 12
  • 1
    What has `file_uploads` got to do with the question? – RiggsFolly Jun 26 '20 at 10:00
  • And if you are just going to copy info from another source it can be done with a link in a comment – RiggsFolly Jun 26 '20 at 10:01
  • @RiggsFolly Do you think it would be correct if we adapt `file_uploads` with `disable_functions`? – Basj Jun 26 '20 at 10:04
  • @RiggsFolly : I did it, because I can't guarantee it will always be online. And the shown code is just an example, how to set a php ini value via this method. OP will be smart enough to adapt it to his needs. And I didn't paste it as a comment because I wanted to format it correctly. – Daniel Heinrich Jun 26 '20 at 10:09
  • **FROM MANUAL** `disable_functions` ___This directive must be set in php.ini For example, you cannot set this in httpd.conf.___ – RiggsFolly Jun 26 '20 at 10:11
  • @RiggsFolly Does this mean there's no way to disable `ini_set` for a particular VirtualHost, and allow it for others? – Basj Jun 26 '20 at 10:13
  • I am not completely sure, thats why I didn't post a guess – RiggsFolly Jun 26 '20 at 10:15
  • 1
    If it HAS to be written into the php.ini, PHPINIDir is your friend – Daniel Heinrich Jun 26 '20 at 10:17
  • @DanielHeinrich Your second code snippet with PHPIniDir seems ok, but could you edit the first one to show how to do it with "php_admin_value" and "disable_functions"? – Basj Jun 26 '20 at 11:05
  • 1
    Ok. Changed it. – Daniel Heinrich Jun 26 '20 at 11:15
  • @DanielHeinrich When using `PHPINIDir /whatever/path/to/php.ini`, how is it possible to the keep the content of the usual "php.ini" + add the additional lines that are in `/whatever/path/to/php.ini`? (i.e. combine the 2 php.ini) – Basj Jun 26 '20 at 12:10
  • As far as I know (meaning: could be wrong) you have to copy the content of your original ini file into the new one since PHP.ini doesn't support something like an include directive to load additional ini files... – Daniel Heinrich Jun 26 '20 at 12:14