disable_functions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Termina
Forum Newbie
Posts: 18
Joined: Sat Apr 10, 2004 11:17 pm

Post by Termina »

Probably getting sick of me by now, eh? :P

I've added the following line in php.ini:
disable_functions = exec,shell_exec,dir,readfile,dl,passthru,popen,chown,phpinfo,chown,system

I do this because

A) Permission setup. All users are part of the group users. All folders/files in /home are 705.

B) PHP runs as an 'other' (if it didn't, no user could use PHP scripts).

C) Since PHP can read users' scripts, other users can abuse the above commands to view (and possibly change!) a user's files. Bad stuff.

What I would like to do is this:
Keep those functions disabled, but allow the PHP files in a certain directory (mainly my htdocs directory, not writable by anyone but root and nobody) to use the disabled functions.

Is there a way to do this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

notice:

disable_functions	""	php.ini only
Termina
Forum Newbie
Posts: 18
Joined: Sat Apr 10, 2004 11:17 pm

Post by Termina »

Damn, nothing in that list that looks like it would do that. =/
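
An added example, not code from any poster in this thread: a PHP script that audits the effective disable_functions value against the list quoted in the first post and confirms that a script cannot override the directive at runtime, which is what "php.ini only" means in practice. The function names parseDisabled and auditDisabled are made up for this example, and it assumes PHP 7.4 or later with ini_get available.

```php
<?php
// Added example: audit the effective disable_functions setting at runtime.
// REQUIRED is the list from the php.ini line quoted in the thread (deduplicated).
const REQUIRED = ['exec', 'shell_exec', 'dir', 'readfile', 'dl', 'passthru',
                  'popen', 'chown', 'phpinfo', 'system'];

/** Parse a disable_functions value into a normalized list of names. */
function parseDisabled(string $raw): array
{
    $names = array_map(
        static fn(string $n): string => strtolower(trim($n)),
        explode(',', $raw)
    );
    return array_values(array_filter($names, static fn(string $n): bool => $n !== ''));
}

/** Return required names missing from the setting, plus names listed twice. */
function auditDisabled(string $raw, array $required): array
{
    $disabled = parseDisabled($raw);
    $counts   = array_count_values($disabled);
    return [
        'missing'    => array_values(array_diff($required, $disabled)),
        'duplicates' => array_keys(array_filter($counts, static fn(int $c): bool => $c > 1)),
    ];
}

$raw    = (string) ini_get('disable_functions');
$report = auditDisabled($raw, REQUIRED);

// disable_functions is a "php.ini only" directive: ini_set() must return false
// and the effective value must stay unchanged. If ini_set is itself disabled,
// there is nothing to call, so the setting counts as locked.
$locked = in_array('ini_set', parseDisabled($raw), true)
    || (@ini_set('disable_functions', '') === false
        && (string) ini_get('disable_functions') === $raw);

printf("effective value : %s\n", $raw === '' ? '(empty)' : $raw);
printf("missing         : %s\n", implode(', ', $report['missing']) ?: '(none)');
printf("duplicates      : %s\n", implode(', ', $report['duplicates']) ?: '(none)');
printf("runtime override: %s\n", $locked ? 'rejected' : 'ACCEPTED - investigate');
exit(($report['missing'] === [] && $locked) ? 0 : 1);
```

Run it through the same SAPI that serves the users' scripts, since the command-line binary may load a different php.ini than the web server module.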