How do I disable functions on servers for particular directories?


No, it's not possible to do that in a reliable way. As it stands, PHP does not provide an option to white-list certain directories for certain functions. A custom function could be written that allows for the execution of the "forbidden" functions in certain directories, but that means you have to allow them globally, and that will not stop programmers from accessing the forbidden functions directly.

The disable_functions setting is only available inside php.ini; any other way to try and overwrite it is not allowed (for example, ini_set or through Apache configs).

So really you have 2 options, use it or not, but there is no in-between.

Source: http://php.net/manual/en/ini.core.php#ini.disable-functions

And in particular this:

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

@slm That is one strategy, but that doesn't keep them from escalating outside of the directory, so it would really be a facade and an obscure way to do it. Even if that will work.
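As an added example (not part of the original answer, and not PHP project code), this shell sketch audits a tree for attempts to set disable_functions outside php.ini, which per the manual text quoted above are not honoured. The sample files, the "convert" directory and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit where disable_functions
# is set. Only the php.ini value is honoured; the other hits are no-ops.

# Effective list from a php.ini file. Assumption: when the directive is
# repeated, the last uncommented assignment is the one that applies.
php_ini_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]"'
}

# Succeeds if function name $2 is in the php.ini ($1) list.
is_disabled_in_ini() {
    case ",$(php_ini_disabled "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lines under tree $1 that try to set disable_functions outside php.ini:
# Apache php_value/php_admin_value directives and ini_set() calls.
find_ineffective_overrides() {
    grep -rnE \
        -e '^[[:space:]]*php_(admin_)?value[[:space:]]+disable_functions' \
        -e "ini_set\([[:space:]]*['\"]disable_functions['\"]" \
        "$1" 2>/dev/null
}

# Constructed sample tree modelled on the thread: a global php.ini plus a
# hypothetical "convert" directory that tries to re-enable exec locally.
make_sample_tree() {
    mkdir -p "$1/site/convert"
    printf '%s\n' '; constructed sample' \
        'disable_functions = exec,passthru,shell_exec,system' > "$1/php.ini"
    printf '%s\n' 'php_value disable_functions ""' > "$1/site/convert/.htaccess"
    printf '%s\n' "<?php ini_set('disable_functions', ''); // constructed" \
        > "$1/site/convert/convert.php"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "php.ini disables: $(php_ini_disabled "$demo_dir/php.ini")"
echo "Ignored override attempts:"
find_ineffective_overrides "$demo_dir"
rm -rf "$demo_dir"
```

Any hit from find_ineffective_overrides marks a place where someone expected a per-directory exception that the server does not apply.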

Author by

Himanshu Matta

Updated on September 18, 2022

Comments

  • Himanshu Matta
    Himanshu Matta over 1 year

    I want to disable some functions on server to improve security of server. I followed these steps:

    STEP: 1 Open php.ini file: vi /etc/php.ini

    STEP: 2 Find disable_functions and set new list as follows: disable_functions= exec,passthru,shell_exec,system

    STEP: 3 service httpd restart

    With the help of above steps I am able to disable all the above functions. Now these functions are no longer available on server.

    If I want to enable or disable these functions for particular directories then it is possible or not?

  • Himanshu Matta
    Himanshu Matta about 11 years
    are you 100% sure ?? Is there any alternate to achieve the same ??
  • slm
    slm about 11 years
    Can you elaborate as to the reasons why? As it stands this answer may be correct but it doesn't provide any reasons as to why which would be helpful for the OP and others that may come across this answer in the future.
  • Himanshu Matta
    Himanshu Matta about 11 years
    I have two servers suppose server A and server B. I use server A to convert voice file into another format and then I send it to server B. I use exec function to convert voice file on server A. Now I want to disable exec function but if I do the same then I'll not be able to convert voice file into another format that's why I am asking is it possible to enable functions for particular directories?
  • Alexander Meesters
    Alexander Meesters about 11 years
    expanded my comment for a bit
  • Himanshu Matta
    Himanshu Matta about 11 years
    I tested this ...not working ..:(
  • ceejayoz
    ceejayoz over 10 years
    It'll never work. Allowing .htaccess files to override the disable_functions setting would destroy the entire point of it for security.