Disabling PHP Functions with SUHOSIN and Optionally cPanel/WHM
If your server has SUHOSIN installed/enabled, regardless of whether you have cPanel/WHM or not, this should work for you. Disabling PHP functions using the 'disable_functions'
section of your php.ini file won’t really work too well if you using SUHOSIN. Instead, comment out the 'function_disable'
line and add the following under neath it:
suhosin.executor.func.blacklist = "show_source,shell_exec,passthru,exec,popen,allow_url_fopen,system"
Of course your list of disabled features may not be the same as the example above, so be sure to add or delete the functions you want disabled or enabled from the list. Once you are done, restart apache and check your results with a phpinfo.php file. The following code inside a phpinfo.php file should do it:
<?php
phpinfo();
?>
Save the file and access it via your browser.
Search the page for the following value:
suhosin.executor.func.blacklist
The Local Value and Master Value should contain the following (as per the example in this case).
show_source,shell_exec,passthru,exec,popen,allow_url_fopen,system
Some plugins (cPanel or Other) may still complain that these functions are not disabled. You can rest assured, that they are disabled. In the case of wanting to simply please the software application (content management system etc) you can still add the entries as desired using the 'disable_functions'
section of your php.ini file, although they won’t actually have any affect, as the values are overridden by the suhosin line. In some cases, apache may complain about both lines existing, in which case you may have to modify the software application to skip the check instead.
What about if I want to enable a feature for one particular domain?
If you want to enable or disable feature/s for one particular domain, a custom configuration can be set. On a standard server without cPanel/WHM, you would edit the vhost for the domain concerned. This may be the main /etc/httpd/conf/httpd.conf file or it may be an include file. This will depend on your servers configuration. The short of it is, you simply add the following line to the end of the vhost configuration for the particular domain:
php_admin_value suhosin.executor.func.blacklist 'show_source,popen,allow_url_fopen,system'
In the above example, I’ve allowed shell_exec and passthru by not specifying them in the blacklist. If you browse to your phpinfo.php file, you’ll notice the Local Value and Master Value are now different. The local value is the configuration on the domain concerned, the master value is the server wide global configuration. Note: you need to be visiting the phpinfo.php file via the domain or dedicated IP Address of the domain you are making the change for.
The process is exactly the same on servers with cPanel/WHM. The only difference is that editing the /etc/httpd/conf/httpd.conf is discouraged, as future re-compiles of apache and updates of cPanel/WHM can cause the changes to be lost. Instead, each vhost in the /etc/httpd/conf/httpd.conf file should have one or some of the following lines at the end of the vhost section:
Include "/usr/local/apache/conf/userdata/*.conf"
Include "/usr/local/apache/conf/userdata/*.owner-username"
Include "/usr/local/apache/conf/userdata/std/*.conf"
Include "/usr/local/apache/conf/userdata/std/*.owner-username"
Include "/usr/local/apache/conf/userdata/std/2/*.conf"
Include "/usr/local/apache/conf/userdata/std/2/*.owner-username"
Don’t worry if you don’t have all of the above lines, or they don’t look exactly the same. So long as you can see an include line to a directory, that is all you need. Go to that directory (in this example I’m using Include "/usr/local/apache/conf/userdata/std/*.conf"
and create a file called domainname.conf or username.conf (so long as it ends in .conf). Edit the file and place the following line in it:
php_admin_value suhosin.executor.func.blacklist 'show_source,popen,allow_url_fopen,system'
Save your file and restart apache
/etc/httpd/init.d/httpd restart
Browse to your phpinfo.php file and compare the Local Value against the Master Value. They should be different!
If you have any feedback, troubles or would like some additional assistance, be sure to let me know in the comments.