PDA

View Full Version : restrict PHP functions (e.g. exec,shell_exec,system,dl,...etc) by domains

roy
07-02-2005, 06:03 PM
Chris & Co,

I was wondering if it is a good feature to be able to restrict PHP functions (e.g. exec,shell_exec,system,dl,...etc) by domains. Hell Im not even sure if its possible at all. I just have a hunch that you guys can pull it. :D

AFAIK, no control panel on the market is able to do this.
The only thing we can do is restrict the whole server via php.ini
Some honest customers running some applications might need access to the EXEC function. We can give it to him.
We will disable functions for some suspicious looking customers. e.g. a customer who signed up with the email h4xx0r@haxx-R-us.com

Others who think that this is a good feature please post something here.

Cheers.
IWorx-Chris
07-02-2005, 10:03 PM
I do think it'd be a good feature but as of yet it's not possible on a per vhost basis, I wish it were.

Here's the corresponding php docs on the subject:

http://us3.php.net/manual/en/features.safe-mode.php#ini.disable-functions

Chris
roy
07-02-2005, 10:46 PM
Ahhh that sucks, Chris!
:(

disable_functions directive can not be used outside of the php.ini file which means that you cannot disable functions on a per-virtualhost or per-directory basis
Doobla
07-18-2005, 01:09 PM
I believe ensim is able to achieve this because if the way that they implement php in High Security sites. PHP scripts are run as cgi and each site has its own copy of the php.ini file. Perhaps this is something interworx can implement as an option that can be turned on/off?

I'm very interested in interworx in general and if they could implement some of the stuff I've come to like about ensim (since they're already handling the stuff I didn't like about ensim :P) then I could see myself coming over to the dark side....

Jon
IWorx-Chris
07-18-2005, 02:09 PM
We have plans to do so Jon. There are a few methods that work well and suPHP w/dedicated php.ini we have working internally which allows all php scripts to run chmod 600 with dirs chmod 700 and owned/grouped to the user. We'll definitely be making this a reality in a coming release.

Chris
roy
07-18-2005, 07:30 PM
I am currently using VPS to separate accounts that need special php.ini configuration but I like the proposed solution by doobla better.

That is why I like Interworx.
I can tell you guys are really trying hard to make this a better product instead on resting on your laurel after you have a working version.
Keep it up!
IWorx-Chris
07-19-2005, 09:11 AM
There's no resting here roy :).