PHP – How to allow just one site to use PHP’s exec() function

Tags: apache-2.4, PHP

I have a simple Apache with mod_php server on CentOS 7. I've disabled the exec function in php.ini but I need to use it on one Vhost. Now obviously I know I can't use multiple php.ini files and I know I can't change the disable_functions setting outside of the php.ini file, so I tried toying with other ideas.

Obviously my first option was to use fastcgi, or suPHP, etc. but I couldn't get them to work without breaking the server, and whilst I probably could eventually make them work, I'd rather find a different solution and stick with the simple mod_php.

My second thought was to install Nginx and php-fpm and get it to listen on another port, but despite setting disable_functions to an empty value, it still read the php.ini file as well and thus disabled the php_exec function.

So is there a relatively simple way of achieving this without having to reset up Apache with fastcgi?

Best Answer

Well, I have a pretty good answer, thanks to pointers from Aaron.

Install Suhosin using this:

# Build Suhosin from source (phpize comes from php-devel)
yum install php-devel
wget http://download.suhosin.org/suhosin-0.9.33.tgz
tar -xvf suhosin-0.9.33.tgz
cd suhosin-0.9.33
phpize
./configure
make
make install
# Load the extension and restart Apache so mod_php picks it up
echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini
service httpd restart

# Package-based install (alternative to building from source)
yum install php-devel
yum install php-suhosin

Add this to the bottom of the php.ini file (a list of functions to blacklist; use straight quotes, not typographic ones, or they become part of the value):

suhosin.executor.func.blacklist = "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

Finally, to the VirtualHost that should be allowed to use the disabled functions, add this:

php_admin_value suhosin.executor.func.blacklist =

Suhosin forces a script to exit when it reaches a function that is blacklisted, rather than ignoring the function like the native disable functions setting.
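Once one vhost is allowed to clear the blacklist, the set of such vhosts is worth auditing. The script below is an added example, not part of the original answer: it scans Apache config files and reports every VirtualHost that sets php_admin_value suhosin.executor.func.blacklist, together with the value it sets. The sample config, its ServerNames and the temp file location are constructed for the demo.

```shell
#!/bin/sh
# Added example: list VirtualHosts that override the Suhosin function blacklist.
# Assumes: Apache config in the file(s) passed as arguments; ServerName names each vhost.

# Constructed sample config (not a real server) written to the path given as $1.
make_sample() {
  cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName locked.example.test
    DocumentRoot /var/www/locked
</VirtualHost>
<VirtualHost *:80>
    ServerName tools.example.test
    DocumentRoot /var/www/tools
    php_admin_value suhosin.executor.func.blacklist =
</VirtualHost>
<VirtualHost *:80>
    ServerName partial.example.test
    php_admin_value suhosin.executor.func.blacklist "exec,system"
</VirtualHost>
EOF
}

# Prints "ServerName<TAB>value" for each vhost that sets the blacklist directive.
# Directive matching is case-insensitive, like Apache's own parser.
audit_blacklist_overrides() {
  awk '
    tolower($1) == "<virtualhost" { name = "(no ServerName)"; found = 0 }
    tolower($1) == "servername"   { name = $2 }
    tolower($1) == "php_admin_value" && tolower($2) == "suhosin.executor.func.blacklist" {
        value = ""
        for (i = 3; i <= NF; i++) value = value (i > 3 ? " " : "") $i
        if (value == "") value = "(empty)"
        found = 1
    }
    tolower($1) == "</virtualhost>" { if (found) printf "%s\t%s\n", name, value }
  ' "$@"
}

# Stand-alone demo run on the constructed config.
tmp=$(mktemp)
make_sample "$tmp"
audit_blacklist_overrides "$tmp"
rm -f "$tmp"
```

Run it against /etc/httpd/conf.d/*.conf (or wherever the vhosts live) and compare the list with the vhosts that are meant to have exec() available.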