We have a issue that just came to our notice, some of our developers used ini_set('memory_limit', -1) to over-ride the php.ini memory_limit settings in their code files.
Due to which sometimes our Memory/CPU usage is way far more than usual and we even have experienced server hanging/crashing many times.
Is there any way to restrict these changes for certain params like memory_limit, upload_max_filesize & post_max_size? Users should not be able to edit them after a certain limit set?
Sorry if i asked a dumb question, tried searching but there was no reference to this only found answers asking for increasing these parameters.
Best Answer
There are two options i know of to accomplish at least parts of your goal.
First php safe_mode, which might give your Devs a lot of additional work.
Suhosin www.hardened-php.net
When installed you can edit /etc/php5/conf.d/suhosin.ini and set:
suhosin.memory_limit = 512M
Qoute from Manual 1:
As long scripts are not running within safe_mode they are free to change the memory_limit to whatever value they want. Suhosin changes this fact and disallows setting the memory_limit to a value greater than the one the script started with, when this option is left at 0. A value greater than 0 means that Suhosin will disallows scripts setting the memory_limit to a value above this configured hard limit. This is for example usefull if you want to run the script normaly with a limit of 16M but image processing scripts may raise it to 20M.
Stackoverflow question for reference