The CustomBuild secure_php option

One could use the CustomBuild option secure_php to make their PHP installations more secure. It will edit the php.ini for each PHP version to disable PHP functions that are commonly abused. The default setting is secure_php=no.

How to enable secure_php

To use this option, run the following commands:

cd /usr/local/directadmin/custombuild/
./build secure_php
1
2

These commands will:

  • enable secure_php by changing it from 'no' to 'yes' in the CustomBuild configuration (/usr/local/directadmin/custombuild/options.conf)
  • secure each PHP installation by editing their respective `php.ini files' settings (if applicable):
    • disable_functions
    • expose_php
    • mysqli.allow_local_infile OR mysql.allow_local_infile
    • register_globals (deprecated since PHP 5.3 and removed as of PHP 5.4)

These settings will be modified as follows:

disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
mysqli.allow_local_infile = Off
expose_php = Off
register_globals = Off
1
2
3
4

Of the modified settings, only disable_functions is added if it doesn't exist already. The other settings will be set to 'Off' only if they existed already and were enabled.

You can confirm the process completed by either checking for the changes in the php.ini file, or by checking for entries similar to the following example output in the /usr/local/directadmin/custombuild/custombuild.log:

[root@host custombuild]# grep -Ri 'secure_phpini:' custombuild.log 
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php56/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php70/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php73/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php74/lib/php.ini secured
[root@host custombuild]# 
1
2
3
4
5
6
7

Note that for CloudLinux servers, ./build secure_php will secure /etc/cl.selector/global_php.ini and then run cagefsctl --setup-cl-selector.

How to customize the disable_functions list

If you were to try to manually edit disable_functions in a php.ini file, your customizations likely won't be preserved and will be overwritten the next time you build PHP.

To customize the list of functions that are disabled so that you can add/remove functions from the list, you can do the following where your custom comma-delimited list of php functions to disable are :

cd /usr/local/directadmin/custombuild
echo "exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname" > custom/php_disable_functions
./build secure_php
1
2
3

For example, let's say that you only want exec disabled. In that case, you'd run this:

cd /usr/local/directadmin/custombuild
echo "exec" > custom/php_disable_functions
./build secure_php

1
2
3
4

Now, you can check and confirm the disable_functions for all PHP versions like so:

grep disable_functions /usr/local/php*/lib/php.ini
1

How to revert secure_php changes

If for some reason you decide that you need to revert these changes, there are a few ways to do so, but beware that this first method will involve overwriting any customizations you have already by replacing the php.ini with a default php.ini.

  1. cd /usr/local/directadmin/custombuild; ./build set secure_php no; ./build set php_ini yes; ./build php_ini

Make sure to run ./build set php_ini no when you are done so that the php.ini isn't rebuilt anew each time you ./build php or ./build all.

If you just need to revert the changes done to disable_functions, you may consider the following option, which would allow you to retain any other customizations you have.

  1. Simply overwrite any list of functions in custom/php_disable_functions to an empty string and run ./build secure_php again:
echo "" > custom/php_disable_functions
./build secure_php
1
2

That should clear the disable_functions so that no functions are disabled via this setting.

Last Updated: 6/23/2021, 9:36:08 PM