CustomBuild secure_php
One could use the CustomBuild option secure_php to make their PHP installations more secure. It will edit the php.ini for each PHP version to disable PHP functions that are commonly abused. The default setting is secure_php=no.
How to enable secure_php
To use this option, run the following commands:
cd /usr/local/directadmin/custombuild/
./build secure_php
These commands will:
- enable
secure_phpby changing it from 'no' to 'yes' in the CustomBuild configuration (/usr/local/directadmin/custombuild/options.conf) - secure each PHP installation by editing their respective `php.ini files' settings (if applicable):
- disable_functions
- expose_php
- mysqli.allow_local_infile OR mysql.allow_local_infile
- register_globals (deprecated since PHP 5.3 and removed as of PHP 5.4)
These settings will be modified as follows:
disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
mysqli.allow_local_infile = Off
expose_php = Off
register_globals = Off
Of the modified settings, only disable_functions is added if it doesn't exist already. The other settings will be set to 'Off' only if they existed already and were enabled.
You can confirm the process completed by either checking for the changes in the php.ini file, or by checking for entries similar to the following example output in the /usr/local/directadmin/custombuild/custombuild.log:
[root@host custombuild]# grep -Ri 'secure_phpini:' custombuild.log
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php56/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php70/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php73/lib/php.ini secured
2020-07-13 04:47:07 97.85.XXX.XXX: secure_phpini: /usr/local/php74/lib/php.ini secured
[root@host custombuild]#
Note that for CloudLinux servers, ./build secure_php will secure /etc/cl.selector/global_php.ini and then run cagefsctl --setup-cl-selector.
How to customize the disable_functions list
If you were to try to manually edit disable_functions in a php.ini file, your customizations likely won't be preserved and will be overwritten the next time you build PHP.
To customize the list of functions that are disabled so that you can add/remove functions from the list, you can do the following where your custom comma-delimited list of php functions to disable are :
cd /usr/local/directadmin/custombuild
mkdir -p custom
echo "exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname" > custom/php_disable_functions
./build secure_php
For example, let's say that you only want exec disabled. In that case, you'd run this:
cd /usr/local/directadmin/custombuild
mkdir -p custom
echo "exec" > custom/php_disable_functions
./build secure_php
Now, you can check and confirm the disable_functions for all PHP versions like so:
grep disable_functions /usr/local/php*/lib/php.ini
How to revert secure_php changes
If for some reason you decide that you need to revert these changes, there are a few ways to do so, but beware that this first method will involve overwriting any customizations you have already by replacing the php.ini with a default php.ini.
cd /usr/local/directadmin/custombuild; ./build set secure_php no; ./build set php_ini yes; ./build php_ini
Make sure to run ./build set php_ini no when you are done so that the php.ini isn't rebuilt anew each time you ./build php or ./build all.
If you just need to revert the changes done to disable_functions, you may consider the following option, which would allow you to retain any other customizations you have.
- Simply overwrite any list of functions in
custom/php_disable_functionsto an empty string and run./build secure_phpagain:
echo "" > custom/php_disable_functions
./build secure_php
That should clear the disable_functions so that no functions are disabled via this setting.