Individual php.ini files editable

I am trying to limit individual virtual server users from editing their own php.ini files in an attempt to stop them setting their own memory etc limits.

I have set to no, "Allow editing of PHP configuration" in Virtualmin>system settings>server templates>apache website. But still if I log into a virtual server with virtual server owner rights I can still modify the php.ini file with both the virtualmin/webmin gui as well as the file manager.

One thing I noticed is the php.ini file owner is set to the virtual server owner not "root" as the pop up help box explains.

If you need any further information please let me know.

Thanks Michael

Status: 
Closed (fixed)

Comments

Yes, there is no built-in way to prevent editing of php.ini currently.

However, you could write a script that runs after domain creation to chown it to root ownership. This might introduce other problems though, like failures when Virtualmin really does need to modify php settings, such as when installing a script.

Hi Jamie

Thanks for the reply. Is there anything that could be done in say the next release possibly ?

As you can see that allowing anyone to edit their own php.ini is not ideal in a shared platform.

Thanks Michael

Maybe .. but what php.ini settings are you trying to prevent users from editing? I suspect that many can be changed at run-time, so locking down php.ini doesn't really provide much security.

Hi Jamie

In a nut shell, If you are on a VPS for example and you have say 2 gig of ram that is shared between your customeer base, I didnt want/or trying to prevent a situation where one clever chap desides that he would like to alocate himself 1 gig or ram rather then say the 128 meg I may have otherwise budgeted for on his plan.

Thanks Michael

In that case, you might want to look into the Resource Limits feature of Virtualmin, which can set memory limits for all processes owned by a domain. This can be found at Administration Options -> Edit Resource Limits.

Hi Jamie

Sorry for the Noob question here but ..

If I wish to limit a server to say 128 meg total what would I add to these options given I dont know how many "proccesses" a server uses under "normal" operation. Is it 1 or 5 or 100 proccesses ? I am guessing that if there is 10 people on a website and 2 people emailing the server at the same time then would this mean the server is using 12 processes ? and if this is the case if I set a limit of 128 meg per process then would the ram usage be 12 x 128 meg ? and if this is correct then what happens to spamassain and clamav and all the other things in the backgrount running away doing there bit ?

Or am no where near the mark which is very possible.

Thanks Michael

The limit is per-process, not the total for the user unfortunately .. just like the PHP memory limit is set on a per-process basis.

Typically a domain will only have PHP processes running, unless the user logs in via SSH in which case there will be an additional shell process. The number of PHP processes is determined by the number of concurrent web requests.

Hi Jamie

Are you saying that the ONLY proccesses that these limits control/restrict is the apache/php proccesses ?

Are the other things like Spamassasin / Clamav etc not part of this limit ?

Regards Michael

PS I just did some reading on this, my understanding is the settings limit the User/Domain account which SA and Clamav etc are not part of...

Those limits affect any process owned by the user.

So they affect PHP, and any CGI scripts, which are all run as the user -- but not Apache, which is run as the Apache user.

SpamAssassin and ClamAV would typically run as a single daemon (which we recommend). That single daemon also is not run as the user, so those limits wouldn't apply to that either.

However, it does prevent a scripts owned by a user from taking up more resources than it's allocated, and that's a good way to protect other users in a shared hosting environment.

Hi Eric

Great, I'm on the same page now and can work with this.

But may I be so forward to ask is it possible to have an "option" added the VM to remove/hide the "php config" pages in the gui. I understand that if a user wants to edit it they can by going to the php.ini file directly, but if its not there to look at, its not there to fiddle with if you get my drift.

Thanks again all.

Michael

You can hide access to the PHP configuration page in Virtualmin as follows - just go to System Settings -> Server Templates -> Default Settings -> Administrator's Webmin modules , change "PHP Configuration (for domain's php.ini files)" to "No" and click "Save".

Thanks Jamie.. Just what I wanted ..

Feel free to mark this as closed....

Have a good Christmas

Michael

Automatically closed -- issue fixed for 2 weeks with no activity.