Safe to disable some php functions?

#1 Wed, 02/18/2009 - 07:47
mdtiberi

Is it safe to disable the following PHP functions, as they are major security holes, and I don't want to break Webmin:

dl
exec passthru pfsockopen popen posix_kill posix_mkfifo posix_setuid proc_close proc_open proc_terminate shell_exec system

Wed, 02/18/2009 - 07:55
andreychek

It's safe, as in, you won't break Webmin or Virtualmin by disabling those, as they're purely Perl-based.

What I can't speak to is what PHP apps will break without those functions :-)

Any number of PHP apps could use those; you may just need to search through the PHP code and verify those functions aren't in any apps you want to run (including those installed by Virtualmin's Install Scripts).
-Eric
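The search Eric describes, as an added example that is not part of the thread: a small POSIX shell script that reads the disable_functions line out of a php.ini and greps a document root for calls to exactly those names, so the list you are about to disable and the list you audit against cannot drift apart. The php.ini path and the docroot are assumed to be passed as arguments; the fixture in demo() is constructed for illustration and carries the function list from the original post.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: audit PHP sources for
# calls to the functions named in php.ini's disable_functions before enabling it.
# Assumptions: $1 is a directory of .php files, $2 is a php.ini (paths are ours).

# Turn "disable_functions = dl, exec system" into the ERE alternation
# "dl|exec|system".  Handles comma and/or space separators, optional quotes
# and a trailing ";" comment; a commented-out ";disable_functions" line is ignored.
disabled_pattern() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
        | sed 's/;.*//; s/"//g' \
        | tr ', ' '\n\n' | sed '/^$/d' | paste -sd'|' -
}

# Print the .php files under $1 that call one of the disabled functions.
# The match requires a call site: the name preceded by a non-identifier
# character that is not '>', ':' or '$' (so $pdo->exec(), Foo::exec() and
# $exec() are not counted) and followed by '('.  Comments and strings can
# still match: this gives you files to read, not a verdict.
find_callers() {
    dir="$1"; pat="$(disabled_pattern "$2")"
    [ -n "$pat" ] || return 0
    find "$dir" -type f -name '*.php' -exec \
        grep -lE "(^|[^A-Za-z0-9_>:\$])(${pat})[[:space:]]*\(" {} + | sort
}

# Constructed fixture: the list from the original post and three small PHP
# files, one of which uses none of the functions.  Prints the files that
# would break once the directive is enabled, relative to the fixture root.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/app/cron"
    cat > "$tmp/php.ini" <<'EOF'
; constructed php.ini excerpt
disable_functions = dl, exec passthru pfsockopen popen posix_kill posix_mkfifo posix_setuid proc_close proc_open proc_terminate shell_exec system
EOF
    cat > "$tmp/app/index.php" <<'EOF'
<?php
// constructed: PDO's exec method is not the global function of the same name
$pdo->exec("DELETE FROM sessions WHERE expires < NOW()");
echo str_replace("system", "app", $title);
EOF
    cat > "$tmp/app/cron/backup.php" <<'EOF'
<?php
// constructed: calls a disabled function, so this file would break
$out = shell_exec('tar czf /tmp/site.tgz ' . escapeshellarg($docroot));
EOF
    cat > "$tmp/app/status.php" <<'EOF'
<?php
// constructed: calls a disabled function
passthru('uptime');
EOF
    find_callers "$tmp/app" "$tmp/php.ini" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}
```

Run it against a real site with `find_callers /home/example/public_html /etc/php.ini` (paths assumed); anything it lists is a file to open and read, since a name inside a comment or a string literal followed by "(" will also be reported.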

Wed, 02/18/2009 - 13:37 (Reply to #2)
expro

I would recommend `tail -f /var/log/php.log` if some application behaves oddly. IMHO a better approach than grepping the source code ;-)

Wed, 02/18/2009 - 14:07
Joe

Assuming you're running everything under suexec (which we recommend), I don't think I agree that any of these are "major security holes".

--

Check out the forum guidelines!

Wed, 02/18/2009 - 19:05
mdtiberi

How can I verify if those functions run under suexec?

Perhaps it's a legacy of my Plesk days.

Wed, 02/18/2009 - 19:13 (Reply to #5)
Joe

"those functions" is sort of nonsensical. Either you are running your applications under suexec, or you are not. There is no choosing what functions run under suexec.

Do you have SuexecUserGroup in your httpd.conf? And is PHP configured to run as either CGI or FastCGI (with wrappers owned by the user)? If both of those are true, then you are. If either of those is not true, then you aren't (and, as far as I'm concerned, no amount of fiddling with PHP configuration is going to make it secure in an environment with non-trusted users).


Wed, 02/18/2009 - 19:19
mdtiberi

In php.ini the directive is "disabled functions = blah, blah". Fair to say then "those functions"; hardly nonsensical.

I'll check out your suggestions. Thanks

Wed, 02/18/2009 - 19:25 (Reply to #7)
Joe

I mean it's nonsensical to say "if those functions run under suexec". Either PHP is or is not running under suexec--nothing in php.ini has any impact on whether it is running under suexec, including the disabled functions directive.
