Increasing PHP security via disable_functions
Written by Evren Yurtesen
Friday, 05 October 2007

PHP has a few functions that give access to things ordinary users do not need to know about or use. Disabling them can increase security.

Many functions can be disabled in PHP using the disable_functions setting in php.ini. This setting currently only works from php.ini, so one must be careful not to disable a function which might be needed. Below is a list of functions which I found can be disabled without interfering with most of the PHP software around.

disable_functions = "apache_get_modules,apache_get_version,apache_getenv,apache_note,
                     apache_setenv,disk_free_space,diskfreespace,dl,
                     highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,
                     proc_nice,shell_exec,show_source,symlink,system"

Please let me know if you find that any of these functions are needed for popular software to function.

Below are some other functions you can disable, but you must use caution while doing so:

dl — Loads a PHP extension at runtime

This function is required for loading ionCube on the fly. However, if you have popular sites using ionCube, the better way is to load it from php.ini anyway: not only for the speed increase, but also because you stay in control of the ionCube versions and can make sure they match your PHP version.

exec — Execute an external program

This function is required by XCart and by the spellcheck feature of Horde. There is nothing good I can say about letting this function work. You could perhaps use safe_mode to designate a safe bin directory from which users may execute only the binaries you allow.

fsockopen — Open Internet or Unix domain socket connection

This function is unfortunately required by the Virtuemart PayPal module, so it is left out of the example above. You can add it if you are sure that it won't break anything on your system.

popen — Opens process file pointer

This function is required by XCart. It is similar to the exec function and can be limited by using safe_mode. Too bad the PHP developers decided to drop safe_mode in PHP 6 :(

set_time_limit — Limits the maximum execution time

Disabling this function seems to affect gallery2. In either case a script would time out when the Apache timeout is reached, which is 300 seconds by default. Thus it should be more or less safe to leave this one enabled, unless the site in question is very busy and causing problems.

popen — Opens process file pointer

This function is used by MediaWiki when calling diff3 (used to merge three texts). It is also used by Horde when calling sendmail to send mail (this does not affect Horde if SMTP is used for sending mail).

proc_open — Execute a command and open file pointers for input/output

This function is used by MediaWiki in one function in Parser.php.
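To check a php.ini against the notes above before deploying it, the following is an added Python example (not code from this article or from PHP itself): it parses the disable_functions value, accepting one that wraps over several lines like the example at the top, reports which functions from that list are still enabled, and flags functions that a named application needs according to the notes above. The application-to-function map is taken from those notes; the php.ini fragment is a constructed sample.

```python
# Added example: audit a php.ini disable_functions value against the applications
# on a host, using the per-application notes from this article.
BASELINE = {  # the article's recommended disable_functions list
    "apache_get_modules", "apache_get_version", "apache_getenv", "apache_note",
    "apache_setenv", "disk_free_space", "diskfreespace", "dl", "highlight_file",
    "ini_alter", "ini_restore", "openlog", "passthru", "phpinfo", "proc_nice",
    "shell_exec", "show_source", "symlink", "system"}

APP_NEEDS = {  # functions the article reports as required, per application
    "ioncube (runtime load)": {"dl"},
    "xcart": {"exec", "popen"},
    "horde (spellcheck, sendmail)": {"exec", "popen"},
    "virtuemart paypal": {"fsockopen"},
    "mediawiki": {"popen", "proc_open"},
    "gallery2": {"set_time_limit"},
}

def parse_disable_functions(ini_text):
    """Names listed in disable_functions; a quoted value may wrap over lines."""
    names, lines, i = set(), ini_text.splitlines(), 0
    while i < len(lines):
        key, _, value = lines[i].partition("=")
        i += 1
        if key.strip() != "disable_functions":   # also skips ';' comment lines
            continue
        value = value.strip()
        if value.startswith('"'):      # quoted: keep reading to the closing quote
            while value.count('"') < 2 and i < len(lines):
                value += lines[i]
                i += 1
            value = value[1:value.index('"', 1)]
        else:                          # bare value: drop any trailing comment
            value = value.split(";", 1)[0]
        names = {n.strip() for n in value.split(",") if n.strip()}
    return names

def audit(ini_text, installed_apps):
    """Return (BASELINE names still enabled, {app: disabled names it needs})."""
    disabled = parse_disable_functions(ini_text)
    conflicts = {app: sorted(APP_NEEDS.get(app, set()) & disabled)
                 for app in installed_apps if APP_NEEDS.get(app, set()) & disabled}
    return sorted(BASELINE - disabled), conflicts

SAMPLE_INI = """; constructed sample: the article's list plus exec and fsockopen
disable_functions = "apache_get_modules,apache_get_version,apache_getenv,apache_note,
                     apache_setenv,disk_free_space,diskfreespace,dl,exec,fsockopen,
                     highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,
                     proc_nice,shell_exec,show_source,symlink,system"
"""
```

Running audit(SAMPLE_INI, ["xcart", "virtuemart paypal", "gallery2"]) reports no missing baseline functions but flags exec for XCart and fsockopen for the Virtuemart PayPal module, which is exactly the conflict the notes above warn about.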

Last Updated (Friday, 15 August 2008)