avoid customer to use his own php.ini

Discussion in 'ISPConfig 3 Priority Support' started by tr909192, Aug 23, 2020.

  1. tr909192

    tr909192 Member HowtoForge Supporter

    Dear,

    for a security related issue we really need to stop the ability to the customer to use his own php.ini (in order to avoid malicious use of open_basedir disabled).
    Someone know if it's possible to configure the php (installed following the perfect server setup) to avoid that?

    ty
     
    tr909192, Aug 23, 2020
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Set:

    user_ini.filename =

    in the global.php.ini and restart apache and php-fpm daemons.
     
    till, Aug 23, 2020
    #2
  3. tr909192

    tr909192 Member HowtoForge Supporter

    Sure but i think that this could be overridden by a malicious users.
     
    tr909192, Aug 23, 2020
    #3
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, how should he be able to do that? Only the Linux root user and the ISPConfig Administrator can overwrite that setting.
     
    till, Aug 23, 2020
    #4
  5. tr909192

    tr909192 Member HowtoForge Supporter

    Ok i'll try that way. I think that i need to modify also /var/www/conf/*/ php.ini file others that the global one. For the domain that has some custom spec on the ispconfig php configuration field.
     
    tr909192, Aug 23, 2020
    #5

Share This Page