Custom php.ini settings do not override default php.ini

Discussion in 'General' started by fabbrj, Jan 31, 2024.

  1. fabbrj

    fabbrj New Member

    Hello
    these days we are installing a Magento 2 system on a host created via the IspConfig 3 (Version: 3.2.11) panel.
    My panel is installed on a Debian 11 VPS with Apache, PHP-FPM, 8 vCPU, and 32GB vRAM.
    In all of our Ispconfig systems, we use our own php.ini file which provides us with security on all of our hosts, this file includes the following wording:
    Code:
    disable_functions = "popen,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,proc_nice,show_source,symlink,system,shell_exec,exec"
    By testing an import/export product module on one of our ecommerce applications, we see that the application needs the php exec() function to execute actions in cron by cli automatically:
    Code:
    [2024-01-30T11:35:33.811354+00:00] main.CRITICAL: Error: Call to undefined function Magento\Framework\exec() in /var/www/clients/clientX/webXXX/web/vendor/magento/framework/Shell.php:60
    So far so good... I check from the panel and within my custom php settings I enter the following:
    Code:
    disable_functions = "popen,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,proc_nice,show_source,symlink,system,shell_exec"
    to enable the function required by the application.
    I run a test with phpinfo() on my application to check that my changes have been updated correctly and display the disabled functions as per my changes and find no problems.
    All functions are disabled except exec().
    I re-test the functionality of my Magento 2 but still find the error on the previously reported exec() function.
    Thinking it was an application-side error (magento often has problems with path, url base or similar) I try to make a very simple test script of the offending function on an identical host similar to the following:
    Code:
    <?php
    $command = 'ls -lah';
    exec($command, $output, $exitCode);
    echo '<pre>';
    print_r( $output );
    die();
    
    but despite my modification on the panel I still get the following error:
    Code:
    [Wed Jan 31 12:30:09.099989 2024] [proxy_fcgi:error] [pid 1711635] [client 213.152.200.12:51914] AH01071: Got error 'PHP message: PHP Fatal error:  Uncaught Error: Call to undefined function exec() in /var/www/clients/clientX/webXX/web/index.php:4\nStack trace:\n#0 {main}\n  thrown in /var/www/clients/clientX/webXX/web/index.php on line 4'
    After days of tests and trials, the only solution I found was to edit the default global php.ini file in /etc/php/8.1/fpm/php.ini, removing the offending function from there, but this globally unlocks the function and puts all vhosts using php version 8.1 at security risk.

    I have also tried removing all functions from disabled_function via the panel, but there seems to be no real change.
    Am I doing something wrong? Is it possible to do as I have described?
    I hope I have explained myself well.
    Kind regards and good work.
     
  2. fabbrj

    fabbrj New Member

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 11 (bullseye)
    
    [INFO] uptime:  09:48:04 up 13 days, 20:12,  1 user,  load average: 2.76, 3.07, 3.16
    
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:            31Gi        24Gi       1.3Gi       455Mi       5.5Gi       5.8Gi
    Swap:          979Mi       979Mi          0B
    
    [INFO] systemd failed services status:
      UNIT            LOAD   ACTIVE SUB    DESCRIPTION
    ● certbot.service loaded failed failed Certbot
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    1 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.11
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.4.33
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.33
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 296094)
        Unknown process (nginx:) (PID 3383694)
    [INFO] I found the following mail server(s):
        Unknown process (smtpd) (PID 416335)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 754972)
    [INFO] I found the following imap server(s):
        Dovecot (PID 754972)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 2917469)
    
    ##### LISTENING PORTS #####
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    
    
    
    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Hm, weird. I can confirm this issue, but do not see the direct reason that this is ignored...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Does disable_functions get listed correctly in the PHP-FPM pool file? If yes, then maybe PHP has some limitations that this setting can not be overridden via pool file?
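
A way to test the limitation raised above, as an added example that is not part of the original thread: per the PHP manual, a `disable_functions` value set through `php_admin_value` in an FPM pool is appended to the php.ini value rather than replacing it, so the value phpinfo() reports and the functions that are actually callable can differ. The probe list and the helper names `parse_disabled` and `classify` are constructed for illustration.

```php
<?php
// Added diagnostic, not code from the thread.
// Compares the disable_functions value PHP reports with what is callable.

// Constructed probe list, taken from the disable_functions line in the first post.
$probe = ['exec', 'shell_exec', 'system', 'popen', 'symlink'];

/** Split a disable_functions string into lowercase function names. */
function parse_disabled(string $raw): array
{
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));
}

/** Compare "listed in the reported value" with "actually callable". */
function classify(string $fn, array $listed): string
{
    $inList   = in_array($fn, $listed, true);
    $callable = function_exists($fn); // false when the function is disabled
    if ($inList) {
        return $callable ? 'MISMATCH: listed but callable' : 'disabled (listed)';
    }
    return $callable
        ? 'enabled'
        : 'MISMATCH: not listed, not callable (disabled by an earlier config layer?)';
}

header('Content-Type: text/plain');
$listed = parse_disabled((string) ini_get('disable_functions'));

echo 'SAPI:           ', php_sapi_name(), "\n";
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', "\n";
// The process owner shows which FPM pool served the request (site user or www-data).
if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
    $user = posix_getpwuid(posix_geteuid());
    echo 'Process user:   ', $user['name'] ?? '?', "\n";
}
echo 'Reported value: ', implode(',', $listed) ?: '(empty)', "\n\n";

foreach ($probe as $fn) {
    printf("%-12s %s\n", $fn, classify($fn, $listed));
}
```

Request it through the same path as the failing code, since the FPM pool and the `php` CLI used by cron each load their own configuration.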
     
  5. variable99

    variable99 Member

    Also, be sure that limits are loaded in correct order.
     
  6. fabbrj

    fabbrj New Member

    My disable_functions is correctly valued in the php-fpm pool. If I do a phpinfo() with the changes from the panel, I see the functions removed or added as I valued them on the panel, while in the main php.ini they remain correctly valued but not working.
    Emh.. it was not in my knowledge that disable_function must have the functions in a certain sorting... on all LAMP and MAMP servers without panel we have we use the above sorting but do not encounter this problem when changing the configuration of a single site, I only encounter this problem on machines with IspConfig 3.X installed :(
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    So this works fine and the custom config overrides the php.ini file as it should be. So maybe your issue is not in ISPConfig overriding php config values but in a custom config that you might use in the apache directives field or a .htaccess file that overrides the settings done by ispconfig, e.g. by forcing the site to use a different php-fpm process (e.g. the global www-data php-fpm process instead of the one of that website) by setting a wrong path to the socket manually.
     