I'm having problems with Nextcloud inside an ISPC website. System's default fpm php.ini (all versions) has several disabled functions, one of which is posix_getpwuid. In ISPC under custom php.ini settings I've set a custom "disable_functions = xxx" containing all system's default disabled functions but excluded posix_getpwuid. The custom setting shows correctly in phpinfo, though Nextcloud keeps giving errors about posix_getpwuid being disabled. Only when I delete posix_getpwuid in system's default fpm php.ini the error goes away. It doesn't matter which PHP version I choose in ISPC. Somehow Nextcloud always defaults back to system's default fpm php.ini (the same version as chosen in ISPC) when it comes to disabled functions even though phpinfo outputs the correct custom setting. What am I missing or not seeing?
Personally, I would not install nextcloud inside a website directly. What I would do is to start nextcloud as a Docker container, let that docker container listen on localhost on an unused port like 8090 and then add a proxy directive in that website to forward the traffic from that website to the nextcloud port. Such a setup makes maintenance and updates very easy and ISPConfig acts just as a proxy and also handles the SSL certificate with LE.
Besides what I wrote above, maybe you use some custom Apache or Nginx directives and these custom directives point PHP-FPM to the wrong socket?
Of course there are custom directives, but not pointing to the wrong socket. Otherwise phpinfo would output system's default php.ini, which it doesn't.
It's as if the disable_functions setting can't be overwritten while other settings can be and even though phpinfo is showing the new value. I'm looking everywhere to find if it could be PHP default behavior but keep coming up empty.
It's possible that you can't override it. Check the PHP-FPM pool file for this website, if the directive is in there, then ISPConfig did its job, which means it can to be overridden on a website basis. But as I mentioned before, I recommend running it as a Docker image. This will solve your current issue and it will help you a lot in future with updates.
I've been running it for years like that without any problems. Though that old server had no disabled php functions. Docker and proxying isn't a solution at all. It will throw disabled_functions down the toilet and with that the tightened security it's giving. Leaving me with indeed a working Nextcloud but less secure. It's there. That's why phpinfo is showing it correctly in its output. But it seems to be ignored by Nextcloud somehow.
I would say the exact opposite is the case. Nextcloud is securely contained in a virtual Docker environment, so even if it would get hacked, this would not affect any other site or user. And in case you want to modify the official Docker container by providing a more secure PHP configuration than what the Nextcloud makers consider appropriate, you can still do that with a Docker file (or maybe the image already provides an option for that by default). Nextcloud is a PHP application, so it can not ignore a security setting as PHP enforces it. If a PHP application would be able to ignore such settings, it would not make sense to set them. Maybe you could post the custom config you use for that site and if it's an Apache server, post also the content of the .htaccess file, if such a file exists in that site.
You're right about systemwide security. I was more or less referring to nextcloud. Been looking into docker and customization possibilities. There are some. Just one other big problem. The webserver, and with that nextcloud, is a 2 node cluster. Docker cluster? No thank you. My thoughts exactly. But the fact is at least the custom disable_features does get ignored! I'm running Ubuntu 24.04 with multiple php versions and nginx. The nextcloud website uses php 8.3. After setting "disable_functions = xxx" excluding posix_getpwuid in custom php.ini settings of the website in ISPC nextcloud still complains that posix_getpwuid is disabled even though phpinfo reflects the correct custom setting (thus without posix_getpwuid). Only when I remove posix_getpwuid in /etc/php/8.3/fpm/php.ini the error goes away in nextcloud. Attached is the somewhat cleaned up vhost config. There you'll see php uses the website's socket and not the system's general socket, which is why phpinfo's output is correct.
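Added example, not part of any post in this thread: PHP's FPM configuration documentation states that a disable_functions value defined in a pool file is appended to the php.ini list instead of overwriting it. The Python sketch below applies that rule to a php.ini and a pool file and lists the functions a per-site override cannot re-enable. The file contents are constructed samples, and the `php_admin_value[...]` form of the pool line is an assumption about how the panel writes the custom setting.

```python
import re

# Constructed samples, not the poster's real files.
SAMPLE_PHP_INI = """\
[PHP]
;disable_functions = old,commented,out
disable_functions = exec,passthru,shell_exec,system,posix_getpwuid
"""
SAMPLE_POOL = """\
[web1]
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
"""

# [ \t]* instead of \s* so an empty value never swallows the next line.
INI_RE = re.compile(r"^[ \t]*disable_functions[ \t]*=[ \t]*(.*)$", re.M)
POOL_RE = re.compile(
    r"^[ \t]*php_(?:admin_)?value\[disable_functions\][ \t]*=[ \t]*(.*)$", re.M)


def _names(regex, text):
    """Function names from the last matching, uncommented directive."""
    values = regex.findall(text)
    if not values:
        return set()
    raw = values[-1].split(";")[0].strip().strip('"')
    return {n.strip() for n in raw.split(",") if n.strip()}


def audit(php_ini_text, pool_text):
    """Model FPM's append rule: the pool list is added to the php.ini list."""
    base = _names(INI_RE, php_ini_text)
    pool = _names(POOL_RE, pool_text)
    return {
        "effective": sorted(base | pool),
        # Left out of the pool override, yet still blocked by php.ini.
        "not_reenabled": sorted(base - pool),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PHP_INI, SAMPLE_POOL)
    print("effective disable_functions:", ", ".join(report["effective"]))
    for name in report["not_reenabled"]:
        print(f"{name}: still disabled by php.ini; the pool value only appends")
```

To use it on a real host, pass the text of the version-specific FPM php.ini and of the site's pool file to `audit()`; files under the FPM conf.d directory can also set the directive and are not read here.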