PHP default disable_functions suggest/problem and possible fix

Discussion in 'Developers' Forum' started by Gino Morilla, Jan 23, 2025.


    Hi there,

    Usually, for all my php-fpm/php.ini files, I add these lines for security:
    disable_functions = exec, system, shell_exec, etc.....

    It is a great feature, as lamers or code exploiters are always trying to gain access to a custom PHP and call system binaries to perform attacks.

    The problem here is the nature of php.ini's disable_functions array: if disable_functions is set in php.ini, you cannot override disable_functions from the custom PHP settings for a site or FPM user.... you cannot replace or remove disabled functions, only add new functions to the array. So if exec() is listed in php.ini's disable_functions, it is impossible to override it from php_admin_value[disable_functions]...

    So we have only one alternative:
    - empty disable_functions at php.ini and set for all configured domains as php_admin_value[disable_functions] through ispconfig/sites...

    I suggest the following instead:
    - ispconfig configures default disable_functions IF AND ONLY IF no php_admin_value[disable_functions] is customized through ispconfig/sites...

    For that, php_fpm_pool.conf.master should include:

    Code:
    ...
    ...
    <tmpl_loop name="custom_php_ini_settings">
    <tmpl_var name='ini_setting'>
    </tmpl_loop>
    ...
    ...
    <tmpl_unless name="disable_functions_bool">
    php_admin_value[disable_functions] = apache_note,apache_setenv,chgrp,curl_multi_exec,dbase_open,dbmopen,debugger_off,debugger_on,define_sys,define_syslog_variables,diskfreespace,dl,escapeshellarg,escapeshellcmd,eval,exec,fopen_with_path,fpassthru,getmyuid,_getppid,highlight_file,ini_restore,leak,listen,parse_ini_file,passthru,pcntl_alarm,pcntl_async_signals,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_signal_get_handler,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_unshare,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifcontinued,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,phpinfo,popen,posix,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system,url_exec
    </tmpl_unless>
    Notice the disable_functions_bool variable...

    While in the plugin nginx_plugin.inc.php:

    Code:
    ...
    ...
    $tpl->setVar('custom_session_save_path', ($custom_session_save_path ? 'y' : 'n'));
    $tpl->setVar('custom_sendmail_path', ($custom_sendmail_path ? 'y' : 'n'));

    // HERE IS THE INSERTED CODE ////////////////////////////////////////////////////////////
    // Check whether the site's custom php.ini settings already contain a
    // disable_functions line; if so, the template skips its default list.
    $disable_functions_bool = false;
    foreach ($final_php_ini_settings as $setting) {
        if (strpos($setting['ini_setting'], 'disable_functions') !== false) {
            $disable_functions_bool = true;
            break;
        }
    }
    $tpl->setVar('disable_functions_bool', $disable_functions_bool);
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

    $tpl->setLoop('custom_php_ini_settings', $final_php_ini_settings);
    ...
    ...
    
    With this, anyone could configure a customized default disable_functions array for every site, but this configuration may easily be overridden if someone configures his own disable_functions for a site under PHP custom settings...

    Just an idea.

    Thanks
     
    remkoh likes this.
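An added example (not ISPConfig's or the poster's code) that audits the effective disable_functions of a php-fpm pool under the semantics described in the post, where php_admin_value[disable_functions] can only extend the php.ini list, never shrink it, and reports which functions of a chosen baseline a pool still leaves enabled. The pool file contents, the baseline list and the function names are constructed for the example.

```php
<?php
// Added example, not ISPConfig code: compute the effective disable_functions of
// a php-fpm pool (php.ini list plus the pool's php_admin_value, append-only) and
// flag baseline functions the pool still leaves enabled.

function parseFunctionList(string $value): array {
    // "exec, system,shell_exec" -> ['exec', 'system', 'shell_exec'] (trimmed, unique)
    $items = array_map('trim', explode(',', $value));
    return array_values(array_unique(array_filter($items, 'strlen')));
}

function poolDisableFunctions(string $poolConf): ?string {
    // Value of php_admin_value[disable_functions] in a pool file, or null if absent.
    if (preg_match('/^\s*php_admin_value\[disable_functions\]\s*=\s*(.*)$/m', $poolConf, $m)) {
        return trim($m[1]);
    }
    return null;
}

function effectiveDisabled(string $phpIniValue, ?string $poolValue): array {
    // Union of both lists: a pool can add functions but cannot re-enable php.ini ones.
    $effective = parseFunctionList($phpIniValue);
    if ($poolValue !== null) {
        $effective = array_merge($effective, parseFunctionList($poolValue));
    }
    $effective = array_values(array_unique($effective));
    sort($effective);
    return $effective;
}

function missingFromBaseline(array $effective, array $baseline): array {
    // Baseline functions that are NOT disabled for this pool.
    return array_values(array_diff($baseline, $effective));
}

// Constructed inputs: an empty global list (the workaround described in the post)
// and a pool whose custom setting omits some of the baseline functions.
$phpIniValue = '';
$poolConf = "[web1]\nuser = web1\nphp_admin_value[disable_functions] = exec,system,shell_exec\n";
$baseline = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];

$effective = effectiveDisabled($phpIniValue, poolDisableFunctions($poolConf));
$missing = missingFromBaseline($effective, $baseline);
echo 'Effective disable_functions: ' . implode(',', $effective) . PHP_EOL;
echo $missing
    ? 'Baseline functions still enabled in this pool: ' . implode(',', $missing) . PHP_EOL
    : 'Baseline fully covered' . PHP_EOL;
```

Running it over every pool file under php-fpm's pool directory gives a quick check that no site has silently replaced the default list with a shorter one.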