

is it secure to let the customer use thire own php.ini?




Posted by mshannaq, 07-12-2007, 11:12 AM
Hello, I have a question in mind today. While I'm running PHP as a CGI module with suEXEC, is it secure to let the customer use their own php.ini file, for example /home/someuser/public_html/php.ini? Keep in mind that using their own php.ini will let them change disable_functions, so if there are any disable_functions in the original php.ini they can remove them for their website. So is that action secure for the server? Thanks,

Posted by net, 07-12-2007, 11:24 AM
Secure your PHP on the server :-)

Posted by mshannaq, 07-12-2007, 11:39 AM
Sorry, I cannot understand you. I'm asking about the php.ini file.

Posted by lazat, 07-12-2007, 03:23 PM
I would say no, they could turn off safe mode and do other things. But you could give each customer their own php.ini but remove the rights to edit it. And if they need something you can validate it before you enter it in their config.

Posted by SPaReK, 07-12-2007, 04:16 PM
If you are running PHP as CGI, which I believe is the only way users can have a fully customized php.ini (suPHP or phpsuexec), then I believe the concerns over users having the ability to change the php.ini file are a little less. No matter what changes the user makes to the php.ini file, anything they do in PHP is still going to run as their account owner. For example, if you have exec(), system(), and other like functions disabled server-wide, and if someone has their own php.ini file, they can re-enable those functions on their accounts. This could be a potential security risk, but no matter what is run, it will always be run by that account's username. If a PHP script is hacked or exploited, the only damage that the hacker would be able to do would be to that account. All that being said, personally, I prefer not to allow end users to make php.ini adjustments on their own. I don't have a problem with end users requesting changes to a php.ini file for their account, but I prefer being the one that monitors these changes.

Posted by hbhb, 07-13-2007, 04:13 AM
Interesting topic. I'd like to learn how I check if I'm currently running PHP as CGI?

Posted by ub3r, 07-13-2007, 04:23 AM
I think as long as you operate with open_basedir restrictions in effect, you should let your users do whatever they want with their PHP settings. This isn't the only method of customizing PHP either; if you're running mod_php, your users can always set settings via .htaccess. You'll want to check your phpinfo page.

Posted by ResellerPlanet, 07-13-2007, 06:59 AM
The disable_functions setting cannot be changed by the user via a user php.ini file or a .htaccess file, for security purposes. If your server is secured and monitored by applications such as PRM, etc., I think it won't be a security problem if you let your users use their own php.ini file. They would be able to do things such as setting register_globals to On, which might result in scripts vulnerable to SQL injection, but that's a problem on the customer's end. If I recall correctly, users cannot re-enable such functions. I tested this myself once; it doesn't work.

References:
- http://www.webhostingtalk.com/showthread.php?t=195763
- http://be2.php.net/manual/en/ini.php#ini.list

Last edited by ResellerPlanet; 07-13-2007 at 07:07 AM.

Posted by SPaReK, 07-13-2007, 10:02 AM
If a server is running PHP as CGI (suPHP, phpsuexec, custom PHP-CGI wrapper) then you won't be able to use .htaccess controls for PHP. You are correct, you are not able to enable or disable PHP functions with a .htaccess control anyway. If PHP is running as an Apache module, then there is only one, server-wide php.ini file that controls all PHP instances.

If you are running phpsuexec on a cPanel server, you just have to have a php.ini file in the same directory as the PHP script you are executing, and that php.ini file will be read instead of the server-wide one. A common misconception in regard to this is that you only have to change the directives you want changed. This is wrong. If you are using a custom php.ini file in a directory, you need a complete php.ini with the desired values changed.

With suPHP you have to tell suPHP which directory to look in for a custom php.ini file. I believe by default this can be done in a .htaccess file. However, I remove this functionality because I prefer being the one that makes PHP directive changes for clients. At any rate, a complete copy of the php.ini file needs to be used with the desired changes made.

If you are using a custom php-cgi wrapper, then controls for it depend on how that functionality is written. At any rate, if PHP is running as CGI, PHP directives are changed on an account-by-account basis through a customized php.ini file. Whether or not this is accomplished by the end user or by the server administrators depends on how the server is set up.
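One way an administrator can do the validation lazat and SPaReK describe before placing a customer's php.ini into the account, as an added example that is not part of the original thread: a Python check that compares a customer-submitted php.ini against the server-wide baseline and reports any directive that loosens policy. It flags functions dropped from disable_functions, paths added to open_basedir, safe_mode or allow_url_fopen flipped, size limits above a ceiling, and, because a per-directory php.ini replaces the whole server-wide file rather than overlaying it, any baseline directive the customer left out (which would silently fall back to PHP's built-in default). The baseline values, the ceilings and the sample customer file are constructed for the example; the directive names are real php.ini settings.

```python
"""Audit a customer-supplied php.ini against a hosting baseline (added example)."""
from __future__ import annotations

import re

# Constructed sample baseline: the server-wide directives the host wants carried
# into every per-account php.ini. Paths and values are hypothetical.
SERVER_BASELINE = """\
[PHP]
; server-wide policy (constructed sample)
disable_functions = exec,system,passthru,shell_exec,proc_open,popen
open_basedir = /home/someuser/public_html:/tmp
safe_mode = On
allow_url_fopen = Off
register_globals = Off
memory_limit = 64M
upload_max_filesize = 8M
"""

# Constructed sample of what a customer submitted as their own php.ini.
CUSTOMER_REQUEST = """\
; /home/someuser/public_html/php.ini as submitted (constructed sample)
disable_functions = system,passthru,shell_exec,proc_open,popen   ; exec dropped
safe_mode = Off
allow_url_fopen = Off
register_globals = On
memory_limit = 512M
upload_max_filesize = 16M
"""

# List directives: customer may only tighten them relative to the baseline.
LOCKED_LISTS = {"disable_functions": ("superset", r"[,\s]+"), "open_basedir": ("subset", r":")}
# Boolean directives pinned to the baseline value.
LOCKED_FLAGS = {"safe_mode": True, "allow_url_fopen": False}
# Size directives the customer may raise up to a ceiling (constructed limits).
SIZE_CEILINGS = {"memory_limit": "128M", "upload_max_filesize": "32M"}
# Directives that only weaken the customer's own scripts: report, don't block.
ADVISORY_FLAGS = {"register_globals": False}


def parse_php_ini(text: str) -> dict[str, str]:
    """Parse php.ini syntax: 'key = value' lines, ';' comments, [section] headers ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip().strip('"')  # drop inline comment and quotes
        settings[key.strip().lower()] = value
    return settings


def ini_bool(value: str) -> bool:
    """PHP reads 1/On/True/Yes as true; anything else (0/Off/False/No/'') as false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def ini_bytes(value: str) -> int:
    """Convert php.ini shorthand sizes such as 64M or 8K to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?)\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size value: {value!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}[m.group(2).lower()]


def split_list(value: str, sep_pattern: str) -> set[str]:
    return {item.strip() for item in re.split(sep_pattern, value) if item.strip()}


def audit_php_ini(customer_text: str, baseline_text: str = SERVER_BASELINE) -> list[tuple[str, str, str]]:
    """Return (severity, directive, message) findings; an empty list means policy is intact."""
    base, cust = parse_php_ini(baseline_text), parse_php_ini(customer_text)
    findings: list[tuple[str, str, str]] = []

    # A per-directory php.ini replaces the server-wide file, so an omitted
    # directive reverts to PHP's built-in default, not to the host's value.
    for directive in base:
        if directive not in cust:
            findings.append(("error", directive, "missing; built-in default applies, not the server value"))

    for directive, (relation, sep) in LOCKED_LISTS.items():
        if directive not in cust:
            continue
        wanted, got = split_list(base.get(directive, ""), sep), split_list(cust[directive], sep)
        if relation == "superset" and not got >= wanted:
            findings.append(("error", directive, f"re-enables {sorted(wanted - got)}"))
        if relation == "subset" and not got <= wanted:
            findings.append(("error", directive, f"adds paths {sorted(got - wanted)}"))

    for directive, required in LOCKED_FLAGS.items():
        if directive in cust and ini_bool(cust[directive]) != required:
            findings.append(("error", directive, f"must be {'On' if required else 'Off'}, got {cust[directive]!r}"))

    for directive, ceiling in SIZE_CEILINGS.items():
        if directive in cust and ini_bytes(cust[directive]) > ini_bytes(ceiling):
            findings.append(("error", directive, f"{cust[directive]} exceeds ceiling {ceiling}"))

    for directive, recommended in ADVISORY_FLAGS.items():
        if directive in cust and ini_bool(cust[directive]) != recommended:
            findings.append(("warning", directive, "weakens only this account's scripts; allowed but noted"))

    return findings


if __name__ == "__main__":
    for severity, directive, message in audit_php_ini(CUSTOMER_REQUEST):
        print(f"{severity:8} {directive:20} {message}")
```

Run against the constructed customer file, the audit reports the missing open_basedir line, the exec() function dropped from disable_functions, safe_mode turned off and the memory_limit above the ceiling as errors, and register_globals = On as a warning only, matching the distinction the thread draws between settings that affect the server and settings that only affect the customer's own scripts.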

Posted by Tech Entrance, 09-13-2007, 03:34 PM
Interesting thread.


