Tutorial: how to enable PHP functions like "exec" for only one cPanel account from WHM



Fli
05-06-2014, 08:15 PM
Prologue

This stupid issue took me a lot of time to solve, so I'm creating this topic for myself and also other readers.

You have a WHM/cPanel server and a client who requires some PHP function to be enabled. Example functions: show_source, system, passthru, exec, shell_exec, popen, proc_open, allow_url_fopen

It is recommended to keep these functions disabled because they can hurt server security. If you trust your client, you can enable them for that account only.

So how do you do this? It may not work for all PHP handlers (CGI, FastCGI, SuPHP, PDO).

I used the SuPHP handler and this worked for my WHM/cPanel server:
1. Back up the global server php.ini file, in my case: /usr/local/lib/php.ini
2. Open the above-mentioned php.ini.
3. Paste the following code at the end of the file:


[PATH=/home/AccountNameWhereWantToAllowSomeFunction/public_html]
disable_functions = "show_source, system, passthru, shell_exec, popen, proc_open, allow_url_fopen"

4. Then look up the disable_functions directive in the same file. Simply put, the first disable_functions directive should list the PHP functions disabled for all accounts, globally. By adding the code above to the end of the /usr/local/lib/php.ini file, you define a special set of disabled functions just for the given PATH (user account).

5. Once the file is saved, changes should be instant.

One can verify that functions are enabled/disabled by using this PHP file (http://internetlifeforum.com/php-mysql-forum/1946-php-script-show-disabled-functions/).

That is all. Verify that all websites are working after your change; you may also try restarting httpd/Apache.
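Added example (not part of the original post): a Python audit script an administrator can run over the text of php.ini to list, for each [PATH=...] or [HOST=...] section, which globally disabled functions that section leaves enabled. It assumes, as the post describes, that a per-PATH disable_functions line replaces the global list; the sample php.ini text and the account name exampleuser are constructed.

```python
import re

# Constructed sample for illustration; not a real server's php.ini.
SAMPLE_INI = """\
[PHP]
disable_functions = "show_source, system, passthru, exec, shell_exec, popen, proc_open"

[PATH=/home/exampleuser/public_html]
; exec is left out here, so it becomes available under this path
disable_functions = "show_source, system, passthru, shell_exec, popen, proc_open"
"""

SECTION = re.compile(r"^\[(.+)\]$")

def parse_disable_functions(ini_text):
    """Map each scope ('global' or a PATH=/HOST= section name) to its disabled set."""
    scopes, scope = {}, "global"
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ; comments and whitespace
        header = SECTION.match(line)
        if header:
            name = header.group(1).strip()
            # Only PATH= and HOST= headers open a per-directory scope;
            # any other header such as [PHP] returns to the global scope.
            scope = name if name.upper().startswith(("PATH=", "HOST=")) else "global"
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "disable_functions":
            names = value.strip().strip("\"'").split(",")
            scopes[scope] = {n.strip() for n in names if n.strip()}
    return scopes

def audit(ini_text):
    """Per section: functions disabled globally but allowed in that section."""
    scopes = parse_disable_functions(ini_text)
    global_off = scopes.get("global", set())
    return {scope: sorted(global_off - funcs)
            for scope, funcs in scopes.items() if scope != "global"}

if __name__ == "__main__":
    for scope, enabled in audit(SAMPLE_INI).items():
        print(f"{scope}: re-enabled -> {', '.join(enabled) or 'nothing'}")
```

To audit a real server, pass the contents of the global php.ini (in the post's case /usr/local/lib/php.ini) to audit() instead of SAMPLE_INI.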

If the above did NOT work, one can do the following:

Edit the suPHP configuration file:

vi /opt/suphp/etc/suphp.conf

find this:

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

and uncomment (remove the ";" mark in front of them) those 3 directives and then restart Apache. As the text indicates, this will force all suPHP requests to use /usr/local/lib/php.ini for configuration options.




=============

Warning: Please read and use the following text only if you have time to spend/play/waste. It's not a verified tutorial.

How to enable PHP function on one cPanel only?

First install Suhosin:

WHM / Software / EasyApache (Apache Update) / Start customizing based on profile / Next Step / Next Step / tick "Suhosin for PHP" and click "Save and Build" if you are sure you want to proceed. Then finish the build.

You can verify that Suhosin was installed with the Linux command: php -v
If it is not found, what about an Apache restart?


Then remove all disable_functions in PHP, to disable them later with Suhosin instead:

WHM / Service Configuration / PHP Configuration Editor / select "Advanced".

Find "disable_functions" and then cut & paste all these functions (example: show_source, system, passthru, exec, shell_exec, popen, proc_open, allow_url_fopen) to a safe place.

Save

Then disable the functions you removed in the previous steps with Suhosin:

Edit the file "/usr/local/lib/php.ini" and add this line to it:

suhosin.executor.func.blacklist = "show_source, system, passthru, exec, shell_exec, popen, proc_open, allow_url_fopen"
(or any other functions that you want to disable globally)

Then create/edit the VirtualHost file for the domain of your customer (the customer who needs the forbidden function allowed/enabled):

I'm going to use yourdomain.com for this example.

We're working from the /usr/local/apache/conf/userdata folder to start with. I'm assuming you don't want to set this up for SSL - if that's true then we'll navigate down into std, leaving us here:

/usr/local/apache/conf/userdata/std

Since you're running Apache 2.2.27 (command: httpd -v) you'll use the "2" folder, so we'll go here:

/usr/local/apache/conf/userdata/std/2

At this point you'd create a folder with the username for your domain. We'll say that the cPanel username is "yourdom" and we'll navigate to that folder:

/usr/local/apache/conf/userdata/std/2/yourdom

Since domains can have multiple domains underneath them we'll need to specify that we're working with yourdomain.com, so we'll create that folder and navigate into it:

/usr/local/apache/conf/userdata/std/2/yourdom/yourdomain.com

At this point we need to create our .conf file, named for example disabledfunctions.conf, so I created that (vi disabledfunctions.conf).

Now add the following code to that .conf file (in case you want to enable the exec PHP function):


<VirtualHost 127.0.0.1>
<IfModule mod_php5.c>
php_admin_value suhosin.executor.func.blacklist "exec"
</IfModule>
</VirtualHost>

Save the file. At this point you should be able to restart the Apache service and it should work as you expect (verify that the user's domain loads properly).

To verify your function is disabled for that cPanel user, create a file in that user's account (example: /home/username/www/exectest.php) with this content:


<?php
// Report whether exec() is available to scripts running under this account
if (function_exists('exec')) {
    echo "Function is available/enabled for user";
} else {
    echo "Function is unavailable/disabled for user";
}
?>

Run the file from the user's domain name and see what it returns.