Some PHP functions can be used in malicious ways. They are, of course, not malicious per se, but can be used for malicious things. DirectAdmin provides a simple way to disable such PHP functions.
1. Log into your DirectAdmin server
2. Navigate to the custombuild directory:
cd /usr/local/directadmin/custombuild3. Execute the command:
./build secure_php[root@web ~]# cd /usr/local/directadmin/custombuild
[root@web custombuild]# ./build secure_php
PHP has been secured.
Restarting php-fpm74.
Restarting php-fpm80.
Restarting php-fpm70.
Restarting php-fpm72.This command will secure your PHP environment. Besides the disable_functions directive, it will also add:
mysqli.allow_local_infile = Off
expose_php = Off
register_globals = OffThe list of the PHP functions that are added to the disable_functions directive are:
exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
To verify the addition after running the above commands, use:
grep disable_functions /usr/local/php*/lib/php.ini
What happens if you want to add more functions to the list? Do not add them to the php.ini files, as these files are overwritten by DirectAdmin. Instead, add them to the /usr/local/directadmin/custombuild/custom/php_disable_functions file. Here is a list of the php functions you can add to that file:
proc_close,proc_open,proc_get_status,php_uname,exec,system,phpinfo,shell_exec,passthru,symlink,readlink,show_source,popen, disk_free_space,disk_total_space,diskfreespace, apache_child_terminate,apache_get_modules,apache_note,apache_setenv,posixc,proc_nice,proc_terminate,ps_aux,dl,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid, posix_setuid, posix_getpwuid,posix_uname,pcntl_exec, pcntl_fork,pcntl_signal, pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig,pcntl_wtermsig,pcntl_alarm,pcntl_wait,syslog,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask, pcntl_sigwaitinfo,pcntl_sigtimedwait, pcntl_getpriority,pcntl_setpriorityDon’t forget to run the commands:
cd /usr/local/directadmin/custombuild
./build secure_php