One of the biggest security weaknesses of a cPanel server is letting an attacker (or a compromised account) override PHP settings simply by dropping a php.ini file into a public_html directory.
Enabling suPHP is a good first step: it runs each site's PHP scripts as the owning cPanel account rather than as the shared Apache user, which is a large improvement over the DSO handler. However, a default cPanel install with suPHP enabled still honours per-directory php.ini files, so anyone who can write to public_html (including a web shell dropped by an attacker) can change directives such as disable_functions or open_basedir for that site. That is a serious security risk.
How can I disable custom user based php.ini from public_html directories?
If you have mod_suphp configured on your server, you can force PHP to read only the main configuration file, /usr/local/lib/php.ini, by pinning the php.ini search path in suphp.conf. Follow these steps:
Log in as root via SSH, then edit the following file:
nano -w /opt/suphp/etc/suphp.conf
Search for [phprc_paths] and uncomment (by removing the ; from the front of the line) these lines:
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/
It should look like this:
application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/
Save the file, and restart httpd to apply the changes:
service httpd restart
All done: suPHP now passes the pinned directory to php-cgi, so a php.ini placed in public_html (or anywhere else under the account) is ignored. Note what this does and does not cover: it stops per-directory php.ini overrides, and php_value lines in .htaccess were never honoured under suPHP because PHP runs as CGI, but a script can still call ini_set() at runtime for directives that PHP allows to be changed that way (PHP_INI_USER and PHP_INI_ALL). Directives such as disable_functions and open_basedir are PHP_INI_SYSTEM and cannot be changed by ini_set(), so set those in the global php.ini.
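The following script is an added example, not part of the original post, that audits and applies the suphp.conf change above without hand-editing the file: it extracts the [phprc_paths] section, reports whether the handler lines are still commented out, and uncomments them in place. The paths follow the article (/opt/suphp/etc/suphp.conf, /usr/local/lib/); the cut-down suphp.conf written by make_sample_conf is constructed for the demo so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix the [phprc_paths]
# section of suphp.conf so php-cgi only ever loads /usr/local/lib/php.ini.
# The sample config produced by make_sample_conf is constructed for the demo.

# Write a cut-down suphp.conf in the default (weak) state to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
;Path to logfile
logfile=/var/log/suphp.log
[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/usr/bin/php-cgi"
[phprc_paths]
;Uncommenting these will force all requests to the given path
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/
EOF
}

# Print only the body of the [phprc_paths] section of $1 (up to the next [section]).
phprc_section() {
    awk '/^\[phprc_paths\]/ { in_sec = 1; next }
         /^\[/             { in_sec = 0 }
         in_sec' "$1"
}

# Exit 0 when every php handler in [phprc_paths] is active (no leading ';')
# and at least one is present, i.e. per-directory php.ini files are ignored.
check_phprc_paths() {
    sec=$(phprc_section "$1")
    active=$(printf '%s\n' "$sec" | grep -c '^application/x-httpd-php' || true)
    commented=$(printf '%s\n' "$sec" | grep -c '^;application/x-httpd-php' || true)
    [ "$commented" -eq 0 ] && [ "$active" -ge 1 ]
}

# Uncomment the handler lines inside [phprc_paths] only; the [handlers]
# section is left untouched. Writes via a temp file so it works with POSIX sed.
fix_phprc_paths() {
    sed '/^\[phprc_paths\]/,/^\[/ s/^;\(application\/x-httpd-php[0-9]*=\)/\1/' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo on a temporary copy. On a real server point the functions
# at /opt/suphp/etc/suphp.conf and run "service httpd restart" afterwards.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
if check_phprc_paths "$demo_conf"; then
    echo "phprc_paths already enforced"
else
    echo "phprc_paths not enforced: fixing"
    fix_phprc_paths "$demo_conf"
    check_phprc_paths "$demo_conf" && echo "phprc_paths now enforced"
fi
rm -f "$demo_conf"
```

The check is deliberately limited to the [phprc_paths] section so that the active application/x-httpd-php line in [handlers] is not mistaken for an enforced php.ini path, and the sed range has the same restriction so the fix cannot touch other sections.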
If you ever need custom PHP settings for individual accounts, you can still do it centrally: edit /usr/local/lib/php.ini and add per-directory [PATH=...] sections at the end of the file. These sections require PHP 5.3 or later and are honoured by the CGI/FastCGI SAPI that suPHP uses; values set in them cannot be overridden by user INI files or by ini_set() at runtime, which is exactly what you want here. Examples:
[PATH=/home/user1/public_html/]
display_startup_errors = off
display_errors = off
html_errors = off
docref_root = 0
docref_ext = 0

[PATH=/home/user2/public_html/]
display_errors = 0
magic_quotes_gpc = 0
magic_quotes_runtime = 0

[PATH=/home/user3/public_html/]
; E_ALL & ~E_NOTICE on PHP 5.3
error_reporting = 30711

[PATH=/home/user4/public_html/]
max_input_vars = 9999

[PATH=/home/user5/public_html/]
date.timezone = "America/Montevideo"
After that, save the file and restart httpd:
service httpd restart
That's all. At this point you have added another layer of protection to your PHP server by disabling per-user php.ini files while keeping a single, root-controlled place for any per-account overrides.
Okay, nice, but what to do if php is fcgi?