How to Disable custom user based php.ini files in cPanel

One of the biggest security issues on cPanel servers is allowing attackers to manipulate PHP settings on their own by placing php.ini files inside public_html directories.

Enabling suPHP to enforce your server's security puts you on the right path: suPHP forces the PHP process to run as the account's own user (the same user as the FTP account), which is a huge advantage over the DSO handler. However, a default cPanel server, even with suPHP enabled, will most likely still honour per-directory php.ini files, and that is a big security risk.

How can I disable custom user-based php.ini files in public_html directories?

If you have mod_suphp configured on your server, you can make it use only the main PHP configuration file, located at /usr/local/lib/php.ini. Follow these steps:

Log in as root via SSH, then edit the following file:

nano -w /opt/suphp/etc/suphp.conf

Search for [phprc_paths] and uncomment (by removing the ; from the front of each line) these lines:

;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

It should look like this:

application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/

Save the file, and restart httpd to apply the changes:

service httpd restart
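The edit above can be scripted so it is repeatable and can be checked before httpd is restarted. The following is an added example, not part of the original post or of cPanel/suPHP: the file path, the three mime-type keys and their directories are the ones the post names; the function names, the backup naming and the constructed sample config are this example's own. If the directories in your suphp.conf differ from the post's, adjust the three patterns accordingly.

```shell
#!/bin/sh
# Added example (not from the original post): switch suPHP to the global
# php.ini by uncommenting the three [phprc_paths] entries, then verify.

# enable_phprc_paths CONF -- uncomment the three phprc_paths lines in CONF.
# Keeps a copy of the original as CONF.bak. Safe to re-run: lines that are
# already active are left untouched.
enable_phprc_paths() {
    conf="$1"
    [ -f "$conf" ] || { echo "enable_phprc_paths: $conf not found" >&2; return 1; }
    cp -p "$conf" "$conf.bak"                      # backup before touching config
    tmp="$conf.tmp.$$"
    sed -e 's|^;[[:space:]]*\(application/x-httpd-php=/usr/local/lib/\)[[:space:]]*$|\1|' \
        -e 's|^;[[:space:]]*\(application/x-httpd-php4=/usr/local/php4/lib/\)[[:space:]]*$|\1|' \
        -e 's|^;[[:space:]]*\(application/x-httpd-php5=/usr/local/lib/\)[[:space:]]*$|\1|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# count_active_phprc CONF -- print how many application/x-httpd-php* entries
# are active (uncommented) in CONF, so the change can be verified.
count_active_phprc() {
    grep -c '^application/x-httpd-php[0-9]*=' "$1" || true
}

# Demo on a constructed sample (assumption: this is what the commented
# section looks like), not on the live /opt/suphp/etc/suphp.conf.
demo=$(mktemp -d)
printf '%s\n' '[phprc_paths]' \
    ';application/x-httpd-php=/usr/local/lib/' \
    ';application/x-httpd-php4=/usr/local/php4/lib/' \
    ';application/x-httpd-php5=/usr/local/lib/' > "$demo/suphp.conf"
enable_phprc_paths "$demo/suphp.conf"
echo "active phprc_paths entries: $(count_active_phprc "$demo/suphp.conf")"   # 3
cat "$demo/suphp.conf"
rm -rf "$demo"

# On a real server the call would be:
#   enable_phprc_paths /opt/suphp/etc/suphp.conf && service httpd restart
```

After the restart, confirm the result through the web server rather than the CLI: a phpinfo() page served from an account must report /usr/local/lib/php.ini as the "Loaded Configuration File", while a php.ini dropped into that account's public_html should no longer change any setting. `php -i` on the command line does not go through suPHP and therefore proves nothing about the web path.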

All done: PHP settings can no longer be manipulated from php.ini files placed in public_html directories, so an attacker who gets into an account can't change them either.

If you ever need custom PHP configuration for individual users, you can set it directly in /usr/local/lib/php.ini by placing user-based [PATH=...] sections at the end of the file, for example:

[PATH=/home/user1/public_html/]
display_startup_errors = off
display_errors = off
html_errors = off
docref_root = 0
docref_ext = 0

[PATH=/home/user2/public_html/]
display_errors = 0
magic_quotes = 0
magic_quotes_gpc = 0

[PATH=/home/user3/public_html/]
error_reporting = 30711

[PATH=/home/user4/public_html/]
max_input_vars = 9999

[PATH=/home/user5/public_html/]
date.timezone = "America/Montevideo"

After that, save the file and restart httpd:

service httpd restart
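Appending these [PATH=...] sections by hand works, but a small helper makes the step repeatable and refuses to create a duplicate section for the same directory. This is an added example, not from the original post: the php.ini location and the directive values are the post's; the function names and the temporary sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): append a per-account
# [PATH=...] override to the global php.ini and read it back for review.

# add_path_override INI DIR DIRECTIVE... -- append "[PATH=DIR]" followed by
# the given directives to INI. Returns 2 without writing if a section for
# DIR is already present, so re-running never duplicates a section.
add_path_override() {
    ini="$1"; dir="$2"; shift 2
    [ -f "$ini" ] || { echo "add_path_override: $ini not found" >&2; return 1; }
    if grep -qFx "[PATH=$dir]" "$ini"; then
        echo "add_path_override: section for $dir already present, not duplicating" >&2
        return 2
    fi
    {
        printf '\n[PATH=%s]\n' "$dir"
        for directive in "$@"; do
            printf '%s\n' "$directive"
        done
    } >> "$ini"
}

# path_override_lines INI DIR -- print the directives under [PATH=DIR]
# (up to the next section header) so the result can be reviewed.
path_override_lines() {
    awk -v hdr="[PATH=$2]" '
        $0 == hdr { inside = 1; next }
        /^\[/     { inside = 0 }
        inside && NF { print }
    ' "$1"
}

# Demo on a constructed stand-in for /usr/local/lib/php.ini.
demo=$(mktemp -d)
printf '[PHP]\ndisplay_errors = On\n' > "$demo/php.ini"
add_path_override "$demo/php.ini" /home/user1/public_html/ \
    "display_errors = off" "html_errors = off"
echo "override for user1:"
path_override_lines "$demo/php.ini" /home/user1/public_html/
rm -rf "$demo"

# On a real server:
#   add_path_override /usr/local/lib/php.ini /home/user1/public_html/ "display_errors = off"
#   service httpd restart
```

Settings placed in a [PATH=...] section of the main php.ini apply to scripts under that directory and cannot be overridden by user INI files or at runtime, which is exactly why this is the right place for per-account configuration once per-directory php.ini files are disabled.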

That's all. At this point your PHP server has another layer of security against attackers, since custom user-based php.ini files are disabled.

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
