Safe to disable some PHP functions?

Is it safe to disable the following PHP functions, as they are major security holes and I don’t want to break Webmin:

dl
exec
passthru
pfsockopen
popen
posix_kill
posix_mkfifo
posix_setuid
proc_close
proc_open
proc_terminate
shell_exec
system

It’s safe, as in, you won’t break Webmin or Virtualmin by disabling those, as they’re purely Perl-based.

What I can’t speak to is what PHP apps will break without those functions :)

Any number of PHP apps could use those, you just may need to search through the PHP code and verify those functions aren’t in any apps you want to run (including those installed by Virtualmin’s Install Scripts).
-Eric
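
The source search described in the post above, as an added example that is not part of the original thread: a POSIX shell scan for call sites of the functions listed in the question. The helper names `scan_php_calls` and `unused_funcs` and the directory argument are assumptions of this example, and the match is a grep heuristic, so comments, strings and user-defined functions with the same names are reported too.

```shell
#!/bin/sh
# Added example: find call sites of the functions listed in the question
# before they are disabled in php.ini.

# Names copied from the question's list.
FUNCS='dl exec passthru pfsockopen popen posix_kill posix_mkfifo posix_setuid proc_close proc_open proc_terminate shell_exec system'

# scan_php_calls DIR (hypothetical helper name)
# Prints "file:line:function" for each apparent call in *.php files under DIR.
# Assumes file paths contain no ":".
scan_php_calls() {
    for fn in $FUNCS; do
        # NAME followed by "(", not preceded by an identifier character,
        # "$" (variable), ">" (->method) or ":" (::static). This keeps
        # curl_exec() and $pdo->exec() from being reported as exec().
        pattern="(^|[^A-Za-z0-9_>:\$])${fn}[[:space:]]*\("
        # -i: PHP function names are case-insensitive.
        find "$1" -type f -name '*.php' -exec grep -EniH "$pattern" {} + 2>/dev/null |
            cut -d: -f1,2 | sed "s/\$/:$fn/"
    done | sort -u
}

# unused_funcs DIR (hypothetical helper name)
# Prints, comma-separated, the listed functions with no apparent call site:
# the ones that can be disabled without touching any scanned app.
unused_funcs() {
    used=$(scan_php_calls "$1" | awk -F: '{print $NF}' | sort -u)
    out=
    for fn in $FUNCS; do
        printf '%s\n' "$used" | grep -qx "$fn" || out="${out:+$out,}$fn"
    done
    printf '%s\n' "$out"
}

# Stand-alone use: sh scan.sh /home/example/public_html  (path is a placeholder)
if [ "$#" -gt 0 ]; then
    scan_php_calls "$1"
    printf 'no call sites found for: %s\n' "$(unused_funcs "$1")"
fi
```

Calls made through a variable function name are not visible to a text search, so a clean scan does not rule out breakage at run time.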

I would recommend tail -f /var/log/php.log if some applications behave oddly. IMHO a better approach than grepping the source code ;-)

Assuming you’re running everything under suexec (which we recommend), I don’t think I agree that any of these are “major security holes”.

How can I verify if those functions run under suexec?

Perhaps it’s a legacy of my Plesk days.

"those functions" is sort of nonsensical. Either you are running your applications under suexec, or you are not. There is no choosing what functions run under suexec.

Do you have SuexecUserGroup in your httpd.conf? And is PHP configured to run as either CGI or FastCGI (with wrappers owned by the user)? If both of those are true, then you are. If either of those is not true, then you aren’t (and, as far as I’m concerned, no amount of fiddling with PHP configuration is going to make it secure in an environment with non-trusted users).

In php.ini the directive is "disabled functions= blah , blah". Fair to say then "those functions"; hardly nonsensical.

I’ll check out your suggestions. Thanks

I mean it’s nonsensical to say “if those functions run under suexec”. Either PHP is or is not running under suexec–nothing in php.ini has any impact on whether it is running under suexec, including the disabled functions directive.