Check server security bug in directadmin

Posted: 14 Nov 2014, 19:31
by arazit
Hello,
When I install php-fpm or suphp or fastcgi in directadmin and check server security in CSF firewall I get this:
Check php for enable_dl or disabled dl() You should modify /usr/local/lib/php.ini and set:
enable_dl = Off
This prevents users from loading php modules that affect everyone on the server. Note that if use dynamic libraries, such as ioncube, you will have to load them directly in the PHP configuration (usually in /usr/local/lib/php.ini)

and

Check php for disable_functions You should modify the PHP configuration and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list


Check php for ini_set disabled You should consider adding ini_set to the disable_functions in the PHP configuration as this setting allows PHP scripts to override global security and performance settings for PHP scripts. Adding ini_set can break PHP scripts and commenting out any use of ini_set in such scripts is advised


I think I need an option to change the php.ini URL in csf.
I installed php 5.4 fpm and my php.ini url is:
/usr/local/php54/lib/php.ini
Thank you

Re: Check server security bug in directadmin

Posted: 26 Feb 2016, 06:49
by asmar
Hi arazit,

What I did is simply a shortcut to the proper file, and it picks up the settings fine afterwards:

ln -s /usr/local/php56/lib/php.ini /usr/local/lib/php.ini
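
Added example, not part of the thread and not csf's own code: a shell check that reads whichever php.ini path you pass it (for instance a versioned one such as /usr/local/php54/lib/php.ini) and reports on the three settings named in the report above. The names WANTED, ini_value, audit_php_ini and sample_ini are this example's own, and the sample ini content is constructed.

```shell
#!/bin/sh
# Added example: audit one php.ini for the settings named in the report.
# Usage: sh audit.sh /usr/local/php54/lib/php.ini

# Functions from the report's suggested list. allow_url_fopen is left out
# because it is an ini directive, not a function; ini_set is the third check.
WANTED="show_source system shell_exec passthru exec phpinfo popen proc_open ini_set"

# Print the last uncommented value of directive $2 in file $1.
ini_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/"//g; s/[[:space:]]*$//'
}

# Print one PASS/FAIL line per check; return status is the number of FAILs.
audit_php_ini() {
    ini=$1; fails=0
    [ -r "$ini" ] || { echo "ERROR cannot read $ini"; return 99; }

    # If enable_dl is unset, PHP's built-in default leaves dl() enabled.
    dl=$(ini_value "$ini" enable_dl | tr 'A-Z' 'a-z')
    case $dl in
        off|0|false|no|none) echo "PASS enable_dl is off" ;;
        *) echo "FAIL enable_dl is '${dl:-unset}'"; fails=$((fails + 1)) ;;
    esac

    # Wrap the list in commas so each name matches whole entries only.
    disabled=",$(ini_value "$ini" disable_functions | tr -d ' \t'),"
    for fn in $WANTED; do
        case $disabled in
            *",$fn,"*) echo "PASS $fn is disabled" ;;
            *) echo "FAIL $fn is not in disable_functions"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample input, not taken from a real server.
sample_ini() {
    cat <<'EOF'
; constructed php.ini fragment
enable_dl = On
;disable_functions = exec
disable_functions = system, shell_exec, exec ; partial list
EOF
}

# Run against the file given on the command line, if any.
if [ $# -gt 0 ]; then audit_php_ini "$1"; fi
```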