How to customize PHP disable_functions in DirectAdmin

The directive “disable_functions” allows to disable certain functions. It takes on a comma-delimited list of function names. 

disable_functions

DirectAdmin uses the directive for security purposes, and here is a way how to customise it. We need to create a file /usr/local/directadmin/custombuild/custom/php_disable_functions with our own list of functions.

Let’s say we want to allow proc_close, proc_open server-wide in DirectAdmin in PHP.

cd /usr/local/directadmin/custombuild
touch custom/php_disable_functions

A default list includes the following PHP functions:

exec, system, passthru, shell_exec, proc_close, proc_open, dl, popen, show_source, posix_kill, posix_mkfifo, posix_getpwuid, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_seteuid, posix_setegid, posix_uname

Our custom list will look like the following (it excludes proc_close, proc_open):

exec, system, passthru, shell_exec, dl, popen, show_source, posix_kill, posix_mkfifo, posix_getpwuid, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_seteuid, posix_setegid, posix_uname

For this we run:

cd /usr/local/directadmin/custombuild
echo "exec,system,passthru,shell_exec,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname" > custom/php_disable_functions

and then update configs:

./build set secure_php yes
./build secure_php

After the process completes we need to check results it with:

php -i | grep ^disable_functions

It’s expected to see the modified list of disabled functions without proc_closeproc_open, i.e. the excluded functions are now allowed.



Easysoftonic