View Full Version : Apache/php disable_function
diablo666
01-31-2007, 03:06 AM
Hi all, this is my first post in this forum.
I have a problem that I couldn't solve, and I don't know if there's a way to solve it.
In my php.ini I have a list of disabled functions like the one shown below:
disable_functions = system, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec
This works fine for me, but I have a problem with the webmail on my servers, because the function exec must be disabled to let the webmail (SquirrelMail) work.
So my question is... is it possible to enable a function only for a particular virtual host? Or leave all the functions enabled for a particular directory?
Inquisitor
02-04-2007, 07:45 AM
I encountered the same problem recently. The only solution I've found is to use the (very useful, in my opinion) "Suhosin" security extension (http://www.hardened-php.net/suhosin/index.html) for PHP, and set its suhosin.executor.func.blacklist parameter in php.ini, instead of using PHP's disable_functions directive. I have mine set to the following, which I believe covers a lot of the more "dangerous" functions but is by no means exhaustive (I also have dl() disabled with "enable_dl = Off" in php.ini):
suhosin.executor.func.blacklist = apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,escapeshellarg,escapeshellcmd,exec,ini_restore,openlog,passthru,pclose,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,url_exec
This can then be set on a per-virtualhost or per-directory basis, which I did by logging into DA as admin, and under Custom HTTPD Configurations, adding the following to the relevant domain:
# Omit the <Directory>...</Directory> section to apply settings globally in the VirtualHost. I usually copy my settings for the blacklist from php.ini, and then remove any needed functions from it when pasting here, thus permitting them.
<Directory /home/user/domains/example.com/public_html/safe-php-scripts>
php_admin_value suhosin.executor.func.blacklist list-of-functions-to-disable
</Directory>
Suhosin also provides a whitelist option, if you feel like working out which functions your PHP code uses... I know I don't. :D
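The reason the two posts above reach for Suhosin is that PHP's own disable_functions directive can only be set in php.ini; it cannot be set in httpd.conf, a <VirtualHost> or a <Directory>, so there is no way to relax it for one path. Suhosin's suhosin.executor.func.blacklist, by contrast, accepts php_admin_value (use php_admin_value rather than php_value so a .htaccess cannot loosen it further). Two caveats on the list quoted above: escapeshellarg and escapeshellcmd execute nothing, they are the helpers code uses to build a command safely, so blacklisting them blocks no attack and breaks code that escapes properly; and the narrower the per-directory exemption, the better. The script below is an added example, not code from the thread or from Suhosin: it does by hand what Inquisitor describes (copy the global list, drop only the functions the application needs) and prints the resulting <Directory> block. The path and lists in the demo at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a per-directory Suhosin blacklist
# that is the global php.ini list minus the functions one application needs,
# and print the Apache <Directory> block that applies it.

# narrow_blacklist GLOBAL_LIST ALLOW_LIST
# Both lists are comma-separated; spaces are tolerated, as php.ini allows.
# Prints GLOBAL_LIST without the names in ALLOW_LIST (comma-separated, no spaces).
narrow_blacklist() {
    global_list=$(printf '%s' "$1" | tr -d ' ' | tr ',' ' ')
    allow_list=$(printf '%s' "$2" | tr -d ' ' | tr ',' ' ')
    out=
    for fn in $global_list; do
        keep=1
        for allowed in $allow_list; do
            if [ "$fn" = "$allowed" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out,}$fn"; fi
    done
    # A name that is not blacklisted globally needs no exemption; flag it so a
    # typo in ALLOW_LIST does not silently leave the function blocked.
    for allowed in $allow_list; do
        case " $global_list " in
            *" $allowed "*) ;;
            *) printf 'note: %s is not in the global blacklist\n' "$allowed" >&2 ;;
        esac
    done
    printf '%s\n' "$out"
}

# emit_directory_block DIR GLOBAL_LIST ALLOW_LIST
# Prints an Apache block that re-enables ALLOW_LIST under DIR only.
emit_directory_block() {
    narrowed=$(narrow_blacklist "$2" "$3" 2>/dev/null)
    # The directive still needs a value when nothing is left; the thread's
    # working config passed a single space, so do the same here.
    if [ -z "$narrowed" ]; then narrowed='" "'; fi
    printf '<Directory %s>\n' "$1"
    printf '    # %s re-enabled here; everything else in php.ini stays blacklisted\n' "$3"
    printf '    php_admin_value suhosin.executor.func.blacklist %s\n' "$narrowed"
    printf '</Directory>\n'
}

if [ "$#" -eq 3 ]; then
    emit_directory_block "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    # Demo with placeholder values: the blacklist posted in this thread, with
    # exec alone re-enabled for an assumed SquirrelMail install path.
    emit_directory_block /usr/share/squirrelmail \
        "system, exec, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec" \
        exec
fi
```

Run it with no arguments for the demo, or as `sh narrow.sh DIR "GLOBAL_LIST" "ALLOW_LIST"` and paste the printed block into the relevant vhost (in DirectAdmin, under Custom HTTPD Configurations as Inquisitor describes). Regenerate the block whenever the global list in php.ini changes, otherwise the exemption silently drifts from the policy it was copied from.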
Marshall
02-04-2007, 02:26 PM
You can also allow exec to be used and install a patch into PHP called exec_dir (http://kyberdigi.cz/projects/execdir/english.html). It's like safe_mode_exec_dir, only it works without safe mode being on. You just define what directory you want to allow people to exec from and symlink or copy the files into there that people are allowed to use. This stops them from using things like wget or sh on harmful scripts and allows things like ImageMagick to work.
diablo666
02-06-2007, 05:48 AM
These are very good solutions, but I have to use it on a production server, and I can't recompile PHP.
At this point I think there's no solution to my problem without recompiling PHP with some patch.
bclancey
02-09-2007, 08:13 AM
Suhosin is also available for use as an extension, which means you do not need to recompile PHP to make it work. I installed it on my DA installation last night and it plays nicely with all the PHP scripts that I use on that machine.
Installing it . . . or learning how to deal with PHP security will become more important as March is intended to be the month in which a daily PHP bug is released.
diablo666
02-09-2007, 01:16 PM
Yes, I saw some days ago that it's installable as an extension. As soon as I have a little time I'll test it. Thanks a lot for the support.
diablo666
02-13-2007, 03:40 AM
OK, I've installed it as an extension and it works perfectly. Now I'll try to configure some parameters to increase the amount of logging.
Thanks a lot for the suggestions.
I've disabled a lot of functions in every directory except one, where I enabled them again with something like this:
<Directory /usr/share/squirrelmail>
Options None
AllowOverride None
Order allow,deny
Allow from all
php_admin_value suhosin.executor.func.blacklist " "
</Directory>
This way, in the directory /usr/share/squirrelmail I can execute all the code I want, even though in php.ini I've disabled a lot of functions, like:
suhosin.executor.func.blacklist = system, exec, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec, ......
Thanks a lot again to everyone who helped me solve this problem ;)
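A point worth checking before copying the configuration above: a <Directory> block that blanks the blacklist re-enables every listed function for any PHP file served from under that path, not just for SquirrelMail. That is safe only while root owns the tree and nobody else can write into it; if the web server account, an FTP user or a world-writable upload or attachment folder can place a .php file under the exempt path, the exemption becomes the very thing the global blacklist was meant to prevent. Exempting only exec (the function SquirrelMail is said to need) rather than the whole list also limits what such a file could do. The script below is an added example, not code from the thread, Suhosin or SquirrelMail: it checks that a directory is a reasonable candidate for the exemption. The web server account name is an assumption passed in by the caller (apache or www-data are common).

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a directory before
# exempting it from the Suhosin blacklist with a per-<Directory>
# php_admin_value. The exemption covers every PHP file served from under
# the path, so nothing there may be writable by the web server account or
# by other users.

# check_exempt_dir DIR WEBUSER
# WEBUSER is the account Apache/PHP runs as (assumed, e.g. apache or www-data).
# Returns 0 when DIR looks safe to exempt, 1 otherwise; findings go to stderr.
check_exempt_dir() {
    dir=$1
    webuser=$2
    rc=0
    if [ ! -d "$dir" ]; then
        printf '%s: not a directory\n' "$dir" >&2
        return 1
    fi
    # ls -ld prints the mode string first (drwxr-xr-x) and the owner third.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    if [ "$owner" = "$webuser" ]; then
        printf '%s: owned by the web server account %s\n' "$dir" "$webuser" >&2
        rc=1
    fi
    # Position 6 of the mode string is the group write bit, position 9 world.
    case $mode in
        ?????w*) printf '%s: group-writable\n' "$dir" >&2; rc=1 ;;
    esac
    case $mode in
        ????????w*) printf '%s: world-writable\n' "$dir" >&2; rc=1 ;;
    esac
    # Anything below the directory that group or world can write to (an
    # upload or attachment folder, for instance) is as dangerous as the
    # directory itself, because a dropped .php file there is exempt too.
    loose=$(find "$dir" \( -perm -002 -o -perm -020 \) 2>/dev/null)
    if [ -n "$loose" ]; then
        printf '%s: group- or world-writable entries:\n%s\n' "$dir" "$loose" >&2
        rc=1
    fi
    # Files owned by the web server account can be rewritten by any PHP
    # script running as that account, even one outside the exempt path.
    if id "$webuser" >/dev/null 2>&1; then
        owned=$(find "$dir" -user "$webuser" 2>/dev/null)
        if [ -n "$owned" ]; then
            printf '%s: entries owned by %s:\n%s\n' "$dir" "$webuser" "$owned" >&2
            rc=1
        fi
    else
        printf 'note: account %s not found, skipping owner scan\n' "$webuser" >&2
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_exempt_dir "$1" "$2"
fi
```

Usage is `sh check_exempt.sh /usr/share/squirrelmail apache`; an exit status of 0 means the tree is root-owned (or at least not owned by the web account) and nowhere writable by group or world. Re-run it after package upgrades, since a postinstall script that loosens permissions on a subdirectory quietly reopens the hole.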
vBulletin® v3.7.0, Copyright ©2000-2009, Jelsoft Enterprises Ltd.