LEMP: disabling PHP functions

Let’s consider typical LEMP stack:

  • Linux
  • nginx
  • php-fpm
  • MySQL server

For security reasons you might want to disable some dangerous functions such as exec or system. As you may know, you can do this by adding a list of functions to the disable_functions parameter in your php.ini. At the same time, php-fpm lets you set PHP parameters per pool. So we go to our pool config (for instance, /etc/php-fpm.d/production.conf) and try to add:

php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Here you may find that this has no effect if you have suhosin installed. To solve this, use suhosin.executor.func.blacklist in the suhosin config file (which should be /etc/php.d/suhosin.ini on Fedora/CentOS):

suhosin.executor.func.blacklist = "dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

Actually, if you add this list to your php.ini it will work too, but then it applies to all PHP pools rather than just this one.
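Whichever of the two settings you end up using, it is easy for a pool config to drift from the intended list. The following shell audit helper is an added example, not part of the original post: it reads a config file, extracts the value of either key (`php_admin_value[disable_functions]` or `suhosin.executor.func.blacklist`), and reports which entries from the post's list are missing. The two sample config files it writes are constructed for the demo (the pool config deliberately omits proc_open and popen); the function names `configured_list`, `missing_functions` and `write_samples` are this example's own.

```shell
#!/bin/sh
# Audit helper (added example): check that a php-fpm pool config or a suhosin.ini
# disables every function from a baseline list.

# Baseline: the list used in the post.
BASELINE="dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

# configured_list FILE KEY
# Prints the comma-separated value assigned to KEY in FILE (first match, with
# quotes and whitespace removed). Lines starting with ';' are ini comments and
# are ignored. KEY is matched literally, so brackets are safe.
configured_list() {
    grep -v '^[[:space:]]*;' "$1" \
      | grep -F "$2" \
      | sed -e 's/^[^=]*=//' -e 's/[[:space:]"]//g' \
      | head -n 1
}

# missing_functions FILE KEY
# Prints, comma-separated and in baseline order, every baseline function that is
# NOT present in the configured list. Prints an empty line when nothing is missing.
missing_functions() {
    configured=$(configured_list "$1" "$2")
    missing=""
    for fn in $(printf '%s' "$BASELINE" | tr ',' ' '); do
        case ",$configured," in
            *",$fn,"*) ;;                                  # already disabled
            *) missing="${missing:+$missing,}$fn" ;;       # not in the list
        esac
    done
    printf '%s\n' "$missing"
}

# write_samples
# Creates a temp directory holding two constructed config files and prints its path.
write_samples() {
    dir=$(mktemp -d)
    # Constructed pool config: the list is deliberately incomplete for the demo.
    cat > "$dir/production.conf" <<'EOF'
[production]
user = nginx
; disable_functions below is missing proc_open and popen on purpose
php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,curl_exec,curl_multi_exec,parse_ini_file,show_source
EOF
    # Constructed suhosin.ini carrying the full list from the post.
    cat > "$dir/suhosin.ini" <<'EOF'
extension=suhosin.so
suhosin.executor.func.blacklist = "dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: audit both constructed files, then clean up.
samples=$(write_samples)
printf 'pool config, missing: %s\n' "$(missing_functions "$samples/production.conf" 'php_admin_value[disable_functions]')"
printf 'suhosin.ini, missing: %s\n' "$(missing_functions "$samples/suhosin.ini" 'suhosin.executor.func.blacklist')"
rm -rf "$samples"
```

Run it against your real files by calling `missing_functions /etc/php-fpm.d/production.conf 'php_admin_value[disable_functions]'` (or the suhosin key and path). This checks the config on disk only; after reloading php-fpm, confirm the effective value inside the pool with `ini_get('disable_functions')` or phpinfo(), since a setting in a file that is not actually loaded by that pool changes nothing.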