Question
I am using nginx and php-fpm as the default web server, without Apache. So, for best security, each host has its own php-fpm pool.
I have a problem with shell_exec again: I do not want to turn it on for all users, but I need to use this function for some hosts (1 or 3 hosts, no more).
shell_exec is turned off in php.ini. I tried to enable shell_exec in the site's php-fpm pool, but it's not working:
php_admin_value[shell_exec] = on
Answer 1:
Something else to consider is to disable the disable_function in the primary php.ini file.
Then set the disable_function for each FPM pool (for example):
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
If you have a specific FPM pool in which you need to use one or more of those functions, just remove it from that pool's configuration.
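An added example (not part of the original answer or of PHP itself): a Python check for the per-pool layout described above. It relies on the documented PHP-FPM behaviour that a pool's php_admin_value[disable_functions] is appended to the php.ini list instead of replacing it; the pool names, the sample configuration and the `allowed` map are constructed for illustration.

```python
import re

# Dangerous functions to track: the first six entries of the list in the answer above.
DANGEROUS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
SECTION = re.compile(r"^\[([^\]]+)\]$")
DIRECTIVE = re.compile(r"^php_admin_value\[disable_functions\]\s*=\s*(.*)$")

# Constructed sample pool configuration (pool names are hypothetical).
SAMPLE_POOLS = """
[global]
error_log = /var/log/php-fpm.log
[site_a]
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
[tools]
; the one pool that is meant to call shell_exec
php_admin_value[disable_functions] = exec,passthru,system,proc_open,popen
[site_b]
user = site_b
"""

def parse_pools(conf_text):
    """Return {pool: set of functions disabled in that pool's section}."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if m := SECTION.match(line):
            current = None if m.group(1) == "global" else m.group(1)
            if current:
                pools.setdefault(current, set())
        elif current and (m := DIRECTIVE.match(line)):
            pools[current] |= {f.strip() for f in m.group(1).split(",") if f.strip()}
    return pools

def audit(php_ini_disabled, conf_text, allowed):
    """Report pools whose callable dangerous functions differ from `allowed`.

    allowed maps pool name -> dangerous functions that pool is meant to call.
    """
    findings = {}
    for pool, pool_disabled in parse_pools(conf_text).items():
        effective = set(php_ini_disabled) | pool_disabled  # pool list is appended
        wanted = allowed.get(pool, set())
        unexpected = sorted(DANGEROUS - effective - wanted)  # callable, not approved
        blocked = sorted(wanted & effective)                 # approved, still disabled
        if unexpected or blocked:
            findings[pool] = {"unexpected": unexpected, "blocked": blocked}
    return findings

if __name__ == "__main__":
    print(audit(set(), SAMPLE_POOLS, {"tools": {"shell_exec"}}))
    print(audit({"shell_exec"}, SAMPLE_POOLS, {"tools": {"shell_exec"}}))
```

The first call flags site_b, which has no pool-level list and so inherits nothing once php.ini is emptied; the second shows that leaving shell_exec in php.ini keeps it blocked even in the pool that omits it.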
Answer 2:
You can create a whitelist of IP hosts like this:
$whitelist = array('127.0.0.1', '192.168.0.1', 'whateverIPyouAuth');
if(in_array($_SERVER['REMOTE_ADDR'], $whitelist)){
//shell_exec call here
}
Answer 3:
You can do this with suhosin.executor.func.blacklist.
1) Comment out disable_function in php.ini.
2) Below it, add this line (list all functions to be blacklisted, same as disable_function):
suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, proc_open, popen, apache_child_terminate, apache_setenv, define_syslog_variables, pcntl_exec, openlog, posix_getpwuid, posix_kill, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_open, proc_terminate, syslog, curl_exec, curl_multi_exec, php_uname, phpinfo
3) Within the virtual host section, use the line:
php_admin_value suhosin.executor.func.blacklist ".."
So you can redefine the blacklisted functions for that particular virtual host.
In your case, all functions except shell_exec.
It will be:
php_admin_value suhosin.executor.func.blacklist "exec, passthru, system, proc_open, popen, apache_child_terminate, apache_setenv, define_syslog_variables, pcntl_exec, openlog, posix_getpwuid, posix_kill, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_open, proc_terminate, syslog, curl_exec, curl_multi_exec, php_uname, phpinfo"
Source: https://stackoverflow.com/questions/22173218/turn-on-shell-exec-only-for-some-hosts