avoid customer to use his own php.ini

Discussion in 'ISPConfig 3 Priority Support' started by tritema, Aug 23, 2020.

  1. tritema

    tritema Member HowtoForge Supporter

    Dear,

    for a security related issue we really need to stop the ability to the customer to use his own php.ini (in order to avoid malicious use of open_basedir disabled).
    Someone know if it's possible to configure the php (installed following the perfect server setup) to avoid that?

    ty
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Set:

    user_ini.filename =

    in the global.php.ini and restart apache and php-fpm daemons.
     
  3. tritema

    tritema Member HowtoForge Supporter

    Sure but i think that this could be overridden by a malicious users.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, how should he be able to do that? Only the Linux root user and the ISPConfig Administrator can overwrite that setting.
     
  5. tritema

    tritema Member HowtoForge Supporter

    Ok i'll try that way. I think that i need to modify also /var/www/conf/*/ php.ini file others that the global one. For the domain that has some custom spec on the ispconfig php configuration field.
     

Share This Page