
PHP security question: disable_functions in php.ini


    I have been trying to think this through logically but I feel like I need a bit of help.

    There's a tool called drush (drupal shell) that I would like to run on my server for quickly backing up everything on my site.

    When I run drush, freshly installed from the repos with no changes to php defaults, I get this error:

    Code:
    sam@samhobbs:~$ sudo drush
    The following restricted PHP modes have non-empty values:            [error]
    disable_functions. This configuration is incompatible with drush. 
    Please check your configuration settings in /etc/php5/cli/php.ini or
    in your drush.ini file; see examples/example.drush.ini for details.
    If I comment out this line in /etc/php5/cli/php.ini...

    Code:
    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
    ...then drush runs properly.

    My question is, am I doing something stupid by disabling the php CLI disable_functions?

    My understanding is that other PHP programs use a different .ini file so this does not affect them. No other users have CLI access to the server, so I guess not, right? If someone manages to log in as me then they could change the contents of the PHP configuration file anyway, so I'd have bigger things to worry about.

    Feathers
    samhobbs.co.uk

    #2
    Since that's presumably your cli php.ini (and not your webserver php.ini) there shouldn't be huge security concerns, although drush should be able to use its own ini file instead of the system-wide config. See http://drush.ws/examples/example.drush.ini

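Added example (not part of the thread, and not drush or PHP project code): a check for the point made in posts #1 and #2, that clearing `disable_functions` in the CLI php.ini leaves the web server's PHP untouched. It reads only the main ini file of each SAPI (files in a conf.d directory are not merged); the function names and the two sample files, which stand in for the CLI and web server php.ini, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: confirm that clearing disable_functions
# for the CLI did not also clear it for the web server's PHP.

# Print the value of the last uncommented "disable_functions =" line in file $1
# (empty output if the directive is absent, commented out, or set to nothing).
effective_disable_functions() {
  awk '
    /^[ \t]*;/ { next }                        # whole-line comment
    /^[ \t]*disable_functions[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")                 # drop "name ="
      sub(/[ \t]*(;.*)?$/, "")                 # drop trailing comment
      gsub(/^"|"$/, "")                        # drop surrounding quotes
      sub(/,+$/, "")                           # drop trailing comma(s)
      value = $0                               # a later line wins
    }
    END { print value }
  ' "$1"
}

# Succeed only if the ini file $1 still disables at least one function.
still_restricted() {
  [ -n "$(effective_disable_functions "$1")" ]
}

# Print "path<TAB>number of disabled functions" for each ini file given.
report() {
  local ini value count
  for ini in "$@"; do
    value=$(effective_disable_functions "$ini")
    count=0
    if [ -n "$value" ]; then
      count=$(printf '%s\n' "$value" | tr ',' '\n' | grep -c .)
    fi
    printf '%s\t%s\n' "$ini" "$count"
  done
}

# Constructed samples: cli.ini has the line commented out as in post #1,
# web.ini keeps a (shortened) list. Real paths differ per system.
demo_dir=$(mktemp -d)
printf '[PHP]\n;disable_functions = pcntl_fork,pcntl_exec,\n' > "$demo_dir/cli.ini"
printf '[PHP]\ndisable_functions = pcntl_fork,pcntl_exec,\n' > "$demo_dir/web.ini"
report "$demo_dir/cli.ini" "$demo_dir/web.ini"
still_restricted "$demo_dir/web.ini" || echo "WARNING: web SAPI has no disabled functions"
```

On a real server, pass the actual ini paths to `report`; `php --ini` prints the one the CLI loads, and `phpinfo()` output shows the one the web SAPI loads.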


      #3
      Thanks for that Kubicle.

      The problem I had when researching is that I found most people were using hosting services and they hadn't installed using apt-get, instead just unpacking the drush archive into their home folder.

      I was under the impression that you could only use a drush.ini file if you were using the standalone version of drush. Seems like if I just create the file in my home directory (~/.drush/drush.ini) I will be able to run the command and it will override those values.

      Drush is really cool BTW: here's an example of it backing up my whole site (database, files and all):

      Code:
      sam@samhobbs:/var/www/samhobbs$ sudo drush archive-dump default --destination=/media/backups/website/mysite.tar
       Drupal version                  :  7.26                  
       Site URI                        :  default               
       Database driver                 :  mysql                 
       Database hostname               :  localhost             
       Database username               :  drupal                
       Database name                   :  drupal                
       Database                        :  Connected             
       Drupal bootstrap                :  Successful            
       Drupal user                     :  Anonymous             
       Default theme                   :  bartik                
       Administration theme            :  seven                 
       PHP configuration               :  /etc/php5/cli/php.ini 
       Drush version                   :  5.9                   
       Drush configuration             :                        
       Drupal root                     :  /var/www/samhobbs     
       Site path                       :  sites/default         
       File directory path             :  sites/default/files   
       Temporary file directory path   :  /tmp                  
      
      Archive saved to /media/backups/website/mysite.tar                                [ok]
      ...which produced a 15MiB backup file.

      I guess if I want to back up my site without being root I'll have to give my user read access to all databases on the server too so drush can pull all of that info.

      Feathers
      samhobbs.co.uk



        #4
        Hmm unfortunately it doesn't seem to be working, drush reads the drush.ini file but doesn't override the /etc/php5/cli/php.ini file:

        Code:
        sam@samhobbs:~/.drush$ sudo drush status
        The following restricted PHP modes have non-empty values:            [error]
        disable_functions. This configuration is incompatible with drush. 
        Please check your configuration settings in /etc/php5/cli/php.ini or
        in your drush.ini file; see examples/example.drush.ini for details.
         PHP configuration     :  /etc/php5/cli/php.ini /home/sam/.drush/drush.ini 
         Drush version         :  5.9                                              
         Drush configuration   :                                                   
        
        sam@samhobbs:~/.drush$ drush status
        The following restricted PHP modes have non-empty values:            [error]
        disable_functions. This configuration is incompatible with drush. 
        Please check your configuration settings in /etc/php5/cli/php.ini or
        in your drush.ini file; see examples/example.drush.ini for details.
         PHP configuration     :  /etc/php5/cli/php.ini /home/sam/.drush/drush.ini 
         Drush version         :  5.9                                              
         Drush configuration   :
        This is with the example file you linked copied to ~/.drush/drush.ini and the "disable_functions =" line uncommented, which I thought would override the global default, but apparently not. Perhaps it tries to append the new values (i.e. nothing) to the global list?

        Feathers
        samhobbs.co.uk



          #5
          Originally posted by Feathers McGraw:
          "which I thought would override the global default"

          Likewise.

          What does
          Code:
          sudo "env DRUSH_INI='/home/sam/.drush/drush.ini' drush status"
          report?



            #6
            Code:
            sam@samhobbs:/var/www/samhobbs$ sudo "env DRUSH_INI='/home/sam/.drush/drush.ini' drush status"
            usage: sudo [-D level] -h | -K | -k | -V
            usage: sudo -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid]
            usage: sudo -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user name] [-u user
                        name|#uid] [-g groupname|#gid] [command]
            usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p
                        prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]
            usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p
                        prompt] [-u user name|#uid] file ...
            I have also tried creating ~/.drush/php.ini with the same contents as the CLI php.ini apart from "disable_functions= " with no options set, but that didn't work either:

            Code:
            sam@samhobbs:~/.drush$ sudo nano php.ini
            sam@samhobbs:~/.drush$ drush status
            The following restricted PHP modes have non-empty values:            [error]
            disable_functions. This configuration is incompatible with drush. 
            Please check your configuration settings in /etc/php5/cli/php.ini or
            in your drush.ini file; see examples/example.drush.ini for details.
             PHP configuration     :  /etc/php5/cli/php.ini /home/sam/.drush/php.ini 
                                      /home/sam/.drush/drush.ini                     
             Drush version         :  5.9                                            
             Drush configuration   :
            Perhaps there's a global PHP setting that is stopping me from overriding the global .ini with my own...
            samhobbs.co.uk



              #7
              Sorry, bad quoting, try:
              Code:
              sudo env DRUSH_INI='/home/sam/.drush/drush.ini' drush status
              Originally posted by Feathers McGraw:
              "Perhaps there's a global PHP setting that is stopping me from overriding the global .ini with my own"

              You could try the Drupal forums.



                #8
                Code:
                sam@samhobbs:/var/www/samhobbs$ sudo env DRUSH_INI='/home/sam/.drush/drush.ini' drush status
                The following restricted PHP modes have non-empty values:            [error]
                disable_functions. This configuration is incompatible with drush. 
                Please check your configuration settings in /etc/php5/cli/php.ini or
                in your drush.ini file; see examples/example.drush.ini for details.
                 Drupal version                  :  7.26                                             
                 Site URI                        :  http://default                                   
                 Database driver                 :  mysql                                            
                 Database hostname               :  localhost                                        
                 Database username               :  drupal                                           
                 Database name                   :  drupal                                           
                 Database                        :  Connected                                        
                 Drupal bootstrap                :  Successful                                       
                 Drupal user                     :  Anonymous                                        
                 Default theme                   :  bartik                                           
                 Administration theme            :  seven                                            
                 PHP configuration               :  /etc/php5/cli/php.ini /home/sam/.drush/drush.ini 
                 Drush version                   :  5.9                                              
                 Drush configuration             :                                                   
                 Drupal root                     :  /var/www/samhobbs                                
                 Site path                       :  sites/default                                    
                 File directory path             :  sites/default/files                              
                 Temporary file directory path   :  /tmp
                No dice...

                Thanks for your help so far!
                samhobbs.co.uk



                  #9
                  Seems weird to me (I don't actually use drush so I can't really tell if this is normal behavior or not, but judging by the documentation you should be able to override settings with drush.ini).
                  I'm quickly running out of ideas, but here's a few last straws:
                  1. Is there any change in the behavior if you save the drush.ini as /etc/drush/drush.ini?
                  2. Is the drush executable a script or a binary? (If it's a script you could examine it with a text editor to see if there are any clues as to how it reads the various ini files.)
