
Disable shell command from PHP for all domains?

j Zim (Guest)
It seems that a customer was able to upload a php file into the /tmp directory and then call a sh command (php <name of its file.php>) to execute the script.

At the moment I have no idea from what domain this is done but as a quick fix I would like to disable the possibility to execute sh/shell command for all my customers using PHP script.

Is that possible changing the php5.ini file (disable_functions) or doing it this way I'll have some trouble with Plesk or other admin script (like phpmyadmin, etc.)?

Thanks in advance for your help.
JZ
 
No, that should be fine - Plesk uses its own php.ini file for its own web processes, so it should be safe to turn it off.

This is what I use in my disable functions

disable_functions = dl , exec , passthru , pcntl_exec , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , ftp_exec , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd

Also it's a good idea to set these:
expose_php = off
enable_dl = Off
allow_url_include = off
 
Hi Amin, thanks for your reply. I've added this config, but I got a call from a customer using webmail (Horde) and he was not able to send email anymore (error with sendmail, which is using popen). So I removed popen from the "disable_functions" config; do you think it's ok this way?
Cheers,
JZ
 
Should be ok, yeah - I don't use webmail on the same server that Plesk runs on, so I have mine disabled - you may also want to think about using safe_mode (if you're using a PHP version older than 5.3) and open_basedir restrictions as well, if you're not already.
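As an added example (not code from the thread, Plesk or Horde), the following read-only PHP script verifies that the hardening discussed above is actually in effect for the PHP instance serving a given domain: it takes the disable_functions list quoted earlier, reports each entry as disabled, enabled or absent from the build, reports popen as an explicit exception rather than silently accepting it (popen offers the same command execution capability as shell_exec, so it is worth seeing that it is still open), flags the show_source/highlight_file alias pair, and checks the three ini directives plus open_basedir. The file name check_hardening.php and the assumption that it is run under the same php.ini as the customer's site (by browsing to it once, or with php -c pointing at that ini) are mine; it is written to run on PHP 5.3 and later.

```php
<?php
// Added example, not from the thread: audit the PHP instance that serves a
// domain for the disable_functions / ini hardening discussed above.
// Assumed usage: drop it into one domain's document root, load it once, then
// delete it; or run "php -c <that domain's php.ini> check_hardening.php".

// Function names from the disable_functions line quoted in the thread.
$shouldBeDisabled = array(
    'dl', 'exec', 'passthru', 'pcntl_exec', 'posix_kill', 'posix_mkfifo',
    'posix_setuid', 'proc_close', 'proc_open', 'proc_terminate', 'shell_exec',
    'system', 'ftp_exec', 'leak', 'posix_setpgid', 'posix_setsid',
    'proc_get_status', 'proc_nice', 'show_source', 'escapeshellcmd',
);

// popen was taken off the list for Horde's sendmail transport; report it as a
// visible exception instead of hiding it, since it can run shell commands too.
$acceptedExceptions = array('popen' => 'kept for Horde webmail (sendmail via popen)');

// disable_functions works on exact names: disabling show_source does not
// disable its alias highlight_file, so check the pair explicitly.
$aliasPairs = array(array('show_source', 'highlight_file'));

// ini directives recommended in the thread and the value they should have.
$iniExpectations = array(
    'expose_php'        => false,
    'enable_dl'         => false,
    'allow_url_include' => false,
);

function disabledFunctionSet()
{
    // disable_functions is a comma-separated list; PHP tolerates whitespace
    // around the commas, so trim each entry before building the lookup set.
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    return array_fill_keys($names, true);
}

function functionStatus($fn, array $disabled)
{
    if (isset($disabled[$fn])) {
        return 'disabled';
    }
    // function_exists() is false both for disabled functions and for
    // functions this build never had; the disable list separates the two.
    return function_exists($fn) ? 'ENABLED' : 'not available in this build';
}

function iniBool($name)
{
    // Boolean ini values come back as "1" or "" from ini_get().
    return filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

$disabled = disabledFunctionSet();
$lines    = array();
$problems = 0;

foreach ($shouldBeDisabled as $fn) {
    $status = functionStatus($fn, $disabled);
    if ($status === 'ENABLED') {
        $problems++;
    }
    $lines[] = sprintf('%-18s %s', $fn, $status);
}
foreach ($acceptedExceptions as $fn => $why) {
    $lines[] = sprintf('%-18s %s (%s)', $fn, functionStatus($fn, $disabled), $why);
}
foreach ($aliasPairs as $pair) {
    list($a, $b) = $pair;
    if (isset($disabled[$a]) && !isset($disabled[$b]) && function_exists($b)) {
        $problems++;
        $lines[] = sprintf('%-18s disabled, but alias %s is still callable', $a, $b);
    }
}
foreach ($iniExpectations as $name => $expected) {
    $ok = (iniBool($name) === $expected);
    if (!$ok) {
        $problems++;
    }
    $lines[] = sprintf('%-18s %s', $name,
        $ok ? 'ok' : 'MISMATCH (value ' . var_export(ini_get($name), true) . ')');
}
$openBasedir = (string) ini_get('open_basedir');
$lines[] = sprintf('%-18s %s', 'open_basedir', $openBasedir !== '' ? $openBasedir : 'not set');

$out = implode("\n", $lines) . "\n"
     . ($problems ? $problems . " item(s) need attention\n" : "all checks passed\n");
// Plain text on the CLI, escaped <pre> block when served through the web server.
echo PHP_SAPI === 'cli' ? $out : '<pre>' . htmlspecialchars($out) . '</pre>';
```

Because the report is produced by the same PHP that serves the customer's site, it shows the configuration that is really applied to that vhost rather than what a php.ini on disk says, which is the useful check after editing several ini files. If your setup allows a separate php.ini for the webmail host, the popen exception can be confined to that host and the script will then report it as disabled everywhere else.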
 