Restrict who can use php.ini under suPHP

Posted by cikul | Posted in cpanel, Linux | Posted on 09-07-2012-05-2008


There are several ways to prevent users from having their own php.ini files under suPHP. The path you take will depend on whether you want to allow users to have their own in some circumstances or to restrict all accounts on the server to the global php.ini file at /usr/local/lib/php.ini.

Restrict all accounts to the global php.ini file

To restrict all accounts to the global php.ini file, edit the /opt/suphp/etc/suphp.conf file, changing this:

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

to this:

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

Save the file, then restart Apache for good measure. Now, if any account tries to put suPHP_ConfigPath into their .htaccess file, that account will return an Internal Server Error until they remove the .htaccess line. No account will be able to use another php.ini file with this as the default unless you allow the account in the php.ini file itself.
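
Before applying the restriction, it helps to know which accounts still have suPHP_ConfigPath in an .htaccess file and would start returning an Internal Server Error. The script below is an added example, not part of the original post; it assumes the usual /home/<account>/... layout, and the function names and sample accounts are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: find accounts that a global
# php.ini restriction would break because of suPHP_ConfigPath in .htaccess.

# Print "file:line:text" for each active suPHP_ConfigPath line in any
# .htaccess below ROOT ($1). Apache directive names are case-insensitive, so
# grep -i is used; commented-out lines ('#') fail the anchored pattern.
# grep exits 1 when nothing matches, hence the "|| true".
find_configpath_overrides() {
    find "$1" -type f -name .htaccess -exec \
        grep -inHE '^[[:space:]]*suPHP_ConfigPath([[:space:]]|$)' {} + || true
}

# Reduce the hits to account names, assuming a ROOT/<account>/... layout.
affected_accounts() {
    root=${1%/}
    find_configpath_overrides "$root" |
        awk -v r="$root/" 'index($0, r) == 1 {
            rest = substr($0, length(r) + 1); sub(/\/.*/, "", rest); print rest
        }' | sort -u
}

# Constructed sample tree with hypothetical accounts alice, bob and carol.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html/blog" "$t/bob/public_html" "$t/carol/public_html"
    printf 'suPHP_ConfigPath /home/alice/public_html\n' > "$t/alice/public_html/.htaccess"
    printf '  suphp_configpath /home/alice\n' > "$t/alice/public_html/blog/.htaccess"
    printf '# suPHP_ConfigPath /home/bob\nOptions -Indexes\n' > "$t/bob/public_html/.htaccess"
    printf 'RewriteEngine On\n' > "$t/carol/public_html/.htaccess"
    echo "$t"
}

# Usage: sh audit.sh /home   (with no argument, runs on the constructed sample)
if [ -n "${1:-}" ]; then
    affected_accounts "$1"
else
    sample=$(make_sample_tree)
    affected_accounts "$sample"
    rm -rf "$sample"
fi
```

Run it as root so that every account's .htaccess files are readable; find_configpath_overrides gives the exact file and line to remove for each account listed.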

If you have PHP 5.3+ and want to allow some accounts to have their own php.ini file

If you have restricted all accounts globally to the /usr/local/lib/php.ini file and want to have one or more accounts bypass the restriction, this is possible under PHP 5.3 using the global php.ini itself.

Method One: Allowing individual user_ini files

In the /usr/local/lib/php.ini file, put the following line:

user_ini.filename = .my.ini

The .my.ini name can be anything. Save the file, then go to the account you want to allow its own settings and create .my.ini on the account (it can be anywhere on the account, for example /home/username/public_html/.my.ini).

In the .my.ini file, you put only the changes you want for that account, such as register_globals = On. Of note, only the PHP_INI_PERDIR and PHP_INI_USER directives are allowed in this file. Any PHP_INI_SYSTEM directives will not be changeable there.

Method Two: Putting individual user settings into the global php.ini file

This is the better method in my opinion. At the bottom of the /usr/local/lib/php.ini file, you can define individual user php.ini directives with the path to that user’s application:


Here is an example putting that at the bottom of /usr/local/lib/php.ini for an account. If you try doing this in PHP 5.2, it will change the global value to the new ones rather than just that user’s, as PHP 5.2 doesn’t support the path directive. Only PHP 5.3 will work properly to read the path to the user’s application. Under this method, even PHP_INI_SYSTEM directives are changeable for that account.

Under Method One for the user_ini file, the user can modify directives themselves in the .my.ini file on the account. Under Method Two for the global php.ini user path directives, only the administrator of the machine can modify the directives. Of note, anyone can create their own user_ini file under Method One, but they would need to know the name set in the global php.ini to do so (since you can call the file anything, it could be called .guessme.ini instead, and users aren’t then likely to know the name to bypass restrictions).
