Various disable function_warnings, why?

Black Tiger

Member
I've read over the forums and I'm about to buy my Xenforo, however, I'm not really comfortable with this:

1. Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
2. Your server has disabled a core PHP function escapeshellarg via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
3. Your server has disabled a core PHP function proc_open via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
4. Your server has disabled a core PHP function popen via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
Obviously this is done for security reasons and I'm not eager to change any of these, because I'm running IPB now and this does not complaint about these settings neither did my SMF software.

I also read somewhere that proc_open is used for the php mail function, which strikes me as odd because I can use that function on other forum software without the need of the proc_open being enabled. And we also have some Wordpress installations from customers using the php mail function.
So if it's required for Xenforo, is there not a safer way to use php mail in XF? I'm no programmer so I wouldn't know, I just compare what I see.

My second question is, if any of these is required for the newest Xenforo versions. I will be using smtp mail anyway, but since a lot of new things have been added in XF, just like to know if they are still warnings which can be ignored, or that there are requirements so one of these which are required to be set otherwise.
 

Black Tiger

Member
There is no reason to disable those for "security reasons".
Proc_open is not a big issue anymore when using mod_ruid2 or php-fpm.
I don't know why you would think that exec wouldn't be a potential security risk on a shared hosting environment where hackers abuse leak theme's (for example from Wordpress) to get there php files online. At least this way they can't use exec code in there (and no shell_exec either since it's disabled too). So I wonder why you are making a riskfull and untrue statement, compared to what is to be read on the internet. And is also considered basic system security on shared servers amongst hosters.

However, your answer did not answer my questions.

@Ozzy47 Thank you, that's what I wanted to know.

exec is required for XFMG and FFmpeg integration.
Is that an for a certain addon? Or for youtube bbcode? We never needed that for youtube link displays before.
 

Ralle

Active member
I agree. On shared hosting you definitely don’t want these enabled. But you might not have access to ffmpeg on there either regardless.

Shell functions can bypass PHP’s open_basedir and IF a hacker somehow finds a bug in the impeccable and really well written XF source code, they can do more damage with access to shell functions than without.

I think you should get XF anyway. If your shared hosting does not work well for you get a VPS. From my perspective I would sooner replace my hardware than move away from XF. It’s just that good.
 

Mike

XenForo developer
Staff member
If the server is compromised and an attacker can execute arbitrary code, then you're usually in a rough situation, regardless of whether specific PHP functions have been disabled. I certainly wouldn't trust disable_functions as security in a shared host as there are several documented ways around it. (And PHP doesn't actually consider disable_function bypasses to be part of their security policy because they aren't remotely exploitable, from comments I've found.)

(As you mentioned, controlling PHP's execution at the OS-level is generally a better approach.)

Sending mail by default uses sendmail directly, which is actually what mail() does internally, but it calls it directly which allows for much more consistent control and debugging. This is actually part of Swiftmailer's implementation and it's what's using proc_open. It's not used if you use SMTP, as mentioned, though that's not to say that we might not create other features in the future that use this, for example.

These disabled functions are really just considered warnings because they tend to apply to specific areas only and often have alternatives that may work (eg, SMTP). But they may cause errors if the features you want ultimately require them.

Is that an for a certain addon? Or for youtube bbcode? We never needed that for youtube link displays before.
It's for the Media Gallery add-on, related to video uploading primarily. It isn't used for YT embeds or anything like that.
 

Black Tiger

Member
Ofcouse I agree that it should not be the only thing to rely on, but that it's a package. I already experienced hackers being able to put files on the server through leaks in themes or addons from Wordpress, but that was limited to that account. Because of the combination of security measures taken, amongst which are the disabled functions, secured /tmp directory and some more.

as there are several documented ways around it.
Which have to be looked up and mostly aren't used by scriptkiddies testing stuff.
So imho it's indeed not "everything" about security, but the disabled_functions do add up to the security measures on a shared hosting environment.

If you state that it's only needed for the Media Gallery and php mail, then I'm satisfied and just can leave them closed. That's all I wanted to know. Thank you for your insight and explanation Mike!

I think you should get XF anyway. If your shared hosting does not work well for you get a VPS. From my perspective I would sooner replace my hardware than move away from XF. It’s just that good.
Which is the reason that I'm going to change to XF. However, Gallery on the competition does not need these things to be opened, so that's why I wondered about this.

Anyway, I got my answer, it does not interfear with good use, Youtube embedding, and Resources, so fine with me.

Thank you for the answers everbody!
 
Top