Various disable function_warnings, why?

[Black Tiger]

I've read over the forums and I'm about to buy my Xenforo, however, I'm not really comfortable with this:

1. Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
2. Your server has disabled a core PHP function escapeshellarg via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
3. Your server has disabled a core PHP function proc_open via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
4. Your server has disabled a core PHP function popen via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.

Obviously this is done for security reasons and I'm not eager to change any of these, because I'm running IPB now and this does not complaint about these settings neither did my SMF software.

I also read somewhere that proc_open is used for the php mail function, which strikes me as odd because I can use that function on other forum software without the need of the proc_open being enabled. And we also have some Wordpress installations from customers using the php mail function.
So if it's required for Xenforo, is there not a safer way to use php mail in XF? I'm no programmer so I wouldn't know, I just compare what I see.

My second question is, if any of these is required for the newest Xenforo versions. I will be using smtp mail anyway, but since a lot of new things have been added in XF, just like to know if they are still warnings which can be ignored, or that there are requirements so one of these which are required to be set otherwise.

 

[Paul B]

There is no reason to disable those for "security reasons".

 

[Ozzy47]

exec is required for XFMG and FFmpeg integration.

I believe escapeshellarg is required for email function.

proc_open and popen are required for email delivery when using the built in PHP option - they are not required if using SMTP.

 

[Black Tiger]

There is no reason to disable those for "security reasons".

Proc_open is not a big issue anymore when using mod_ruid2 or php-fpm.
I don't know why you would think that exec wouldn't be a potential security risk on a shared hosting environment where hackers abuse leak theme's (for example from Wordpress) to get there php files online. At least this way they can't use exec code in there (and no shell_exec either since it's disabled too). So I wonder why you are making a riskfull and untrue statement, compared to what is to be read on the internet. And is also considered basic system security on shared servers amongst hosters.

However, your answer did not answer my questions.

@Ozzy47 Thank you, that's what I wanted to know.

exec is required for XFMG and FFmpeg integration.

Is that an for a certain addon? Or for youtube bbcode? We never needed that for youtube link displays before.

 

[Rasmus Vind]

I agree. On shared hosting you definitely don’t want these enabled. But you might not have access to ffmpeg on there either regardless.

Shell functions can bypass PHP’s open_basedir and IF a hacker somehow finds a bug in the impeccable and really well written XF source code, they can do more damage with access to shell functions than without.

I think you should get XF anyway. If your shared hosting does not work well for you get a VPS. From my perspective I would sooner replace my hardware than move away from XF. It’s just that good.

 

[Mike]

If the server is compromised and an attacker can execute arbitrary code, then you're usually in a rough situation, regardless of whether specific PHP functions have been disabled. I certainly wouldn't trust disable_functions as security in a shared host as there are several documented ways around it. (And PHP doesn't actually consider disable_function bypasses to be part of their security policy because they aren't remotely exploitable, from comments I've found.)

(As you mentioned, controlling PHP's execution at the OS-level is generally a better approach.)

Sending mail by default uses sendmail directly, which is actually what mail() does internally, but it calls it directly which allows for much more consistent control and debugging. This is actually part of Swiftmailer's implementation and it's what's using proc_open. It's not used if you use SMTP, as mentioned, though that's not to say that we might not create other features in the future that use this, for example.

These disabled functions are really just considered warnings because they tend to apply to specific areas only and often have alternatives that may work (eg, SMTP). But they may cause errors if the features you want ultimately require them.

Is that an for a certain addon? Or for youtube bbcode? We never needed that for youtube link displays before.

It's for the Media Gallery add-on, related to video uploading primarily. It isn't used for YT embeds or anything like that.

 

[Black Tiger]

Ofcouse I agree that it should not be the only thing to rely on, but that it's a package. I already experienced hackers being able to put files on the server through leaks in themes or addons from Wordpress, but that was limited to that account. Because of the combination of security measures taken, amongst which are the disabled functions, secured /tmp directory and some more.

as there are several documented ways around it.

Which have to be looked up and mostly aren't used by scriptkiddies testing stuff.
So imho it's indeed not "everything" about security, but the disabled_functions do add up to the security measures on a shared hosting environment.

If you state that it's only needed for the Media Gallery and php mail, then I'm satisfied and just can leave them closed. That's all I wanted to know. Thank you for your insight and explanation Mike!

I think you should get XF anyway. If your shared hosting does not work well for you get a VPS. From my perspective I would sooner replace my hardware than move away from XF. It’s just that good.

Which is the reason that I'm going to change to XF. However, Gallery on the competition does not need these things to be opened, so that's why I wondered about this.

Anyway, I got my answer, it does not interfear with good use, Youtube embedding, and Resources, so fine with me.

Thank you for the answers everbody!

 

[briansol]

php fpm ships this way via cpanel. if you are running cpanel, you can simply enable it through https://support.cpanel.net/hc/en-us...disable-functions-Values-for-PHP-FPM-Globally

 

[Black Tiger]

I know how to disable these things and I'm running Directadmin. But thank you anyway.

 

[beerForo]

How do you enable exec when it is not listed as disabled in PHP.INI or htacess?

The following warnings were detected when verifying that your server can run XenForo:
Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
These will not prevent you from using XenForo, but they should be resolved if possible to ensure optimal functioning. However, you may still continue with the upgrade.

 

[Black Tiger]

How do you enable exec when it is not listed as disabled in PHP.INI or htacess?

You don't. Only way is to ask your host. But then it is listed in the server's main php.ini.

 

[beerForo]

disable =
is empty for php 8, must have been a false flag.

 

[Black Tiger]

You mean disable_functions = is empty on the main server php.ini?
Odd you getting that message then. Maybe indeed a false flag.