Allow exec on php

wav3front

Hi,

"exec" function is disabled by default. How can I enable it?

Thanks
Alex

cPFence

It’s not disabled by default. Check Main CP > Settings > Service > Application > disabled_functions , it might be set there and inherited across all servers.

That said, it’s recommended to keep it disabled along with other risky functions, and only use the override feature in Enhance for specific sites that actually need it.

Helix

cPFence Isn't that just preset default values that the user can override? Values set on that page can at least be changed by the users on our Enhance cluster.

I also thought the idea of containerization/compartalization of users that Enhance did, is to allow the use of all php functions, even scary ones that one should disable in a shared environment.
This is perfectly fine when using a properly hardened CloudLinux at least, to allow all php functions that is.

Anyway, disabled_functions should be set elsewhere, where they are not overridable by the user.

cPFence

Helix

If you want to prevent users from editing php.ini, you can disable it in the package settings:
Edit Package > Features > Allow php.ini editor

Just be ready for more support tickets from users complaining about the missing feature if you disable it.

Containerization is great, and in 2025, it’s a must-have. It helps prevent one infected site from affecting other sites or compromising the entire server. But it won’t protect the compromised site itself, once a site is vulnerable, containerization doesn’t stop the damage within that container. That’s why it’s still your responsibility as a hosting provider to secure each site individually. Setting disabled functions globally as a default is a smart move, it adds a strong extra layer to your overall security.

Helix

cPFence Yeah I get that and we do follow the practise of disabling functions.
However disabling the editing of php.ini also removes the ability for the user to set basic parameters like upload size and execution time, which is not optimal. Optimally we would like to allow the user to change some php parameters but not everything. Currently it is all or nothing.

cPFence

Helix Optimally we would like to allow the user to change some php parameters but not everything. Currently it is all or nothing.

Sounds like a cool feature request candidate. Per-parameter control would be a smart addition.