Question posted in 
I’m stunned, have absolutely never seen this problem before – I’ve been busy all evening and morning trying to disable shell_exec (and some other functions) through php.ini, but nothing seems to work. If I run phpinfo(), the local value states the functions are disabled and the master value is not set.
However, if I try to run the function (function like shell_exec()), it still works, giving me the output, instead of being disabled.
Any help would be greatly appreciated, we are completely lost. Running Ubuntu with Plesk 11.
Kind regards,
2
Answers
Service Plans > your plan > PHP settings > write “disable_functions=shell_exec” in textbox “Additional configuration directives” – click on Update & Sync
All not locked subscription get this directive in their php.ini files.
I have checked that disable_function doesn’t works until it applied to “local value” and “master value”. When PHP works as Apache module disable_function doesn’t applied to master part. I’m sure it’s happens because in apache mudule there is “Loaded Configuration File” which located in /etc/apache/ or /etc/httpd/.
So, PHP settings is merged from two separate php.ini files – from global and from subscription’s php.ini.
In FastCGI mode “Loaded Configuration File” is a subscription level php.ini, so there is only one php.ini is effective.
So, you following steps is obvious:
– use FastCGI and forbid to change this mode for your users(There is such ability in plesk)
or
– for Apache module add same directive to global php.ini
I can confirm this (and NOT running Plesk). I have this in my PHP-FPM php.ini file:
And a script consisting
works (though it should not!) and actually shows:
So something weird is going on. The correct file and the section are loaded (I can see that from the phpinfo output) but the settings have no effect, not the disable_functions, at least.
Looks like a bug of some sort to me.