I'm obviously not the first one to have this problem, but I cannot not find an answer to this situation.
I want to lock down PHP a bit, more specifically the use of disable_functions. The environment is CentOS 6.2/PHP 5.3.3 fcgid/Apache 2.2.15:
Whats the proper apache config (AllowOverride, etc) to disable any PHP setting to be changed via .htaccess? All other overrides are ok (current setting is AllowOverride All)
Whats the proper config to forbid effective use of disable_functions in all but the master php.ini (as in forbid use of disable_functions in /home/myvhost/etc/php5/php.ini or any directory within in that vhost public_html. another way to say this: the only effective disable_functions comes from the master php.ini)?
If #2 is not possible, at least whats the proper config to disallow a vhost owner to effectively use any php.ini but the vhost main one (/home/myvhost/etc/php5/php.ini)?
Thanks
.htaccessonly overrides PHP whenmod_phpis used, and doing so requiresOptionsoverride permissions. All other cases, you cannot directly override ini options from the htaccess file, but withFileInfoyou may be able to override the default FCGI handler to point to an alternate fcgi handler with a flag to tell php to use an alternate .ini file.I do not believe this is possible.
Don't allow vhosts to override FileInfo.
FileInfo allows htaccess files to override
AddHandler,SetHandlerandActionfor CGIs as well asFcgidWrapperfor mod_fcgid.