How to Disable PHP from Running exec

Posted in Featured Tutorials


PHP scripts have the ability to run Linux/Unix commands through the PHP function exec(). That means that anyone with FTP access to your web server can write a PHP script that executes Unix commands on your server, such as deleting files with “rm”.

This is a real exposure. Some legitimate web applications do need the exec() function, but if you have no such need and you want to make your server more secure, you can configure PHP in the php.ini file to disable the exec() function.

Find the line “disable_functions” in the php.ini file (which may be in the public root of your web server).

Add the functions that you want to disable to that line, as in …

disable_functions = exec

Now when a PHP script tries to call exec(), the call does not run, and PHP may display a warning instead …

Warning: exec() has been disabled for security reasons in ...

To make sure that you have disabled it properly, run phpinfo() and look at the “disable_functions” directive, which lists the disabled functions.

May Not Work if …

You are editing a php.ini file that is in a sub-directory instead of the public root. You may also need to restart the web service for the change to take effect.

Going Further

There are many other “dangerous” PHP functions similar to exec() which you can append to that line, separated by commas. See the article on cyberciti.biz for some of those functions.
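The following shell script is an added example, not code from the original post or from the cyberciti.biz article it points to. It covers both the verification step above (is a given function really listed in disable_functions?) and the comma-separated list in this section: it audits the directive in a php.ini file, merges additional function names into it without dropping what is already there, and comments out the old directive so the change is easy to review. It assumes the path you pass is the php.ini that PHP actually loads (phpinfo() reports it under “Loaded Configuration File”), and the function names in the usage section at the bottom are a common set of command-execution functions chosen for this example, not the list from the referenced article.

```shell
#!/bin/sh
# Added example (not from the original post): audit and harden the
# disable_functions directive of a php.ini file without needing PHP installed.
# Assumption: $1 is the php.ini that PHP actually loads (phpinfo() reports it
# as "Loaded Configuration File"); a copy in a sub-directory is ignored by PHP.

# Print the effective disable_functions value (last uncommented assignment
# wins, as in PHP), with surrounding quotes and trailing ";" comments stripped.
php_ini_disabled_list() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//; s/^"(.*)"$/\1/'
}

# Exit 0 if the comma-separated list $1 contains function name $2.
# PHP function names are case-insensitive, so compare in lower case.
_list_has() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
        | grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Exit 0 if function $2 is disabled in php.ini $1, else 1.
php_ini_has_disabled() {
    _list_has "$(php_ini_disabled_list "$1")" "$2"
}

# Add every function named in $2.. to disable_functions of php.ini $1, keeping
# what is already listed. Existing active directives are commented out and a
# single merged directive is appended, so the file stays easy to audit.
php_ini_disable_functions() {
    ini="$1"; shift
    # Normalise the current list to "a,b,c" (no spaces, no empty entries).
    new=$(php_ini_disabled_list "$ini" | tr ',' '\n' \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' | grep -v '^$' | paste -sd, -)
    for fn in "$@"; do
        if ! _list_has "$new" "$fn"; then
            if [ -z "$new" ]; then new="$fn"; else new="$new,$fn"; fi
        fi
    done
    tmp=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*disable_functions[[:space:]]*=)/;\1/' "$ini" > "$tmp" \
        && printf 'disable_functions = %s\n' "$new" >> "$tmp" \
        && cat "$tmp" > "$ini"      # overwrite in place to keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh harden_php_ini.sh /path/to/php.ini
# Disables exec() plus other command-execution functions commonly listed
# alongside it (a set chosen for this example), then prints the resulting
# directive. Restart PHP-FPM or the web server afterwards so the change loads.
if [ $# -ge 1 ]; then
    php_ini_disable_functions "$1" exec passthru shell_exec system proc_open popen \
        && printf 'disable_functions = %s\n' "$(php_ini_disabled_list "$1")"
fi
```

Because PHP honours only the last assignment of a directive, commenting out the earlier ones rather than editing them in place leaves a visible record of what the file said before hardening, which is what you want when reviewing the change later. After running it, confirm with phpinfo() as described above; if the directive does not appear there, you edited a php.ini that PHP is not loading.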