From be7d15eeefe191825f2a5082caee2cd5372a8a16 Mon Sep 17 00:00:00 2001
From: joglomedia
Date: Mon, 14 Oct 2019 21:54:05 +0700
Subject: [PATCH] enhance php security
---
 etc/php/5.6/fpm/pool.d/lemper.conf | 5 ++++-
 etc/php/7.0/fpm/pool.d/lemper.conf | 5 ++++-
 etc/php/7.1/fpm/pool.d/lemper.conf | 5 ++++-
 etc/php/7.2/fpm/pool.d/lemper.conf | 5 ++++-
 etc/php/7.3/fpm/pool.d/lemper.conf | 4 +++-
 etc/php/7.4/fpm/pool.d/lemper.conf | 4 +++-
 6 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/etc/php/5.6/fpm/pool.d/lemper.conf b/etc/php/5.6/fpm/pool.d/lemper.conf
index d3f0e8f..dfadbcf 100644
--- a/etc/php/5.6/fpm/pool.d/lemper.conf
+++ b/etc/php/5.6/fpm/pool.d/lemper.conf
@@ -25,8 +25,10 @@ chdir = /home/lemper
 security.limit_extensions = .php .php5 .php56
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+; Custom PHP ini settings.
 php_flag[display_errors] = on
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php5.6-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -34,3 +36,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
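Review bot: The added `error_reporting` line in the first hunk of etc/php/5.6/fpm/pool.d/lemper.conf masks `E_WARNING`, and on these PHP 5.6–7.4 pools a call to a function listed in the new `disable_functions` line, like an `open_basedir` violation, is reported as a warning, so the hardening added here would leave no trace in `error_log`. Because it is a `php_admin_value`, application code cannot widen it again with `ini_set()`. I would keep warnings in the mask, `php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED`, and since the context line still has `php_flag[display_errors] = on`, switch that to `php_admin_flag[display_errors] = off` so errors go only to the log. The same two lines are added in the 7.0, 7.1, 7.2, 7.3 and 7.4 pool files.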
diff --git a/etc/php/7.0/fpm/pool.d/lemper.conf b/etc/php/7.0/fpm/pool.d/lemper.conf
index 66ef951..d7b2383 100644
--- a/etc/php/7.0/fpm/pool.d/lemper.conf
+++ b/etc/php/7.0/fpm/pool.d/lemper.conf
@@ -28,8 +28,10 @@ chdir = /home/lemper
 security.limit_extensions = .php .php7 .php70
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+; Custom PHP ini settings.
 php_flag[display_errors] = on
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php7.0-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -37,3 +39,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
diff --git a/etc/php/7.1/fpm/pool.d/lemper.conf b/etc/php/7.1/fpm/pool.d/lemper.conf
index a59c6de..4418ab4 100644
--- a/etc/php/7.1/fpm/pool.d/lemper.conf
+++ b/etc/php/7.1/fpm/pool.d/lemper.conf
@@ -29,8 +29,10 @@ chdir = /home/lemper
 security.limit_extensions = .php .php7 .php71
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+; Custom PHP ini settings.
 php_flag[display_errors] = on
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php7.1-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -38,3 +40,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
diff --git a/etc/php/7.2/fpm/pool.d/lemper.conf b/etc/php/7.2/fpm/pool.d/lemper.conf
index 429adac..e42dcc6 100644
--- a/etc/php/7.2/fpm/pool.d/lemper.conf
+++ b/etc/php/7.2/fpm/pool.d/lemper.conf
@@ -29,8 +29,10 @@ chdir = /home/lemper
 security.limit_extensions = .php .php7 .php72
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+; Custom PHP ini settings.
 php_flag[display_errors] = on
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php7.2-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -38,3 +40,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
diff --git a/etc/php/7.3/fpm/pool.d/lemper.conf b/etc/php/7.3/fpm/pool.d/lemper.conf
index 455bc1a..ecf06d5 100644
--- a/etc/php/7.3/fpm/pool.d/lemper.conf
+++ b/etc/php/7.3/fpm/pool.d/lemper.conf
@@ -30,7 +30,8 @@ security.limit_extensions = .php .php7 .php73
 ; Custom PHP ini settings.
 php_flag[display_errors] = on
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php7.3-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -38,3 +39,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
diff --git a/etc/php/7.4/fpm/pool.d/lemper.conf b/etc/php/7.4/fpm/pool.d/lemper.conf
index 7a13a7c..646aede 100644
--- a/etc/php/7.4/fpm/pool.d/lemper.conf
+++ b/etc/php/7.4/fpm/pool.d/lemper.conf
@@ -30,7 +30,8 @@ security.limit_extensions = .php .php7 .php74
 ; Custom PHP ini settings.
 php_flag[display_errors] = on
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com
+php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+php_admin_value[disable_functions] = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,popen,proc_open,shell_exec,system
 php_admin_value[error_log] = /var/log/php/php7.4-fpm.$pool.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 128M
@@ -38,3 +39,4 @@ php_admin_value[open_basedir] = /home/lemper
 php_admin_value[upload_tmp_dir] = /home/lemper/.tmp
 php_admin_value[upload_max_filesize] = 10M
 php_admin_value[opcache.file_cache] = /home/lemper/.opcache
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f you@yourmail.com