How to restrict php directives using php_admin_value and php_admin_flag

Let’s say you are dealing with a shared Apache server running PHP as an Apache module, you have several websites running, and you don’t want to let some php directives being changed. You allow the modifications of the directives such as  display_errors but you don’t want memory_limit to be changed by any of the users (let’s say 128M) also, you don’t want to say that your server runs PHP (i.e expose_php off).

It’s possible to change the values of the php.ini directives in three differents ways:

  • apache configuration (i.e virtualhost(s), apache2.conf, etc …)
  • .htaccess (if AllowOverride Options or AllowOverride All)
  • ini_set function

There are two ways to force the values of the php directives and make them unchangeable from .htaccess or with ini_set function.

php_admin_value <setting> <value>

This one forces a directive to a certain value (non boolean), for example:

php_admin_value memory_limit 128M

We force memory_limit to 128M.

php_admin_flag <setting> <on|off>

This one does the same but for a boolean value, for example:

php_admin_flag expose_php off

There the directive expose_php will be unset.

To do this for ALL the websites on your server, you can edit your /etc/apache2/apache2.conf (may change if you have httpd) and put this content at the end:

Include php_restrictions

Create the file  /etc/apache2/php_restrictions, and add this content:

php_admin_value memory_limit 200M
php_admin_flag expose_php off

You can add as many rules as you wish, then reload your webserver like that (may change if you have httpd):

/etc/init.d/apache2 reload

To do this for only ONE specific website (i.e virtualhost), just set the rules inside the virtualhost like that:

    DocumentRoot /var/www/test
    # now the rules
    php_admin_value memory_limit 128M
    php_admin_flag expose_php off

This will apply only to the website.

Then you need to reload the webserver too.

Voilà, you have restricted some directives and some others are still changeable.

Though, some directives cannot be changed inside apache2.conf or virtualhost(s), you may check the documentation .