Force Users to Use a Global PHP.ini (SuPHP on cPanel)

Written by admin on November 29th, 2011. Posted in Tutorials

SuPHP has various security enhancements over DSO PHP, such as running processes as the user rather than nobody and only allowing 755 folder and 644 file permissions. However, the default option on cPanel to allow individual php.ini files is a security concern.

There are several methods that can be used to prevent users from having their own php.ini files under suPHP. The path you take will depend on whether you want to allow users to have their own in some circumstances or to restrict all accounts on the server to the global php.ini file at /usr/local/lib/php.ini.

Force all accounts to use the global php.ini file

To force all users to use the global php.ini file, you would edit the /opt/suphp/etc/suphp.conf file:

Uncomment the handler lines in the [phprc_paths] section. Change these lines:

 [phprc_paths]
 ;Uncommenting these will force all requests to that handler to use the php.ini
 ;in the specified directory regardless of suPHP_ConfigPath settings.
 ;application/x-httpd-php=/usr/local/lib/
 ;application/x-httpd-php4=/usr/local/php4/lib/
 ;application/x-httpd-php5=/usr/local/lib/

To these:

 [phprc_paths]
 ;Uncommenting these will force all requests to that handler to use the php.ini
 ;in the specified directory regardless of suPHP_ConfigPath settings.
 application/x-httpd-php=/usr/local/lib/
 application/x-httpd-php4=/usr/local/php4/lib/
 application/x-httpd-php5=/usr/local/lib/

Save the file, then restart Apache for good measure:

/scripts/restartsrv_httpd

Now, if any account tries to put suPHP_ConfigPath into its .htaccess file, that account will return an Internal Server Error until the line is removed from .htaccess. With this as the default, no account will be able to use another php.ini file unless you allow the account in the php.ini file itself.
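
Because accounts that still set suPHP_ConfigPath will start returning errors, it helps to list them before the restart. The shell sketch below is an added example, not part of the original tutorial: it prints the active [phprc_paths] entries and finds .htaccess overrides and per-account php.ini files. The function names and the demo directory layout are assumptions; on a real server you would point the functions at /opt/suphp/etc/suphp.conf and /home.

```shell
#!/bin/sh
# Added example: audit helpers for the suphp.conf change described above.

# Print the handler=path entries that are active (uncommented) in [phprc_paths].
phprc_active() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[phprc_paths\]/); next }
        in_sec && /^[ \t]*[^; \t][^=]*=/ { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# List .htaccess files under a home root that set suPHP_ConfigPath on a
# non-comment line; these accounts will error once the global path is forced.
find_configpath_overrides() {
    find "$1" -type f -name .htaccess -exec \
        grep -liE '^[[:space:]]*suPHP_ConfigPath[[:space:]]' {} + 2>/dev/null | sort
}

# List per-account php.ini files that will no longer be honoured.
find_user_phpini() {
    find "$1" -type f -name php.ini | sort
}

# Demo on constructed sample data (not real accounts); runs offline.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice/public_html" "$d/home/bob/public_html"
    printf '%s\n' '[phprc_paths]' ';application/x-httpd-php4=/usr/local/php4/lib/' \
        ' application/x-httpd-php5=/usr/local/lib/' '[handlers]' \
        'application/x-httpd-php5="php:/usr/bin/php"' > "$d/suphp.conf"
    printf '%s\n' 'suPHP_ConfigPath /home/alice/public_html' \
        > "$d/home/alice/public_html/.htaccess"
    printf '%s\n' '# suPHP_ConfigPath /home/bob' > "$d/home/bob/public_html/.htaccess"
    : > "$d/home/alice/public_html/php.ini"
    echo "Active phprc_paths:";    phprc_active "$d/suphp.conf"
    echo "Overrides to clean up:"; find_configpath_overrides "$d/home"
    echo "Per-user php.ini:";      find_user_phpini "$d/home"
    rm -rf "$d"
}
demo
```
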
