
We enabled SCL on CentOS 7 and installed Python 2.7, Apache 2.4 and PHP 7.1. It looks like the updated programs are being used. However, we seem to have a problem with PHP hardening.

First, here is the php.ini we can find:

# find /opt/rh -name php.ini
/opt/rh/rh-php71/register.content/etc/opt/rh/rh-php71/php.ini

Next, we added our disable_functions:

# grep disable_functions /opt/rh/rh-php71/register.content/etc/opt/rh/rh-php71/php.ini
disable_functions=apache_note,apache_setenv,chgrp,closelog,debugger_off,debugger_on,define_sys,define_syslog_variables,diskfreespace,dl,escapeshellarg,escapeshellcmd,exec,getmypid,getmyuid,ini_restore,leak,listen,openlog,passthru,pclose,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_getpriority,pcntl_get_last_error,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_uname,popen,posix,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,syslog,system,url_exec,_getppid

Finally, when we restart Apache, add a phpinfo.php page, and then inspect the result (this is the real web server result), PHP claims there are no disabled functions:

[screenshot: phpinfo() output showing disable_functions with "no value"]

I think we are using the wrong php.ini, but I can't seem to find the one we are supposed to be using. I can't find it on the filesystem in /opt and search is returning irrelevant results.

My question is, where is php.ini when SCL PHP is in effect?

  • Have you checked in `/etc/opt/rh`? (Yeah, SCL configuration is confusing… I think the ones you found are only the templates copied there at "some" point, possibly on installation.) – Ulrich Schwarz Dec 21 '17 at 07:34
  • 1
    Thanks @Ulrich. Yes, it was in `/etc` as opposed to `/opt`. Do you feel like providing an answer? If needed, here are some of my [field notes](https://unix.stackexchange.com/a/412171/56041) for the upgrade, including your feedback. –  Dec 21 '17 at 15:23
  • 1
    If you look at the top of the phpinfo() page you'll see the path of the ini file that is loaded/read .... – ivanivan Dec 21 '17 at 16:40

2 Answers

Software collections install most of their things underneath /opt, but the configuration actually lives underneath /etc/opt. (And I wouldn't be surprised to see a /var/opt either.) The file you found is actually the configuration that is copied into /etc/opt/… by one of the installation scripts in /opt/rh/rh-php71/register.d.

Ulrich Schwarz

I believe @ulrich-schwarz provided the correct answer, but I want to expand on it a bit for others who come across this later, as I did, and don't see the answer right away.

When the Software Collections are installed, there is a php.ini in the /opt/rh/... directory structure, but as he pointed out, it exists in the /etc/opt/rh/ directory.

In my case, I found that the rh-php56-php package placed the php.ini in /etc/opt/rh/rh-php56/php.ini - simply adding disable_functions = "phpinfo" to the file disabled the function.

To validate this, in /opt/rh/httpd24/root/var/www/html/ create an index.php with these contents:

<html>
 <head>
  <title>PHP Test</title>
 </head>
 <body>
 <?php
    echo '<p>Hello World - '.date('F Y h:i:s A').' </p>';
    phpinfo();
 ?>
 </body>
</html>

A fresh install should produce a page with the current date/time followed by the phpinfo() blocks of text.

Now edit the /etc/opt/rh/rh-php56/php.ini file (substituting in the proper version number), and change the disable_functions line to disable_functions = "phpinfo".

Now restart the HTTP server (systemctl restart httpd24-httpd.service) and reload the web page. The time should still be displayed, but the block of phpinfo() text should be missing.

This should also apply to the rh-php70-php, rh-php71-php, rh-php72-php, and rh-php73-php packages - adjust the /etc/opt/rh/rh-php## path accordingly.

dan_linder
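A check script that ties both answers together: it prints which php.ini the running PHP actually loaded (so a template under /opt/rh is caught immediately) and then verifies that each function you expect to be disabled is both listed in disable_functions and really refused by the engine. This is an added example, not code from the question or either answer; the filename check_hardening.php and the $required list are assumptions, so adjust the list to your own policy.

```php
<?php
// Added example, not part of the original page. Run it under the collection,
//   scl enable rh-php71 -- php check_hardening.php
// and also place it in the web root and load it through httpd24, because the
// CLI binary and mod_php can end up reading different ini files.
// $required is an assumed policy list; replace it with your own.
$required = ['exec', 'system', 'shell_exec', 'passthru', 'popen',
             'proc_open', 'pcntl_exec', 'dl', 'phpinfo'];

// Which php.ini was actually loaded? Under SCL this should be under
// /etc/opt/rh/<collection>/, not the copy under /opt/rh/.../register.content.
$loaded  = php_ini_loaded_file();
$scanned = php_ini_scanned_files();
echo "Loaded php.ini : " . ($loaded === false ? '(none)' : $loaded) . "\n";
echo "Scanned .ini   : " . ($scanned === false ? '(none)' : $scanned) . "\n";

// disable_functions is a comma separated list; tolerate spaces and case.
$disabled = array_map('strtolower', array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions')))));

// Two checks per function: it is named in the directive, and the engine
// refuses it (function_exists() returns false for a disabled function).
$problems = [];
foreach ($required as $fn) {
    $listed   = in_array(strtolower($fn), $disabled, true);
    $callable = function_exists($fn);
    printf("%-12s listed=%-3s callable=%s\n", $fn,
           $listed ? 'yes' : 'no', $callable ? 'YES' : 'no');
    if (!$listed || $callable) {
        $problems[] = $fn;
    }
}

if ($problems) {
    echo "NOT hardened: " . implode(', ', $problems) . "\n";
    echo "Edit the loaded php.ini shown above (not the /opt/rh template) "
       . "and restart httpd24-httpd.\n";
    exit(1);
}
echo "OK: all required functions are disabled.\n";
```

If the "Loaded php.ini" line points under /opt/rh/.../register.content rather than /etc/opt/rh, you are editing the installation template, which is exactly the situation described in the question.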