PHP system functions should be disabled for security

Reference: Vladimir vs Hosting Industry – PHP & system functions – Vladimir Smitka

You should block the function putenv to protect your websites from local attacks; currently, HestiaCP does not have putenv in the blocked list.

Here is a minimal set of functions that should definitely be disabled:

system exec shell_exec passthru proc_open popen pcntl_exec putenv
3 Likes

HestiaCP is wonderful. You can easily define your own restricted php templates in /usr/local/hestia/data/templates/web/php-fpm

1 Like

Or just edit php.ini

1 Like

php.ini settings cannot be defined via /usr/local/hestia/data/templates/web/php-fpm/* (that is only for FPM), and edits such as disable_functions will be overwritten by a user/web domain rebuild or HestiaCP updates.

You can search /usr/local/hestia/ to see the *.sh scripts that force such disable_functions overwrites with sed.

@eris, any chance to preserve disable_functions across HestiaCP updates or config rebuilds? Post-install hooks?
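Since rebuilds and updates can silently reset disable_functions, a quick audit helps catch the gap the first post describes. The following POSIX sh helper is an added example, not code from the thread or from HestiaCP: it reads a php.ini or FPM pool file, extracts the effective disable_functions value, and reports which entries of the minimal list above are still missing; the ini fragment it checks is constructed for the example.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not HestiaCP code): report which functions
# from the minimal deny-list in the first post are missing from
# disable_functions in a php.ini or FPM pool file.

REQUIRED="system exec shell_exec passthru proc_open popen pcntl_exec putenv"

# Print the effective disable_functions value from a php.ini or pool file.
# Accepts both "disable_functions = ..." and php_admin_value[disable_functions],
# skips commented (;) lines, and takes the last assignment in the file.
get_disabled() {
    sed -n -E \
      -e 's/^[[:space:]]*(php_admin_value\[disable_functions\]|disable_functions)[[:space:]]*=[[:space:]]*"?([^";]*)"?.*$/\2/p' \
      "$1" | tail -n 1 | tr ',' ' '
}

# Print the required functions that are NOT disabled; exit status 1 if any.
missing_functions() {
    disabled=" $(get_disabled "$1" | tr -s ' ') "
    missing=""
    for fn in $REQUIRED; do
        case "$disabled" in
            *" $fn "*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: a commented-out full list followed by a live list
# that lacks putenv, the gap the first post points out.
INI_SAMPLE=$(mktemp)
cat > "$INI_SAMPLE" <<'EOF'
; constructed php.ini fragment for the example
;disable_functions = system,exec,shell_exec,passthru,proc_open,popen,pcntl_exec,putenv
disable_functions = system, exec, shell_exec, passthru, proc_open, popen, pcntl_exec
EOF

if missing_functions "$INI_SAMPLE"; then
    echo "OK: minimal set disabled in $INI_SAMPLE"
else
    echo "WARNING: the functions listed above are still enabled in $INI_SAMPLE" >&2
fi
```

Run it against the php.ini of each PHP version after a rebuild or update to confirm the list survived; a non-zero exit status makes it usable from a cron job or a post-install hook.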