Request #5575 open_basedir to ~
Submitted: 2000-07-14 04:56 UTC Modified: 2015-02-17 07:50 UTC
Votes:15
Avg. Score:3.9 ± 1.2
Reproduced:7 of 9 (77.8%)
Same Version:0 (0.0%)
Same OS:5 (71.4%)
From: greg at netserv dot net dot au Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.0.1pl2 OS: Linux
Private report: No CVE-ID: None
 [2000-07-14 04:56 UTC] greg at netserv dot net dot au
Is it possible to make open_basedir settable to ~ so the base of the script can be the home directory of the owner of the script?
I have set it to . so one user can't just do an fopen on another user's scripts.
This has the side effect that using multiple directories for a set of scripts is very tricky, as the scripts can't include files from directories next to or below themselves.

I haven't fully tested this, but it also seems that the restrictions that mean you can't create a file in safe mode with open_basedir set seem to mean that the tmp_uploads aren't possible. Is it possible to make tmp_uploaddir also settable to ~/tmp

or allow tmp_upload to override the create restrictions to allow for dynamic temporary file names.

It seems to me that many people are relying on the security of their PHP scripts when another user on the system can simply read their files using the common "nobody" permissions.

Thanks Greg


History

 [2010-08-07 01:37 UTC] johannes@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2010-08-07 01:37 UTC] johannes@php.net
This won't make sense in most configurations, it can be set per vhost in httpd.conf, though.
 [2012-02-03 20:22 UTC] bill9 at windhome dot com
You can set it to the equivalent /home/loginid/

But be careful what you wish for, malware php files have access to your whole
folder structure, even if you don't set open_basedir.

open_basedir is a nice safe feature to limit the scope of php scripts
to your file system, ideally to only folders where a misbehaving script can do no 
harm.
 [2015-02-17 07:50 UTC] krakjoe@php.net
-Status: Open +Status: Wont fix
 [2015-02-17 07:50 UTC] krakjoe@php.net
As mentioned, this doesn't make sense in most configurations, and in addition, at least one operating system.

Since there are already enough ways to set this configuration option, and since this has been open for such a long time, I'm calling an end, and marking won't fix.
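
The replies point to setting open_basedir per vhost in httpd.conf, using the equivalent of /home/loginid/, and the request for `~` expansion was closed as won't fix. The script below is an added example (not part of the bug report or of PHP) that generates such per-account stanzas from passwd-format input. It assumes mod_php's `php_admin_value`, sites in `~/public_html`, uploads in `~/tmp`, vhost names of the form `<login>.example.test`, and UIDs of 1000 and above for regular accounts.

```shell
#!/bin/sh
# Added example: emit one Apache <VirtualHost> per account with open_basedir
# pinned to that account's home directory (the "/home/loginid/" form from the
# thread), so the "~" expansion is done when the config is generated.
# Assumptions (not from the bug report): mod_php's php_admin_value is in use,
# sites live in ~/public_html, uploads go to ~/tmp, vhosts are named
# <login>.example.test, and UIDs >= 1000 are regular accounts.

# Constructed sample input in /etc/passwd format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
greg:x:1001:1001:Greg:/home/greg:/bin/bash
bill:x:1002:1002:Bill:/home/bill/:/bin/sh
evil:x:1003:1003:odd entry:/home/../etc:/bin/sh'

# gen_vhosts: read passwd-format lines on stdin, write vhost stanzas to stdout.
gen_vhosts() {
    while IFS=: read -r login _pw uid _gid _gecos home _shell; do
        # Skip malformed UIDs, system accounts and the overflow "nobody" UID.
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge 1000 ] && [ "$uid" -ne 65534 ] || continue
        # Both values are written into the config verbatim, so refuse odd
        # login names and homes that are relative or contain "..".
        case "$login" in ''|*[!A-Za-z0-9._-]*) continue ;; esac
        case "$home" in /*) ;; *) continue ;; esac
        case "$home" in *..*|*[!A-Za-z0-9/._-]*) continue ;; esac
        home="${home%/}"             # normalise; one slash is re-added below
        [ -n "$home" ] || continue   # never emit open_basedir "/"
        cat <<EOF
<VirtualHost *:80>
    ServerName ${login}.example.test
    DocumentRoot "${home}/public_html"
    # php_admin_value cannot be overridden from .htaccess or ini_set()
    php_admin_value open_basedir "${home}/"
    php_admin_value upload_tmp_dir "${home}/tmp"
</VirtualHost>
EOF
    done
}

# Stand-alone run: print the stanzas for the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | gen_vhosts
```

Keeping `upload_tmp_dir` inside each account's own tree means uploads do not depend on a shared temporary directory being reachable under `open_basedir`.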
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC