|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #13261 More restrictive File-system access
Submitted: 2001-09-12 05:21 UTC Modified: 2010-12-01 16:06 UTC
From: mike dot hall at opencube dot co dot uk Assigned: jani (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mike dot hall at opencube dot co dot uk
New email:
PHP Version: OS:


 [2001-09-12 05:21 UTC] mike dot hall at opencube dot co dot uk
echo `ls /home`;

In a virtual host situation, this is very dangerous. On my own host - as an experiment - I was able to bring back a directory listing of any other site on the same box. I then did an fread() on his database abstraction script and read the passwords for his database. Then I logged into his MySQL database and was free to mess with his site.

It would be EXTREMELY useful to be able to limit the scope of the filesystem functions so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from typing `cat /home/user/www/database.php`; and getting the same data. This really needs addressing, guys!


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-12 05:59 UTC] mike dot hall at opencube dot co dot uk
Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry I didn't make that clear first time.
 [2001-09-12 11:12 UTC]
You can dynamically assign open_basedir by adding "php_admin_value open_basedir /home/user" to every
Apache VirtualHost block.

The ls /home/user issue is a difficult problem to solve
due to the nature of the webserver module. Since the webserver module runs as user nobody, you are forced to open restrictions on users home directories and files to allow apache to read other users' php scripts. 

There are ways you can customize your hosting environment to get around the webserver module problem. 

b. Turing on safe_mode and setting the exec dir to point to a set of customized unix commands that lock users into there directory
c. hacking php to your environment

Currently, the best method is compiling php as cgi-bin module, and enabling safe_mode.

I have a project waiting on my todo list that could possibly solve a good majority the virtual hosting 
problems with php. If you are interested in this 
monitor the php-dev mailing list


 [2010-12-01 16:06 UTC]
-Status: Analyzed +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-01 16:06 UTC]
Safe-mode will be gone in future. Tightening open_basedir is now possible since 5.3 something.
 [2010-12-01 16:06 UTC]
-Package: *General Issues +Package: Safe Mode/open_basedir
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Sep 20 03:03:36 2021 UTC