PHP :: Request #50488 :: global setting for open_basedir in combination with virtual hosts needed

global setting for open_basedir in combination with virtual hosts needed

Submitted:

2009-12-16 09:19 UTC

Modified:

2020-11-09 17:46 UTC

Votes:	3
Avg. Score:	3.7 ± 0.9
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	2 (100.0%)

From:

lars dot plessmann at gmx dot de

Assigned:

Status:

Suspended

Package:

Safe Mode/open_basedir

PHP Version:

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2009-12-16 09:19 UTC] lars dot plessmann at gmx dot de

Description:
------------
This is more a feature request for PHP.

If you are running apache with vhosts support, you need to set the open_basedir for each vhost for security reasons.

The problem is, you cannot set a global open_basedir setting which is valid all time for any vhost (in the php.ini e.g.)! 
If the open_basdir setting is new set in a httpd.conf vhost-section, the global value will be overwritten. In this case you have to set the "global" setting in the httpd.conf vhost-section again. This is very much administration overhead! And the very most problem is, the httpd.conf vhost sections are often automatically generated (think about PLESK or other webhosting tools).

A new option called something like "global_open_basedir" would be very appreciated for directories like /Tmp-Dir /Path-To-Pear-Installation etc.

Reproduce code:
---------------
*** php.ini ***
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/tmp:/usr/share/php5/PEAR"
****************


*** httpd.conf ***
<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs:/tmp:/usr/share/php5/PEAR"
[...]
</VirtualHost>

<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs:/tmp:/usr/share/php5/PEAR"
[...]
</VirtualHost>

[some other 50 vhosts...]
****************

Expected result:
----------------
*** php.ini ***
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
;
;open_basedir =

; valid for any vhost if not overwritten
global_open_basedir = "/tmp:/usr/share/php5/PEAR"
****************


*** httpd.conf ***
<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs"
[...]
</VirtualHost>

<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs"
[...]
</VirtualHost>

[some other 50 vhosts...]
****************

Actual result:
--------------
at the moment you can set the open_basedir configuration in php.ini but you cannot extend it with further directories in the vhost-section part. 
So, you do automatically overwrite the open_basedir setting in the vhost-section part which is not very handy for administrative tasks.
A sepparate global_open_basedir setting would solve the problem and offer more control and less work for system administrators.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-12-16 10:43 UTC] jani@php.net

If you used FastCGI you would have access to much better way to configure PHP:

  http://www.php.net/manual/en/ini.sections.php

But for old skool (Apache), perhaps better idea would be to add something like this:

  php_admin_value_append open_basedir ":/my/path"

Which would add it rather than overwrite. We already have the basic elements there as you can tighten it during runtime: 

  http://www.php.net/manual/en/ini.core.php#ini.open-basedir

That example is not so good. When you do ini_set(), you just pass new path there. This should also work from .htaccess the same way. :)
It will be appended to open_basedir then.

[2009-12-16 11:16 UTC] lars dot plessmann at gmx dot de

Pardon, but that does not really help for me.
You're right I do not use the FastCGI Version. I use PHP as apache module like many others.

In many cases the configuration of a httpd.conf is handled by a configuration tool like Parallels PLESK or some other tool. The httpd.conf is built up by templates and you cannot change them or you shouldn't/mustn't. In PLESK there is the possibility to extend the httpd.include file (it's the vhost configuration) by a sepparate userdefined file vhost.conf (will be included at the end of the httpd.include).
The problem about is, that you have to change many vhost files if the open_basedir definition has to be changed. At the moment you cannot change it at one place. That is very annoying.
I know - that is not a special PHP problem now, but offering a global_open_basedir variable would help for this case very much. It's up to everybodys self to use the feature or leave it as it is (default it should not be set of course).

Normally the "correct" paths for the open_basedir definition are already set up by the webhoster provider, but its PEAR which makes so many problems... Of course, you can set up an own PEAR environment for each virtual host, but that means much administation overhead again...

Just google for PEAR and open_basedir and you'll find thousends of results. Webhoster cannot properly set up a secure environment and often users remove the open_basedir definition completely that their scripts run. So it dues to a fatal security lack. Thats not good.

Anyway, I thank you for the tipp by extending the basedir. I haven't known that up to now!

[2009-12-16 12:43 UTC] jani@php.net

I did not offer you any solution there, just pointed out some facts. And it's still better idea to add common php_admin_value_append in Apache than yet another ini option. Reclassified since this isn't a bug.

[2010-11-24 10:01 UTC] jani@php.net

-Package: Feature/Change Request +Package: Safe Mode/open_basedir -PHP Version: 5.3, 6 +PHP Version: *

[2020-11-09 17:46 UTC] cmb@php.net

-Status: Open +Status: Suspended

[2020-11-09 17:46 UTC] cmb@php.net

Is this feature request still relevant?  If so, please forward the
request to the internals mailing list[1], since it obviouly
requires discussion for which this bug tracker is not suitable.
For the time being, I'm suspending this ticket.

[1] <https://www.php.net/mailing-lists.php#internals>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 15:01:29 2024 UTC