Request #50488 global setting for open_basedir in combination with virtual hosts needed
Submitted: 2009-12-16 09:19 UTC Modified: 2010-11-24 10:01 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: lars dot plessmann at gmx dot de Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2009-12-16 09:19 UTC] lars dot plessmann at gmx dot de
Description:
------------
This is more of a feature request for PHP.

If you are running Apache with vhost support, you need to set the open_basedir for each vhost for security reasons.

The problem is, you cannot set a global open_basedir setting which is valid at all times for any vhost (in the php.ini e.g.)!
If the open_basedir setting is set anew in a httpd.conf vhost section, the global value will be overwritten. In this case you have to set the "global" setting in the httpd.conf vhost section again. This is a lot of administration overhead! And the biggest problem is that the httpd.conf vhost sections are often automatically generated (think about PLESK or other webhosting tools).

A new option called something like "global_open_basedir" would be much appreciated for directories like /Tmp-Dir /Path-To-Pear-Installation etc.

Reproduce code:
---------------
*** php.ini ***
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/tmp:/usr/share/php5/PEAR"
****************


*** httpd.conf ***
<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs:/tmp:/usr/share/php5/PEAR"
[...]
</VirtualHost>

<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs:/tmp:/usr/share/php5/PEAR"
[...]
</VirtualHost>

[some other 50 vhosts...]
****************

Expected result:
----------------
*** php.ini ***
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
;
;open_basedir =

; valid for any vhost if not overwritten
global_open_basedir = "/tmp:/usr/share/php5/PEAR"
****************


*** httpd.conf ***
<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs"
[...]
</VirtualHost>

<VirtualHost xx.xx.xx.xx:80>
   [...]
   php_admin_flag engine on
   php_admin_flag safe_mode off
   php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs"
[...]
</VirtualHost>

[some other 50 vhosts...]
****************

Actual result:
--------------
At the moment you can set the open_basedir configuration in php.ini, but you cannot extend it with further directories in the vhost section.
So you automatically overwrite the open_basedir setting in the vhost section, which is not very handy for administrative tasks.
A separate global_open_basedir setting would solve the problem and offer more control and less work for system administrators.

 [2009-12-16 10:43 UTC] jani@php.net
If you used FastCGI you would have access to a much better way to configure PHP:

  http://www.php.net/manual/en/ini.sections.php

But for old skool (Apache), perhaps a better idea would be to add something like this:

  php_admin_value_append open_basedir ":/my/path"

Which would add it rather than overwrite. We already have the basic elements there as you can tighten it during runtime: 

  http://www.php.net/manual/en/ini.core.php#ini.open-basedir

That example is not so good. When you do ini_set(), you just pass new path there. This should also work from .htaccess the same way. :)
It will be appended to open_basedir then.

 [2009-12-16 11:16 UTC] lars dot plessmann at gmx dot de
Pardon, but that does not really help me.
You're right, I do not use the FastCGI version. I use PHP as an Apache module like many others.

In many cases the configuration of a httpd.conf is handled by a configuration tool like Parallels PLESK or some other tool. The httpd.conf is built up from templates and you cannot change them, or you shouldn't/mustn't. In PLESK there is the possibility to extend the httpd.include file (it's the vhost configuration) by a separate user-defined file vhost.conf (it will be included at the end of the httpd.include).
The problem with that is that you have to change many vhost files if the open_basedir definition has to be changed. At the moment you cannot change it in one place. That is very annoying.
I know that is not specifically a PHP problem now, but offering a global_open_basedir variable would help very much in this case. It's up to everybody whether to use the feature or leave it as it is (by default it should not be set, of course).

Normally the "correct" paths for the open_basedir definition are already set up by the web hosting provider, but it's PEAR which causes so many problems... Of course, you can set up a separate PEAR environment for each virtual host, but that means a lot of administration overhead again...

Just google for PEAR and open_basedir and you'll find thousands of results. Web hosters cannot properly set up a secure environment, and users often remove the open_basedir definition completely so that their scripts run. So it leads to a fatal lack of security. That's not good.

Anyway, thank you for the tip about extending the basedir. I didn't know that until now!
 [2009-12-16 12:43 UTC] jani@php.net
I did not offer you any solution there, just pointed out some facts. And it's still a better idea to add a common php_admin_value_append in Apache than yet another ini option. Reclassified since this isn't a bug.
 [2010-11-24 10:01 UTC] jani@php.net
-Package: Feature/Change Request
+Package: Safe Mode/open_basedir
-PHP Version: 5.3, 6
+PHP Version: *
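
An added example, not part of the bug report or of PHP itself: because a per-vhost open_basedir replaces the php.ini value instead of extending it, this Python check reads the vhost sections and reports those that lack the shared paths, clear the restriction, or set no value of their own. The sample configuration, the ServerName values and the `audit` helper are constructed for illustration; the shared paths are the ones from the report.

```python
import re

# Constructed sample shaped like the report's httpd.conf (placeholder hosts).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
   ServerName domain1.tld
   php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs:/tmp:/usr/share/php5/PEAR"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
   ServerName domain2.tld
   php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
   ServerName domain3.tld
   php_admin_value open_basedir none
</VirtualHost>
<VirtualHost 192.0.2.10:80>
   ServerName domain4.tld
</VirtualHost>
"""

SHARED = ("/tmp", "/usr/share/php5/PEAR")  # the report's common paths

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
BASEDIR_RE = re.compile(r"^\s*php_admin_value\s+open_basedir\s+(.*)$", re.M | re.I)

def audit(conf, shared=SHARED):
    """Return {ServerName: finding} for each vhost whose open_basedir needs attention."""
    report = {}
    for body in VHOST_RE.findall(conf):
        m = NAME_RE.search(body)
        name = m.group(1) if m else "(unnamed)"
        match = BASEDIR_RE.search(body)
        if match is None:
            # Nothing overrides php.ini here, so only the global value applies.
            report[name] = "no per-vhost open_basedir"
            continue
        value = match.group(1).strip().strip('"')
        paths = [p.rstrip("/") or "/" for p in value.split(":") if p]
        if not paths or value.lower() == "none":
            report[name] = "open_basedir cleared, no restriction"
        elif "/" in paths:
            report[name] = "open_basedir allows the whole filesystem"
        else:
            missing = [s for s in shared if s not in paths]
            if missing:
                report[name] = "missing shared paths: " + ":".join(missing)
    return report
```

Calling `audit(SAMPLE_CONF)` returns findings for domain2.tld, domain3.tld and domain4.tld only; domain1.tld carries both shared paths and is not reported.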
 
Last updated: Fri Oct 18 11:01:27 2019 UTC