|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #5575 open_basedir to ~
Submitted: 2000-07-14 04:56 UTC Modified: 2015-02-17 07:50 UTC
Avg. Score:3.9 ± 1.2
Reproduced:7 of 9 (77.8%)
Same Version:0 (0.0%)
Same OS:5 (71.4%)
From: greg at netserv dot net dot au Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.0.1pl2 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2000-07-14 04:56 UTC] greg at netserv dot net dot au
is it possible to make open_basedir setable to ~ so the base of the script can be the home directory of the owner of the script.
I have set it to . so one users cant just do a fopen on another users scripts
This has the side effect that using mutiple directories for a set of scripts is very tricky as the scripts cant include files from directories next to or below them selves. 

I havent fully tested this but it also seems that the restrictions that mean you cant create a file in safe mode with open_basedir set seem to mean that the tmp_uploads arent possible Is it possible to make tmp_uploaddir  also setable to ~/tmp

or allow tmp_upload to over ride the create restrictions to allow for dynamic tempoary file names.

It seems to me that many people are relying on the security of their phpscripts when another user on the system can simply read their files useing the common "nobody" permissions

Thanks Greg


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-08-07 01:37 UTC]
-Package: Feature/Change Request +Package: *General Issues
 [2010-08-07 01:37 UTC]
This won't make sense in mostconfiguartions, it can be setper vhost in httpd.conf, though.
 [2012-02-03 20:22 UTC] bill9 at windhome dot com
You can set it to the equivalent /home/loginid/

But be careful what you wish for, malware php files have access to your whole
folder structure, even if you dont set open_basedir.

open_basedir is a nice safe feature to limit the scope of php scripts
to your file system, ideally to only folders where a misbehaving script can do no 
 [2015-02-17 07:50 UTC]
-Status: Open +Status: Wont fix
 [2015-02-17 07:50 UTC]
As mentioned, this doesn't make sense in most configurations, and in addition, at least one operating system.

Since there is already enough ways to set this configuration option, and since this has been open for such a long time, I'm calling an end, and marking won't fix.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 30 05:01:24 2021 UTC