PHP :: Request #5575 :: open

open_basedir to ~

Submitted:

2000-07-14 04:56 UTC

Modified:

2015-02-17 07:50 UTC

Votes:	15
Avg. Score:	3.9 ± 1.2
Reproduced:	7 of 9 (77.8%)
Same Version:	0 (0.0%)
Same OS:	5 (71.4%)

From:

greg at netserv dot net dot au

Assigned:

Status:

Wont fix

Package:

*General Issues

PHP Version:

4.0.1pl2

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2000-07-14 04:56 UTC] greg at netserv dot net dot au

is it possible to make open_basedir setable to ~ so the base of the script can be the home directory of the owner of the script.
I have set it to . so one users cant just do a fopen on another users scripts
This has the side effect that using mutiple directories for a set of scripts is very tricky as the scripts cant include files from directories next to or below them selves. 

I havent fully tested this but it also seems that the restrictions that mean you cant create a file in safe mode with open_basedir set seem to mean that the tmp_uploads arent possible Is it possible to make tmp_uploaddir  also setable to ~/tmp

or allow tmp_upload to over ride the create restrictions to allow for dynamic tempoary file names.

It seems to me that many people are relying on the security of their phpscripts when another user on the system can simply read their files useing the common "nobody" permissions

Thanks Greg

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-08-07 01:37 UTC] johannes@php.net

-Package: Feature/Change Request +Package: *General Issues

[2010-08-07 01:37 UTC] johannes@php.net

This won't make sense in mostconfiguartions, it can be setper vhost in httpd.conf, though.

[2012-02-03 20:22 UTC] bill9 at windhome dot com

You can set it to the equivalent /home/loginid/

But be careful what you wish for, malware php files have access to your whole
folder structure, even if you dont set open_basedir.

open_basedir is a nice safe feature to limit the scope of php scripts
to your file system, ideally to only folders where a misbehaving script can do no 
harm.

[2015-02-17 07:50 UTC] krakjoe@php.net

-Status: Open +Status: Wont fix

[2015-02-17 07:50 UTC] krakjoe@php.net

As mentioned, this doesn't make sense in most configurations, and in addition, at least one operating system.

Since there is already enough ways to set this configuration option, and since this has been open for such a long time, I'm calling an end, and marking won't fix.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 06:00:01 2025 UTC