PHP open_basedir

Discussion in 'Web Design & Coding' started by Dark Atheist, May 5, 2008.

  1. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    if im reading this right i only need to add the dir of the webserver, so is it just /www or /home/www i have to put in there?

    /home/www is set as doc root in httpd.conf - so im leaning towards that
     
  2. JPRuss

    JPRuss OSNN Addict Folding Team

    Messages:
    77
    Location:
    In the unknown
    If you want to prevent fopen from accessing anything outside of /home/www then your open_basedir should be set to /home/www/ (note the slash at the end)

    If you don't have the slash on the end, it will allow access to any variants of /home/www as well (eg: /home/www1 /home/wwwmyweb, etc)

    If you put just /www/ it would allow access to only things in the directory /www, which I'm guessing does not exist and would probably cause all fopens to fail as well as other functions

    Hope this helps.
     
  3. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    so i was right with /home/www :) apart from the missing / - thanks
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    PHP Security team recommend against open_basedir and setting your file permissions correctly instead.
     
  5. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    Do you have any sources for this? I am unable to find any such reports at all.
     
  6. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    strange that as most things i have read say to use open dir and file permissions norm either 444 or 555
     
  7. albybum

    albybum Penguin Rancher

    Messages:
    280
    Location:
    Elizabethton, TN
  8. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    That does not say anything against using open_basedir. It just says it is flawed by design, but it is still a valid part of setting up a properly protected PHP.
     
  9. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    if i put /home/www i cant enter my site :p or /home/www/
     
  10. JPRuss

    JPRuss OSNN Addict Folding Team

    Messages:
    77
    Location:
    In the unknown
    You can't enter your site? What error message do you get?
     
  11. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    404 :D - i'll have a play with it later, don't have the time atm
     
  12. JPRuss

    JPRuss OSNN Addict Folding Team

    Messages:
    77
    Location:
    In the unknown
    Okay, good luck. It seems odd that a change to open_basedir would affect the ability to actually read the files.

    A few quick things to check

    a) Are your actual web files stored in the directory /home/www ?
    b) Does the directory containing the files have the correct permissions?
    c) Is it possible the directory is /home/WWW/ instead of /home/www/ (case sensitive)?
    d) Perhaps the specific includes within your files try to access other files outside of /home/www/. If this is the case, then you are actually getting the correct error.

    Hope this helps
     
  13. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    a) yes
    b) yes
    c) deff /home/www
    d) doing it on scripts that do not require files outside the root folder

    having a look now, can you add more than one path to that option ?

    Warning: session_start() [function.session-start]: open_basedir restriction in effect. File(/var/tmp) is not within the allowed path(s): (/home/www) in /usr/home/www/phpg/libraries/lib.inc.php on line 56

    Fatal error: session_start() [<a href='function.session-start'>function.session-start</a>]: Failed to initialize storage module: files (path: ) in /usr/home/www/phpg/libraries/lib.inc.php on line 56

    although on others it's giving different error(s) or a blank screen, im guessing its because eaccelerator cant access its temp file also and therefore the pages cant look at the cache folder, or could i fool it with a few symlinks ?
     
  14. JPRuss

    JPRuss OSNN Addict Folding Team

    Messages:
    77
    Location:
    In the unknown
    Yep, you separate them with the colon ( : ) character

    eg: /home/www/:/var/tmp/
     
  15. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    will try that later server is offline while i clean it out, rather dusty in there :p
     
  16. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    i got it working :p - although there is a symlink to /home php doesn't like it so the /home/www was correct in one way, but the line needed to be /usr/home/www:/var/tmp:/usr/home/_g2data - otherwise some pages did work while others just went to a blank screen :)

    edit: i would rep you jpruss but seems i need to spread it about a bit before i can rep you again :rolleyes:
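
Added example (not written by any poster in this thread, and not PHP's own code): a small Python model of the open_basedir behaviour described above, covering the prefix match without a trailing slash, the colon-separated list, and the /home symlink that made /usr/home/www the path that had to be listed. The symlink table, function names and sample file names are constructed for illustration.

```python
import posixpath

# Constructed symlink table mirroring the thread: /home points at /usr/home.
SYMLINKS = {"/home": "/usr/home"}


def resolve(path, symlinks=SYMLINKS):
    """Normalise '..' segments and expand a symlinked leading directory."""
    path = posixpath.normpath(path)
    for link, target in symlinks.items():
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return path


def allowed(path, open_basedir, symlinks=SYMLINKS):
    """Model of the check as the thread describes it.

    The requested path is resolved first, then compared as a plain string
    prefix against each colon-separated entry, exactly as the entry is written.
    """
    real = resolve(path, symlinks)
    # A directory such as /var/tmp must also match an entry written /var/tmp/.
    candidates = (real, real + "/")
    for entry in open_basedir.split(":"):
        if entry and any(c.startswith(entry) for c in candidates):
            return True
    return False


def loose_entries(open_basedir):
    """Entries without a trailing slash, which also match sibling names."""
    return [e for e in open_basedir.split(":") if e and not e.endswith("/")]


if __name__ == "__main__":
    final = "/usr/home/www:/var/tmp:/usr/home/_g2data"  # value from the thread
    checks = [
        ("/home/www/index.php", "/home/www/"),      # symlinked path, unresolved entry
        ("/home/www/index.php", "/usr/home/www/"),  # entry matches the resolved path
        ("/var/tmp", "/home/www"),                  # session directory not listed
        ("/home/www1/config.php", final),           # sibling allowed by prefix match
        ("/home/www1/config.php", "/usr/home/www/:/var/tmp/"),
    ]
    for path, setting in checks:
        print(f"{path!r} with {setting!r}: {allowed(path, setting)}")
    print("entries missing a trailing slash:", loose_entries(final))
```
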
     
  17. JPRuss

    JPRuss OSNN Addict Folding Team

    Messages:
    77
    Location:
    In the unknown
    No worries ! Glad you got it working
     
  18. borisP

    borisP OSNN One Post Wonder

    Messages:
    1