ID: 50488 Updated by: [email protected] Reported By: lars dot plessmann at gmx dot de Status: Open Bug Type: Safe Mode/open_basedir Operating System: OpenSUSE 2.6.18-028stab064.7 PHP Version: 5.3.1 New Comment:
If you used FastCGI you would have access to much better way to configure PHP: http://www.php.net/manual/en/ini.sections.php But for old skool (Apache), perhaps better idea would be to add something like this: php_admin_value_append open_basedir ":/my/path" Which would add it rather than overwrite. We already have the basic elements there as you can tighten it during runtime: http://www.php.net/manual/en/ini.core.php#ini.open-basedir That example is not so good. When you do ini_set(), you just pass new path there. This should also work from .htaccess the same way. :) It will be appended to open_basedir then. Previous Comments: ------------------------------------------------------------------------ [2009-12-16 09:19:51] lars dot plessmann at gmx dot de Description: ------------ This is more a feature request for PHP. If you are running apache with vhosts support, you need to set the open_basedir for each vhost for security reasons. The problem is, you cannot set a global open_basedir setting which is valid all time for any vhost (in the php.ini e.g.)! If the open_basdir setting is new set in a httpd.conf vhost-section, the global value will be overwritten. In this case you have to set the "global" setting in the httpd.conf vhost-section again. This is very much administration overhead! And the very most problem is, the httpd.conf vhost sections are often automatically generated (think about PLESK or other webhosting tools). A new option called something like "global_open_basedir" would be very appreciated for directories like /Tmp-Dir /Path-To-Pear-Installation etc. Reproduce code: --------------- *** php.ini *** ; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory ; or per-virtualhost web server configuration file. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. open_basedir = "/tmp:/usr/share/php5/PEAR" **************** *** httpd.conf *** <VirtualHost xx.xx.xx.xx:80> [...] php_admin_flag engine on php_admin_flag safe_mode off php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs:/tmp:/usr/share/php5/PEAR" [...] </VirtualHost> <VirtualHost xx.xx.xx.xx:80> [...] php_admin_flag engine on php_admin_flag safe_mode off php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs:/tmp:/usr/share/php5/PEAR" [...] </VirtualHost> [some other 50 vhosts...] **************** Expected result: ---------------- *** php.ini *** ; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory ; or per-virtualhost web server configuration file. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. ; ;open_basedir = ; valid for any vhost if not overwritten global_open_basedir = "/tmp:/usr/share/php5/PEAR" **************** *** httpd.conf *** <VirtualHost xx.xx.xx.xx:80> [...] php_admin_flag engine on php_admin_flag safe_mode off php_admin_value open_basedir "/srv/www/vhosts/domain1.tld/httpdocs" [...] </VirtualHost> <VirtualHost xx.xx.xx.xx:80> [...] php_admin_flag engine on php_admin_flag safe_mode off php_admin_value open_basedir "/srv/www/vhosts/domain2.tld/httpdocs" [...] </VirtualHost> [some other 50 vhosts...] **************** Actual result: -------------- at the moment you can set the open_basedir configuration in php.ini but you cannot extend it with further directories in the vhost-section part. So, you do automatically overwrite the open_basedir setting in the vhost-section part which is not very handy for administrative tasks. A sepparate global_open_basedir setting would solve the problem and offer more control and less work for system administrators. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=50488&edit=1
