Jump to content


How to test if open_basedir restriction is correctly enforced

php open_basedir apache linux whm

  • Please log in to reply
2 replies to this topic

#1 mAurelius

  • New Members
  • Pip
  • Newbie
  • 1 posts

Posted 01 March 2014 - 09:19 PM

I have a VPS using FastCGI (WHM/cPanel). As I understand it, in my configuration with FCGI, open_basedir must be set using a php.ini file in each user's /home/ directory (From what I've read, it won't work to do it in the global httpd.conf or global php.ini). 
I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different user's directories.
I have added this value to a user's home directory php.ini file:
open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp
What I want to know is, is there a way to test that this is functioning properly? How do I know if it is enforcing it as it should? Presumably I would want to try and execute a .php file in another user's directory from within that first user...however I don't know of a good way to test this. Any suggestions would be greatly appreciated. 

#2 requinix

  • Administrators
  • Lazy Administrator
  • 9,371 posts
  • LocationWA

Posted 02 March 2014 - 04:39 AM

Why not just make yourself a test user account, with the settings applied, and see if you can make a script that gets around the restriction. You can save yourself some work by simply verifying that the setting is there and correct and assume that PHP will enforce it.
The Reimann Zeta Function Trolley Problem | "Summer is when I, the great ice fairy, can show my true power!"

#3 kicken

  • Gurus
  • Wiser? Not exactly.
  • 3,313 posts
  • LocationBonita, FL

Posted 02 March 2014 - 04:56 AM

Note that open_basedir won't prevent someone from reading another users files if you still allow things like exec()/system() as they could just use those to get around the restriction.

If you are using PHP-FPM one thing you can do is setup a separate pool for each user and set the chroot directive to lock them into their home directory. There wouldn't be any way the user could get around that restriction.
Did I help you out? Feeling generous? I accept tips via Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
Kicken's World⦄ ⦃Recycle old CD's

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users