How to test if open_basedir restriction is correctly enforced

[mAurelius]

I have a VPS using FastCGI (WHM/cPanel). As I understand it, in my configuration with FCGI, open_basedir must be set using a php.ini file in each user's /home/ directory (From what I've read, it won't work to do it in the global httpd.conf or global php.ini). 

 

I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different user's directories.

 

I have added this value to a user's home directory php.ini file:

open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp

 

What I want to know is, is there a way to test that this is functioning properly? How do I know if it is enforcing it as it should? Presumably I would want to try and execute a .php file in another user's directory from within that first user...however I don't know of a good way to test this. Any suggestions would be greatly appreciated. 

[requinix]

Why not just make yourself a test user account, with the settings applied, and see if you can make a script that gets around the restriction. You can save yourself some work by simply verifying that the setting is there and correct and assume that PHP will enforce it.

[kicken]

Note that open_basedir won't prevent someone from reading another users files if you still allow things like exec()/system() as they could just use those to get around the restriction.

 

If you are using PHP-FPM one thing you can do is setup a separate pool for each user and set the chroot directive to lock them into their home directory. There wouldn't be any way the user could get around that restriction.