Jump to content

How to test if open_basedir restriction is correctly enforced

Recommended Posts

I have a VPS using FastCGI (WHM/cPanel). As I understand it, in my configuration with FCGI, open_basedir must be set using a php.ini file in each user's /home/ directory (From what I've read, it won't work to do it in the global httpd.conf or global php.ini). 


I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different user's directories.


I have added this value to a user's home directory php.ini file:

open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp


What I want to know is, is there a way to test that this is functioning properly? How do I know if it is enforcing it as it should? Presumably I would want to try and execute a .php file in another user's directory from within that first user...however I don't know of a good way to test this. Any suggestions would be greatly appreciated. 

Link to comment
Share on other sites

Why not just make yourself a test user account, with the settings applied, and see if you can make a script that gets around the restriction. You can save yourself some work by simply verifying that the setting is there and correct and assume that PHP will enforce it.

Link to comment
Share on other sites

Note that open_basedir won't prevent someone from reading another users files if you still allow things like exec()/system() as they could just use those to get around the restriction.


If you are using PHP-FPM one thing you can do is setup a separate pool for each user and set the chroot directive to lock them into their home directory. There wouldn't be any way the user could get around that restriction.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.