PHP’s Built-In Solutions For Shared Hosting

2008-01-05 07:17 Source: web Author: phpma

 

safe_mode doesn’t care where a file on disk is; all it cares about is who owns the file. open_basedir is the orthogonal feature. It doesn’t care who owns a file, only where the file exists on disk. You tell PHP which directory it is allowed to open files from, and PHP makes sure that all attempts to access files outside that directory will fail.

The idea is to set up each website so that PHP is only allowed to open PHP files installed for that website.

Switching On open_basedir

The open_basedir setting can be edited in php.ini, but to be honest that makes little sense on a shared hosting server. You’re much better off putting this configuration into the httpd.conf entry for each individual website:

<VirtualHost *:80>
	ServerName www.example.com
	DocumentRoot /home/customer1/public_html/www.example.com/

	# Restrict PHP file access for this site to its own directory (note the trailing slash)
	php_admin_value open_basedir /home/customer1/public_html/www.example.com/

	...
</VirtualHost>

There’s one gotcha with open_basedir that you need to pay close attention to. Despite the name, PHP doesn’t expect open_basedir to be the name of a directory; it treats it as a prefix. The check PHP uses is something like this:

function check_open_basedir($file)
{
    // resolve any symlink
    $file = realpath($file);
    $open_basedir = ini_get("open_basedir");

    // check to ensure file is inside open_basedir;
    // note that this is a plain string-prefix comparison
    if (substr($file, 0, strlen($open_basedir)) === $open_basedir)
    {
        return true;    // path starts with open_basedir: access allowed
    }
    return false;       // anything else is refused
}

To make sure that PHP treats open_basedir as a real directory, always put a slash at the end of the value for open_basedir.
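The following is an added example, not code from the original article. It models the prefix comparison described above as a pure string check, and audits Apache configuration text for open_basedir entries that lack the trailing slash. The helper names prefix_allows and audit_open_basedir, the sample paths and the configuration fragment are all constructed for illustration.

```php
<?php
// Added example: string-only model of the prefix comparison the article
// describes. It is not PHP's internal implementation.

// Hypothetical helper: true when $path passes a pure prefix comparison.
function prefix_allows(string $openBasedir, string $path): bool
{
    return strncmp($path, $openBasedir, strlen($openBasedir)) === 0;
}

// Hypothetical helper: report open_basedir entries in Apache config text
// that have no trailing slash. Entries are colon-separated on UNIX.
function audit_open_basedir(string $conf): array
{
    $findings = [];
    foreach (preg_split('/\R/', $conf) as $n => $line) {
        if (!preg_match('/^\s*php_admin_value\s+open_basedir\s+"?([^"\s]+)"?/', $line, $m)) {
            continue;
        }
        foreach (explode(':', $m[1]) as $dir) {
            if ($dir !== '' && substr($dir, -1) !== '/') {
                $findings[] = sprintf('line %d: "%s" has no trailing slash', $n + 1, $dir);
            }
        }
    }
    return $findings;
}

// Constructed sample paths, based on the article's example site.
$site    = '/home/customer1/public_html/www.example.com';
$sibling = '/home/customer1/public_html/www.example.com.old/config.php';

// Without the trailing slash, the sibling directory shares the prefix.
var_dump(prefix_allows($site, $sibling));
// With the trailing slash, only paths under the site directory match.
var_dump(prefix_allows($site . '/', $sibling));

// Constructed httpd.conf fragment: one weak entry, one corrected entry.
$conf = <<<CONF
<VirtualHost *:80>
    php_admin_value open_basedir /home/customer1/public_html/www.example.com
</VirtualHost>
<VirtualHost *:80>
    php_admin_value open_basedir /home/customer2/public_html/www.example.org/:/tmp/customer2/
</VirtualHost>
CONF;

print_r(audit_open_basedir($conf));
```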

open_basedir and PHP 6

For the moment at least, open_basedir will continue to be supported in PHP 6. There’s a slight change to how it is configured (with PHP 5, you can set open_basedir in .htaccess files; with PHP 6 you have to put it in httpd.conf or php.ini) but the actual functionality stays the same.

open_basedir is vulnerable to the same theoretical circumvention as safe_mode, so be careful when installing third party PHP extensions onto a shared server.

Where Do We Go From Here?

I’ve looked at two solutions implemented by PHP 4 & 5 to help make a shared hosting server more secure.

  • safe_mode stops you opening up files owned by other customers, but it has the side effect that your web application cannot create files of its own. This feature has been removed from PHP 6.
  • open_basedir stops you opening up files outside the specified directory on disk. This feature is still in PHP 6, but can now only be configured from php.ini and Apache’s httpd.conf.
  • Both features rely on third party extensions supporting them. It’s perfectly possible for a third party extension to choose to bypass both features, thus re-creating the security hole we’re trying to close.

In terms of our challenge, both features come close to solving it, but neither is 100% guaranteed to do so. Data security isn’t just a legal obligation, it’s also a moral one, and you can’t meet your moral obligation using these features alone.

Fundamentally, PHP is the wrong place to solve this problem. PHP is trying to overcome a security weakness that it has inherited from Apache (and all other web servers; this isn’t a problem specific to Apache), and in turn they are constrained by the security model implemented by UNIX systems themselves.

Moving up the stack, if the problem can’t be fixed in PHP, maybe Apache can offer some help? I’ll take a look at that in the next article.

This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you’d like to see covered in future articles, please leave them in the comments on this page.
