Monday, 13 April 2015

Restrict Filesystem Access to a Specific Directory

If your application must operate on the filesystem, you can set the open_basedir
option to further secure the application by restricting access to a specific directory.If
open_basedir is set in php.ini, PHP limits filesystem and I/O functions so that they
can operate only within that directory or any of its subdirectories. For example:

open_basedir = /some/path

With this configuration in effect, the following function calls succeed:


But these generate runtime errors:

$fp = fopen ("/some/other/file.exe", "r");
$dp = opendir("/some/path/../other/file.exe");

Of course, one web server can run many applications, and each application typically
stores files in its own directory.You can configure open_basedir on a per-virtual host
basis in your httpd.conf file like this:

DocumentRoot /web/sites/domainA
php_admin_value open_basedir /web/sites/domainA

Similarly, you can configure it per directory or per URL in httpd.conf:

# by directory
<Directory /home/httpd/html/app1>
php_admin_value open_basedir /home/httpd/html/app1
# by URL
<Location /app2>
php_admin_value open_basedir /home/httpd/html/app2

The open_basedir directory can be set only in the httpd.conf file, not in .htaccess files, and you must use php_admin_value to set it.