How to Set for Specific Directory Open_Basedir

How to set for specific directory open_basedir

You can set open_basedir in your Apache configuration file, php.ini, or in a .htaccess file.

I normally set this in an apache config file such as /etc/httpd/conf/httpd.conf.

You will have a directory structure for your current domain/virtual-host and you can add the line directly in there:

<VirtualHost 123.123.123.123:80>
    <Directory /htdocs/unsecured>
        php_admin_value open_basedir "C:/htdocs/unsecured"
    </Directory>
</VirtualHost>

Note: The 123.123.123.123 is the IP address of your domain and this sample block potentially leaves out a lot of data for this configuration only showing what's needed for open_basedir.

In php.ini, you can do this on a much-more general level (and it will be applied to every domain on your server) with:

open_basedir = "/htdocs/unsecured"

In .htaccess, you should be able to use the following (though I haven't tested):

php_value open_basedir "/htdocs/unsecured"

EDIT (Windows path)

Per a comment, you're running xammp on Windows (and not using Virtual Hosts). With this information, I would suggest to put your open_basedir rule in your php.ini file. This should (hopefully) work for you:

open_basedir = "C:\xampp\htdocs\unsecured"

In linux, a : is a field separator. In Windows, the ; is the separator - so this should work, but I am unable to test it personally.

open_basedir loose it interest with a parent folder?

Even when specifying open_base_dir in PHP, there is several commands that can bypass this if they are enabled (like system() )

You should make sure that your Apache (or other webserver) configuration also limits the user to a certain root.

The default open_basedir restrictions for shared Linux hosting accounts have no value. PHP scripts can access all directories within your hosting account.

If your apache config has:
php_admin_value open_basedir "/var/www/vhosts/httpdocs"
than this will override you php settings.

Please create a file to check phpinfo like this and verify what the setting is there:

<?php
phpinfo();
?>

What should my open_basedir path be set as?

DOCUMENT_ROOT should always be open_basedir.

Is your wp installed in this dir? If so, wp automatically read the right dir in multisite mode from that, so your open_base_dir should be your document_root

How can I relax PHP's open_basedir restriction?

You can also do this easily on a per-directory basis using the Apache (assuming this is your web server) configuration file (e.g. httpd.conf)

<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir "/var/www/vhosts/domain.tld/httpdocs:/var/www/vhosts/domain.tld/zend"
</Directory>

you can also completely remove the restriction with

<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir none
</Directory>

PHP: open_basedir allowed path

There is unfixed bug in PHP that is triggered when you open or check a path that have an existent file as prefix, and not existent part as suffix. In your example there is existent part /home/virtual/domain.com/public_html/galleries/img/002.JPG with not existent suffix / (trailing slash in path).

There is explanation that this is not a bug: “This is expected behaviour. A non path that doesn't exists (the one with the slash) is considered outside of the basedir.”, but I don't think so. This bug only triggers if first part of path is an existent file.

PHP bugs:

• "Bug #54419 :: is_dir() called on file with trailing slash to throw warning if open_basedir"
• "Bug #52065 :: Warning about open_basedir restriction while accessing a file as directory"

How can i write open_basedir like this - open_basedir = 'var/home/*/'

If you want to restrict PHP to each user's own home directory you need a PHP setup in which:

1. PHP runs with the user credentials
2. PHP accepts a per-user configuration

A typical case is a CGI (or FastCGI) setup, rather than running PHP as Apache module. Then you can provide a custom php.ini file for each user.

BTW, I haven't tested it but perhaps open_basedir = "~" works as expected...

====== EDIT ======

Some clarifications that arise from the OP's comment:

1. In Unix shells, "~" is a synonym for "current user's home directory" so it's "/var/home/john" if you are john and it's "/var/home/michael" if you are michael. "var/home/~/" has no special meaning: it's just a directory that's called ~.

2. Many programs use this shell convention. I don't know if PHP does so.

3. CGI allows to execute arbitrary programs on the server so it is less secure than static HTML the same way that a skateboard is less secure than a space shuttle. But we are not talking about executing arbitrary programs: we are talking about executing the PHP interpreter. It'll be as as secure as PHP and your environment are.

4. If you are interested in the subject, Google for FastCGI (a CGI implementation with enhanced performance). Many hosting providers use it.

open_basedir restriction in effect, but the directory *is specified* in php.ini

You're going to run into a lot of permission issues trying to use PHP and C:\Program Files (x86). Both the 32-bit and 64-bit Program Files directories in Windows are very picky when it comes to write permissions. If you move the directory outside of Program Files and right into the C:\ drive it should alleviate some problems. (i.e., C:\temp is usually easily accessible with PHP when doing file uploads, session storage, etc...).

---

Related Topics