Restrict access to parent directories in PHP

Question

I have seen from other questions that I can set open_basedir to restrict access to parent folders. However, I decided to do a bit of experimenting to find out what I could do.

First test was to see if I could manually set open_basedir using the ini_set function. Thankfully, it appears that this function can set a more restrictive basedir, but it cannot be used to lessen the restriction. That's all good.

However my next test was somewhat disturbing:

ini_set("open_basedir","/path/to/desired/root/limited");
echo file_get_contents("/some/outsite/file.txt"); // error: basedir restriction
echo `cat /some/outside/file.txt`; // outputs the file

I can't seem to find any way to restrict shell access to stuff.

So I guess my real question is, what can I do to ensure that parent folders are safe? Clearly, open_basedir doesn't cut it.

sdanzig · Accepted Answer

open_basedir generally doesn't restrict backdoor access like that. There was a "safe_mode" in PHP which prevented such calls like system() and exec(). Full list here: http://www.php.net/manual/en/features.safe-mode.functions.php

But that's been deprecated as of PHP 5.3 because there are many ways around it.

You could use suPHP and chroot, as suggested by another StackOverflow answer: PHP safemode alternative

"A better approach is use suphp to run your application as a jailed user. This uses the security of the operating system to protect your application. You run your php code as an account that doesn't have access to a shell. You remove write privileges from everything owned by that user chmod 500 -R /. Or go a step further and run your application within a chroot."

Useful links:

Restrict access to parent directories in PHP

Answers (2)

Related Questions