open_basedir not having any effect

Question

For my web hosting panel, users need to be blocked from accessing files outside their own directory (/var/www/u/s/username). I tried to use this line in httpd.conf to prevent people from going up a directory.

<Directory /var/www/users/>
php_admin_value open_basedir .:/usr/lib/php5
</Directory>

But in php.ini, it seems to have no effect. What am I doing wrong?

Answer 1

You may need to add a line for each user Directory:

<Directory /var/www/u/s/username>
php_admin_value open_basedir "/var/www/u/s/username/:/shared/path/"
</Directory>

Note that the trailing slash is here to prevent user "username" from accessing a "username2" directory.

Answer 2

It might be a silly suggestion, but have you restarted the webserver after making the php.ini changes?

Another method you might try using is to append a file using the "auto_prepend_file" directive to include a script to tighten up the open_basedir directive to the current users directory:

From PHP.net (http://www.php.net/manual/en/ini.sect.safe-mode.php)

As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set()

ADDITIONAL SUGGESTION:

The Apache configuration will need to be set up properly for INI overrides to be effective. Ensure that you have "AllowOverride Options" or "AllowOverride All" set in the Apache config for your Server or Virtual Host.

https://www.php.net/configuration.changes

http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

Answer 3

Most probably you're modifying the wrong "php.ini".

Answer 4

1. As far as I can tell, it's not in path format it has to be just one directory;
2. Using "." with open_basedir makes no sense at all, "." is allways the current directory. You can chdir('/wherever/you/want'), having "." expanded as /wherever/you/want