PHP: open_basedir in php.ini to Restrict and Limit PHP File Accesses to a Certain Directory

by Yang Yang on June 1, 2009

The open_basedir directive in php.ini limits PHP file accesses (such as file opening, writing and deleting) to a designated directory such as /home/www/public_html, so that PHP scripts can't endanger the rest of the system. With proper Apache permissions and PHP installed as an Apache module, PHP inherits whatever privileges Apache has. As Apache is usually given very limited permissions in the form of a ‘nobody’ or ‘www-data’ group, there’s actually no need for open_basedir.

So it’s actually turned off by default. Whether to use it or not is a matter of debate. While it’s good to have extra confinement of what your public PHP scripts can access and do, it would also make your applications reliant on it for file system security.

To modify the value of this directive and restrict PHP directory access, find php.ini and locate the line:

;open_basedir = 

Remove the leading semicolon, which comments the line out, and change the value to the minimum directory access your PHP applications need, such as the web document root:

open_basedir = '/home/www/public_html'
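To confirm what the restriction does, the following added example (not code from the original article) applies open_basedir at runtime with ini_set() and then reads one file inside and one file outside the allowed directory. It assumes a PHP 7+ command-line run with no open_basedir already configured; the temporary directory, file name and the helper try_read() are constructed for the demonstration and stand in for /home/www/public_html.

```php
<?php
// Added example: show what open_basedir allows and blocks.
// All paths below are constructed; $root stands in for the web document root.

$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_demo_' . getmypid();
if (!mkdir($root, 0700)) {
    fwrite(STDERR, "could not create $root\n");
    exit(2);
}
$root    = realpath($root);            // work with the symlink-resolved path
$inside  = $root . DIRECTORY_SEPARATOR . 'index.txt';
$outside = __FILE__;                   // this script lives outside $root
file_put_contents($inside, "hello\n");

// Runtime equivalent of "open_basedir = <dir>" in php.ini.
// Trailing separator so the value names the directory itself.
if (ini_set('open_basedir', $root . DIRECTORY_SEPARATOR) === false) {
    fwrite(STDERR, "could not set open_basedir\n");
    exit(2);
}

// Hypothetical helper: attempt a read and capture PHP's warning text, if any.
function try_read(string $path): array
{
    error_clear_last();
    $data = @file_get_contents($path); // @ hides the warning; error_get_last() keeps it
    $err  = error_get_last();
    return [$data !== false, $err['message'] ?? ''];
}

[$okIn, $msgIn]   = try_read($inside);
[$okOut, $msgOut] = try_read($outside);

printf("open_basedir = %s\n", ini_get('open_basedir'));
printf("inside  %s: %s\n", $inside, $okIn ? 'readable' : "blocked ($msgIn)");
printf("outside %s: %s\n", $outside, $okOut ? 'readable' : "blocked ($msgOut)");

// Clean up; both paths are inside the allowed directory.
@unlink($inside);
@rmdir($root);

// Exit 0 only when the confinement behaves as intended.
exit(($okIn && !$okOut) ? 0 : 1);
```

The same two reads, dropped into a script under the real document root after editing php.ini and restarting the web server, verify that the configured value is in effect.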