PHP: open_basedir in php.ini to Restrict and Limit PHP File Accesses to a Certain Directory

The open_basedir directive in php.ini confines PHP file access (such as opening, writing and deleting files) to a designated directory such as /home/www/public_html, so that scripts cannot endanger the rest of the system. With proper Apache permissions and PHP installed as an Apache module, PHP inherits whatever privileges Apache has. As Apache is usually given very limited permissions, in the form of a ‘nobody’ or ‘www-data’ group, there’s actually no need for open_basedir.

So it’s turned off by default. There is debate about whether to use it or not. While it’s good to have extra confinement of what your public PHP scripts can access and do, using it would also make your applications reliant on it for file system security.

To modify the value of this directive and restrict PHP directory access, find php.ini and locate the line:

;open_basedir = 

And change it to the minimum directory access your PHP applications need, such as the web document root:

open_basedir = '/home/www/public_html'
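
An added example (not from the original post) showing the directive's effect from the PHP side: it tightens open_basedir at runtime with ini_set() on a constructed directory tree under the system temp directory, then attempts reads inside the tree, outside it, via ../ and through a symlink. It assumes a Unix-like system and PHP 7 or later; the paths and the try_read() helper are made up for the demonstration.

```php
<?php
// Added example: observe open_basedir confining file access.
// Every path below is constructed for the demo under the temp directory.

$base = sys_get_temp_dir() . '/obd_demo_' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700, true);
$base = realpath($base); // normalise in case the temp dir is itself a symlink

file_put_contents("$base/public_html/index.txt", "public content\n");
file_put_contents("$base/private/secret.txt", "outside the web root\n");
// A symlink that lives inside the allowed tree but points outside it.
symlink("$base/private/secret.txt", "$base/public_html/link.txt");

// open_basedir can be tightened (never loosened) at runtime. In production
// it belongs in php.ini or the web server configuration instead.
if (ini_set('open_basedir', "$base/public_html/") === false) {
    exit("could not set open_basedir\n");
}

function try_read(string $path): string
{
    // @ hides the "open_basedir restriction in effect" warning;
    // a blocked read makes file_get_contents() return false.
    $data = @file_get_contents($path);
    return $data === false ? 'DENIED' : 'allowed';
}

$cases = [
    'file inside the tree'   => "$base/public_html/index.txt",
    'file outside the tree'  => "$base/private/secret.txt",
    '../ out of the tree'    => "$base/public_html/../private/secret.txt",
    'symlink to the outside' => "$base/public_html/link.txt",
];

foreach ($cases as $label => $path) {
    printf("%-24s %s\n", $label, try_read($path));
}

// The demo tree is left in place: once the restriction is active, this
// script can no longer delete anything outside public_html either.
```

Run it with the php command-line binary. Only the first read is allowed, because PHP resolves ../ and symbolic links before comparing the path against open_basedir.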

4 comments

  1. dhanesh mane

    Hey,

    I want to use pear system.php in my php file.
    I also have /usr/share/PEAR in my include_path, but when I include that file in my code it is giving me a fatal error that the file is not present.

    But the files are there at the proper location in the PEAR package directory.

    And due to the open_basedir restriction I can't include it. Now what's the solution? Can you help me?

    Thanks
    Dhanesh

  2. hron84

    @dhanesh mane:
    Symlink the PEAR package to the virtualhost or documentroot, and include them from here.

  3. hron84

    Ehh, I would like to write PEAR _folder_

  4. dhanesh mane

    @hron84, hey, I was working on the symlink, but I was not able to find a correct tutorial to symlink PEAR with the virtual host. If you have any kind of tutorial or details which can help me to symlink PEAR with the virtual host, please let me know.

    Thanks a lot.
    Dhanesh