Newsgroups: php.internals
Subject: Re: [PHP-DEV] open_basedir?
From: Gert <gertp93@gmail.com>
To: Joe Watkins
Cc: Nikita Popov, PHP internals
Date: Tue, 7 May 2019 12:25:21 +0200

Hello,

If the plan is to remove it in 8.0, then I'd say it's beneficial to already deprecate it in 7.4. This will give users an earlier warning that these upgrades need to happen.

Cheers

On Tue, 7 May 2019 at 12:18, Joe Watkins wrote:

> Morning Nikita,
>
> It would be wise to do a) and b) regardless of whether it's going to be removed.
>
> I think +1 on removing it in 8 ... I'm not sure if it should be deprecated in 7.4 first, or how that would work?
>
> Cheers
> Joe
>
> On Tue, 7 May 2019 at 12:11, Nikita Popov wrote:
>
> > Hi internals,
> >
> > The open_basedir ini setting has two significant problems:
> >
> > 1. It is a major performance hit, because it disables the realpath cache.
> >
> > 2. Many people think it is a security feature and use it as such. However, open_basedir is in reality a "best effort" mechanism, with known workarounds and more regularly being found. Especially when it comes to interactions with 3rd party libraries, enforcing open_basedir is simply impossible.
> >
> > What open_basedir tries to do must be implemented on the operating system level to work reliably (and of course such mechanisms exist, such as jails, chroot and friends).
> >
> > I wonder if it is feasible to drop this ini setting? Enforcing this doesn't really seem like any of PHP's business. If not, I think we need to at least
> >
> > a) make it clear in the documentation that this is *not* a security option and only exists to prevent "accidents" and
> > b) update the security policy (https://wiki.php.net/security) to state that open_basedir bypasses are not security issues. I believe this has been part of Debian's security policy for some time already.
> >
> > Regards,
> > Nikita
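As an added illustration of the OS-level isolation Nikita's message points to (not part of this thread or of PHP's own documentation), here is a PHP-FPM pool configuration that draws the boundary with a dedicated user and a chroot rather than with open_basedir; the pool name, user, paths and socket are assumed values.

```ini
; Added example, not from the thread: one PHP-FPM pool per application,
; isolated by the operating system rather than by open_basedir.
; Pool name, user/group, paths and socket are assumed values.
[app1]
user = app1
group = app1
listen = /run/php-fpm/app1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; The kernel enforces this boundary on every file access the worker makes,
; which is what the thread says open_basedir cannot reliably do.
; The chroot must contain everything the worker needs at runtime
; (document root, temp and session dirs, any sockets or shared libraries).
chroot = /srv/app1
chdir = /

; Paths below are relative to the chroot.
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp/sessions
php_admin_value[sys_temp_dir] = /tmp

; open_basedir may still be set to catch accidents (Nikita's point a),
; but it is not the isolation boundary here; removing this line does not
; weaken the chroot.
php_admin_value[open_basedir] = /public:/tmp
```

Running each application under its own Unix user also means that file permissions, not an ini setting, decide what one pool can read from another.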