Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105609 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 27571 invoked from network); 7 May 2019 13:32:19 -0000 Received: from unknown (HELO tbjjbihbhebb.turbo-smtp.net) (199.187.174.11) by pb1.pair.com with SMTP; 7 May 2019 13:32:19 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=php.net; s=turbo-smtp; x=1557830171; h=DomainKey-Signature:Received: Received:MIME-Version:References:In-Reply-To:From:Date: Message-ID:Subject:To:Cc:Content-Type; bh=vp9YcGpqidH47vctN/QJdz VpiyLrqDDSq4IOMBFtEH0=; b=n1nF0jhTbmBSH9lQxoYdzCtjbF9NwXUIDXj+56 VEFg2+o2vEQFQxNAkOrd3bIvXsIHKKMN7rno8vKefZR5ynQAzYL2FG4MUk+LZgN4 t5QZ7S7lfElVCjJYvZrxqTu+TPch3X8AeJJ2O74nXIQrubyukMU5PgbBxk3GTLak fpi8Q= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=turbo-smtp; d=php.net; h=Received:Received:X-TurboSMTP-Tracking:X-Gm-Message-State:X-Google-Smtp-Source:X-Received:MIME-Version:References:In-Reply-To:From:Date:X-Gmail-Original-Message-Id:Message-ID:Subject:To:Cc:Content-Type; b=kcFDlRLatmeZ1We1+36fa8xTucOj+hoRE7Rpp9Hpx9eB8ItecUlF2tkJ27O8x4 2E9kdOH5cJ0Hq2GCFRGNWNwSx1efxtqLb3QeEcS0uZmvD/ixaKXQ27QU59M01f+p KsvY2sAAD7tMnwQgQv0F4K7RF59y0mh/i9KZJd6VQHBMs=; Received: (qmail 7788 invoked from network); 7 May 2019 10:36:10 -0000 Received: X-TurboSMTP-Tracking: 5014909773 X-Gm-Message-State: APjAAAW8ISr+Zxue8KgTLzNG68SLBu2G3EGekXp05h7QU7ACnrstV8op TY1jcvhRdEFC/+cV7RoMcPf1hVSyLmwsL+qRJE0= X-Google-Smtp-Source: APXvYqx6AHKIeouNCViSLJNs2JenRuDdL+Rtn2EM3zOHQvD1J6DcFlUt8o/ER/MfCUIAmxJog4oDaEg+HeQgEcDJBEQ= X-Received: by 2002:a05:620a:124b:: with SMTP id a11mr15392019qkl.128.1557225370253; Tue, 07 May 2019 03:36:10 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 7 May 2019 13:35:58 +0300 X-Gmail-Original-Message-Id: Message-ID: To: Nikita Popov Cc: PHP internals Content-Type: multipart/alternative; boundary="00000000000007811e058849c9e8" Subject: Re: [PHP-DEV] open_basedir? From: zeev@php.net (Zeev Suraski) --00000000000007811e058849c9e8 Content-Type: text/plain; charset="UTF-8" On Tue, May 7, 2019 at 1:11 PM Nikita Popov wrote: > Hi internals, > > The open_basedir ini setting has two significant problems: > > 1. It is a major performance hit, because it disables the realpath cache. > That's true, but only if it's in use. That's kind of fair... > 2. Many people think it is a security feature and use it as such. However, > open_basedir is in reality a "best effort" mechanism, with known > workarounds and more regularly being found. Especially when it comes to > interactions with 3rd party libraries, enforcing open_basedir is simply > impossible. > Agreed 100%. > What open_basedir tries to do must be implemented on the operating system > level to work reliably (and of course such mechanisms exist, such as jails, > chroot and friends). > Ditto > I wonder if it is feasible to drop this ini setting? Enforcing this doesn't > really seem like any of PHP's business. It's definitely feasible, although personally, I think the right way to go here is more around docs and policy. It's not completely without value, and I believe I've seen it being used in a lot of different places (most of them realizing the fact it's a 'best effort' feature and not a bulletproof one). I wouldn't introduce it today, but I don't see the compelling case the remove it. If not, I think we need to at least > > a) make it clear in the documentation that this is *not* a security option > and only exists to prevent "accidents" and > I'm not sure I'd phrase it that way exactly, but generally I very much agree. I think we should say it's just an extra safety net, that is in no way comprehensive and can therefore not be relied upon when security is needed. b) update the security policy (https://wiki.php.net/security) to state that > open_basedir bypasses are not security issues. I believe this has been part > of Debian's security policy for some time already. Agreed 100%. Zeev --00000000000007811e058849c9e8--