Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:105632
Return-Path: <smalyshev@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93951 invoked from network); 7 May 2019 22:01:16 -0000
Received: from unknown (HELO mail-pf1-f196.google.com) (209.85.210.196)
  by pb1.pair.com with SMTP; 7 May 2019 22:01:16 -0000
Received: by mail-pf1-f196.google.com with SMTP id y13so9123714pfm.11
        for <internals@lists.php.net>; Tue, 07 May 2019 12:05:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:references:from:openpgp:autocrypt:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=nonT5xcI0BkPMx+8Uzh3x0vPaMhMhzjJxVqZ+PVkNFg=;
        b=qtu35mLyrTYLzFO4ZzkY+HotJg8qxEQJfJUHcshEeIYbRdU8SQrOs7eTdIxWyhNRmJ
         p5VzoW3C7BIj2bv0oz4jZIbyRBoPfG93KM3Be4Phx7eKIOTyDX6+9JRdiZrNSUXS5oiX
         DuH+C3dIQt/iray0WY4Fvj8r+xG2M9Ra4bdsbI55vj/phNRbrfWIl10la0EH5cfSeSOy
         C1JRfqi99XX2PlbzNZLJrlIq4SfDtiVihMGkhAo+2so8vlpFw8nmaocE3P+a4cZ9D7v6
         On1RCSD/PDPEWXZeo1UVkhH7vuUagGhxvlgKo2n11W92/M3rAPxIxRkWzcUd5yfAy+t4
         WW0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt
         :message-id:date:user-agent:mime-version:in-reply-to
         :content-language:content-transfer-encoding;
        bh=nonT5xcI0BkPMx+8Uzh3x0vPaMhMhzjJxVqZ+PVkNFg=;
        b=kLeTJow5sAGdHHGVWqp3X2r++9Kxpgfst/ejBYR+7ZnzTF9Ctqtt3Xi1Lz7z3Q2f+T
         EMbeTJ0B573KpZu7NaIGtchKCBcpHXoF1PPHc+6ZpdYS/FW5wFLAexB5drqVM1w04ft5
         aWJi/kcb7ehuxvGCWJzrdTyk1e0jj5xZEJkm5SH9G0KmqIcpCc1kBZ39pkdKcnPCJXFI
         B7ik0x6FCWnJ8fz7hS6Wp9K0ocozGI4vSPb/jXfOw+jG43nXdG8AI1mfHXp8HO1Uep+3
         ZOQNPYKAAMfizYW4klTUugpQlr5iVw3+xqf/YKJMpiZtOBE2XvFW+YkQdbxmDkmPWH6I
         HiAw==
X-Gm-Message-State: APjAAAWukzJl+3jha0sKL1TyxmOCu9ati+pls7dpBmZ7yCAnmjCxZZkc
	kQZRGTsPc67yft4CnGry5g9zIXOKog==
X-Google-Smtp-Source: APXvYqzxTwjBAQNpWTSFhn8jkeT05JeA/beXfENZ0U7e1A+wT0/l1WKelYByT47n+idsVxOn7Jb7IA==
X-Received: by 2002:a62:ed10:: with SMTP id u16mr42724250pfh.187.1557255911551;
        Tue, 07 May 2019 12:05:11 -0700 (PDT)
Received: from Stas-Pro-2016.local (c-24-4-176-254.hsd1.ca.comcast.net. [24.4.176.254])
        by smtp.gmail.com with ESMTPSA id n15sm31656923pfb.111.2019.05.07.12.05.10
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 07 May 2019 12:05:10 -0700 (PDT)
To: Nikita Popov <nikita.ppv@gmail.com>,
 PHP internals <internals@lists.php.net>
References: <CAF+90c-4-R4SYY_AAL679ZYBn2QAZTYAGXH6E6Bz1hYGN=MFcA@mail.gmail.com>
Openpgp: preference=signencrypt
Autocrypt: addr=smalyshev@gmail.com; prefer-encrypt=mutual; keydata=
 mQMuBE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvjaDjWi
 9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+L
 cNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SKr+mUrrJk
 uG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3MkubowxoEBYCZet18
 aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCX
 lfnx2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN
 6Zdy2MxL1RRJCFbytLhl0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVC
 khUAhouH6xzZQNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSN
 oBeGBKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xPyc6R
 sB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/k
 OBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQGvAP5pg76
 vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFYMLF1hR47PIZTDKER
 EuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/R
 ozBMcij30EgATggC/y2zbiqAFoS9FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8bHZCi
 sBobWC7OnKyUzxVxzUeuPkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ
 5QrdmE0/BbQyU3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWls
 LmNvbT6IegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lW
 vF2gS12XMwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9Iufv
 vsZEj3E7i3h+iD5648YMwfTFCij+uQINBE9mqaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh
 +CpLXwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG++CX
 ubEvip/eJkZl93/84h04KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTey
 SBVFdov6L4mepddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/P
 ginD11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4HGRH
 ZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHf
 aMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJARXWUOO72+sScHP8KQmTl
 1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33XBPs4e6MbWKfsa9q
 aVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVY
 ZxU2d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME54mK
 AGf2Ldr/dRwXiGEEGBEIAAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQP
 zdfU847tqDK4zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejw
Message-ID: <5ac2a666-61e3-877b-6c4d-6b4b78996c91@gmail.com>
Date: Tue, 7 May 2019 12:05:10 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
 Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAF+90c-4-R4SYY_AAL679ZYBn2QAZTYAGXH6E6Bz1hYGN=MFcA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] open_basedir?
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> b) update the security policy (https://wiki.php.net/security) to state that
> open_basedir bypasses are not security issues. I believe this has been part
> of Debian's security policy for some time already.

I think we've been treating them this way effectively for a while now.

The big question is how we formulate what open_basedir actually *is*. I
mean, some people find it rather useful, and in some situation such
mechanism can be very valuable - one scenario I can think of it turning
on open_basedir, run through application test suite and check that it
doesn't reach anywhere it should not. It, of course, does not provide
security guarantees, neither do unit tests, but we still find unit tests
useful, and in the same vein people may find open_basedir useful.

So before just swinging the ax and dropping it I think we should really
research what people are actually using open_basedir for. And then try
to formulate a proper description of what it can be used for without
claiming any security guarantees we could not deliver.

In general, I think we should slow down a bit (actually, a lot) with
removing things from PHP. We've already accumulated a lot of BC baggage
here, and if we want PHP 8 to become the version of PHP that an average
developer can target without hearing "yeah, we're planning to upgrade
sometimes in the next 2-3 years, probably, maybe", then we should slow
down with the removals.

PHP 7 had rather short list of removing things, and most of them very
marginally used. And that IMHO worked well. Here we're talking about
things that are used - on my estimation - much more widely. open_basedir
particularly is not that bad in this regard, because likely no app
critically depends on it being there - so it's more of a generic comment
about what I am seeing on the lists nowdays, where tons of removals and
global overhauls with enormous BC costs are proposed.
-- 
Stas Malyshev
smalyshev@gmail.com