Newsgroups: php.internals
Xref: news.php.net php.internals:105638
Date: Wed, 8 May 2019 09:23:24 +0200
From: nikita.ppv@gmail.com (Nikita Popov)
To: Stanislav Malyshev
Cc: PHP internals
Subject: Re: [PHP-DEV] open_basedir?
In-Reply-To: <5ac2a666-61e3-877b-6c4d-6b4b78996c91@gmail.com>

On Tue, May 7, 2019 at 9:05 PM Stanislav Malyshev wrote:

> Hi!
>
> > b) update the security policy (https://wiki.php.net/security) to state that
> > open_basedir bypasses are not security issues. I believe this has been part
> > of Debian's security policy for some time already.
>
> I think we've been treating them this way effectively for a while now.
>
> The big question is how we formulate what open_basedir actually *is*. I
> mean, some people find it rather useful, and in some situations such a
> mechanism can be very valuable - one scenario I can think of is turning
> on open_basedir, running through the application test suite and checking
> that it doesn't reach anywhere it should not. It, of course, does not
> provide security guarantees, neither do unit tests, but we still find unit
> tests useful, and in the same vein people may find open_basedir useful.
>
> So before just swinging the ax and dropping it I think we should really
> research what people are actually using open_basedir for. And then try
> to formulate a proper description of what it can be used for without
> claiming any security guarantees we could not deliver.

Right. One practical question that would interest me in particular is if we can drop the implicit disabling of the realpath cache if open_basedir is enabled. It makes open_basedir trivially bypassable, but still requiring some specially crafted code -- not something that just happens by accident. If we see open_basedir as a non-security feature for detecting code that accidentally tries to access things it shouldn't, that should be fine. But I'm not quite sure if that's the right interpretation.

I don't really care myself whether open_basedir exists or not, I mainly want users (and ourselves as well) to understand what the intended usage and limitations are.

Regards,
Nikita
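
The test-time use discussed in this message (enable open_basedir, exercise the code, check that it does not reach outside its tree) could look like the following. This is an added example, not code from the thread or from php-src; the temporary directory, the `load_settings()` function and the `/etc/hostname` path are constructed for illustration.

```php
<?php
// Added illustration: open_basedir as a test-time canary, not a security boundary.

// Constructed sandbox directory holding the only file the code should read.
$allowed = sys_get_temp_dir() . '/obd_canary_' . getmypid();
mkdir($allowed, 0700, true);
$allowed = realpath($allowed);            // resolve symlinked temp dirs first
file_put_contents($allowed . '/config.ini', "name=demo\n");

// Hypothetical code under test: one legitimate read, one stray read.
function load_settings(string $dir): array
{
    $config = file_get_contents($dir . '/config.ini');
    $stray  = file_get_contents('/etc/hostname'); // outside the allowed tree
    return [$config, $stray];
}

// Collect open_basedir warnings instead of letting them scroll past.
$violations = [];
set_error_handler(function (int $errno, string $errstr, string $file, int $line) use (&$violations) {
    if (strpos($errstr, 'open_basedir restriction in effect') !== false) {
        $violations[] = sprintf('%s (%s:%d)', $errstr, $file, $line);
    }
    return true; // handled; keep running so every violation is recorded
});

// Tighten at runtime. The trailing slash limits access to this directory only;
// without it the value is treated as a path prefix.
if (ini_set('open_basedir', $allowed . DIRECTORY_SEPARATOR) === false) {
    fwrite(STDERR, "could not set open_basedir\n");
    exit(2);
}

[$config, $stray] = load_settings($allowed);
restore_error_handler();

// Clean up inside the allowed tree, then report.
unlink($allowed . '/config.ini');
rmdir($allowed);

echo 'config read: ', ($config !== false ? 'ok' : 'failed'), "\n";
foreach ($violations as $v) {
    echo "VIOLATION: $v\n";
}
exit($violations ? 1 : 0); // non-zero exit fails the test run
```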