Newsgroups: php.internals
Xref: news.php.net php.internals:105667
Date: Fri, 10 May 2019 22:55:51 +0200
From: me@kelunik.com (Niklas Keller)
To: "BohwaZ/PHP"
Cc: PHP Internals
Subject: Re: [PHP-DEV] open_basedir?

> I'm against deprecating it or removing it.
>
> As said earlier, it has some security value, especially with mass
> hosting. If I'm hosting thousands of websites for thousands of users,
> using chroot is not doable, and open_basedir is a good alternative (at
> least it's better than nothing).
>
> That's why it's used by ISPconfig and other panels: there is no other
> solution that I know of.

That's exactly the reason why I'm for removing it. There will always be
ways to circumvent open_basedir and setups like this are insecure. It
gives a false sense of security. It's not better than nothing, because
most hosting providers would opt for a real solution instead of leaving
users entirely unprotected.

Regards, Niklas