Newsgroups: php.internals
Date: Sat, 11 May 2019 09:53:31 +0200
Subject: Re: [PHP-DEV] open_basedir?
From: me@kelunik.com (Niklas Keller)
To: BohwaZ
Cc: PHP Internals
In-Reply-To: <20190511021217.1aaac8f5@platypus>

> > That's exactly the reason why I'm for removing it. There will always
> > be ways to circumvent open_basedir and setups like this are insecure.
> > It gives a false sense of security. It's not better than nothing,
> > because most hosting providers would opt for a real solution instead
> > of leaving users entirely unprotected.
>
> What's your solution then? I'll be more than happy to have anything
> better that will work with thousands of users :)

Solutions that work at the OS level have been suggested in this thread.
It's not my job figuring out a solution that works better for your
business at scale.

> Also I don't get the argument that because it isn't perfect it would
> not be useful. It definitely is, as a security measure.

Quoting https://www.php.net/security-note.php:

> For Local exploits we mostly hear about open_basedir or safemode
> problems on shared virtual hosts. These two features are there as a
> convenience to system administrators and should in no way be thought
> of as a complete security framework. With all the 3rd-party libraries
> you can hook into PHP and all the creative ways you can trick these
> libraries into accessing files, it is impossible to guarantee security
> with these directives. The Oracle and Curl extensions both have ways
> to go through the library and read a local file, for example. Short of
> modifying these 3rd-party libraries, which would be difficult for the
> closed-source Oracle library, there really isn't much PHP can do about
> this.

The exact issue is that it appears to be good enough, but it really
isn't.

> chroot isn't perfect either, but you might want to use it as well.
>
> Same for disable_functions, sure there will be ways to go around it,
> but it will still block 90% of attacks we might get. So, definitely not
> the most reliable thing, but it adds a layer that may help.
>
> I can pick the lock on my front door in about 10 minutes, a
> professional probably much less. And you can enter by breaking a window.
> But it is still effective as a security measure. And it would be silly
> if someone would come and tell me that the lock should be removed
> because it gives a false sense of security :)

My hope is that if we remove the feature, hosting providers will opt
for a proper door instead of one made from paper.

Regards, Niklas