Newsgroups: php.internals
Date: Sat, 11 May 2019 19:55:14 +0900
Subject: Re: [PHP-DEV] open_basedir?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Niklas Keller
Cc: "BohwaZ/PHP", PHP Internals

On Sat, May 11, 2019 at 5:56 AM Niklas Keller wrote:

> > I'm against deprecating it or removing it.
> >
> > As said earlier, it has some security value, especially with mass
> > hosting. If I'm hosting thousands of websites for thousands of users,
> > using chroot is not doable, and open_basedir is a good alternative (at
> > least it's better than nothing).
> >
> > That's why it's used by ISPconfig and other panels: there is no other
> > solution that I know of.
>
> That's exactly the reason why I'm for removing it. There will always
> be ways to circumvent open_basedir and setups like this are insecure.
> It gives a false sense of security. It's not better than nothing,
> because most hosting providers would opt for a real solution instead
> of leaving users entirely unprotected.
>

Under a VM setup, there is not much of a problem for Linux. However, Docker (and/or cgroup-based containers) has a problem because there is no namespace for SELinux. Therefore, containers cannot have workable SELinux protection, as well as OSes that lack SELinux-like protections.

I don't care much about open_basedir. However, I wonder how many container setups rely on open_basedir as additional security.

Regards,

P.S. No one should rely on stack smashing attack protection, yet it's still there for fail-safe purposes. open_basedir is a fail-safe feature.

--
Yasuo Ohgaki
yohgaki@ohgaki.net