Newsgroups: php.internals
Xref: news.php.net php.internals:26054
Date: Fri, 13 Oct 2006 16:23:39 +0200
From: pierre.php@gmail.com (Pierre)
To: "Tim Starling"
Cc: internals@lists.php.net
In-Reply-To: <53.46.02720.CEEEE254@pb1.pair.com>
Subject: Re: [PHP-DEV] Re: open_basedir enhancement, runtime tightening

Hello,

On 10/13/06, Tim Starling wrote:
> Sara Golemon wrote:
> > The attached patch changes open_basedir from PHP_INI_SYSTEM to PHP_INI_ALL.
> [...]
> >
> > The advantage of doing this is that package authors and/or users of shared
> > hosting who may not have access to making their settings more restrictive
> > can avoid most simple FS inspection attacks caused by buggy script code by
> > adding a single ini_set(basedir(__FILE__)); to the top of their script or
> > setting it with an .htaccess directive.
>
> Great feature. I can see this being very useful to packaged PHP applications
> like ours (MediaWiki). The only complication in implementation I can think
> of is trying to work out the location of PEAR, for those modules that use
> it. I suppose we would have to append the default include_path to the
> runtime open_basedir, to make sure that PEAR is accessible.

There is no issue with PEAR or any applications using include_path and
relative paths in include/require. The system include_path paths, if any,
should already be in the open_basedir. If they are not, you have to install
the desired modules within your open_basedir, just like now.

Sara, I did not check the patch (not readable here :P), but I like the idea.

--Pierre
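An added example, not part of Pierre's mail or of Sara's patch, of what the runtime tightening discussed in this thread looks like on a PHP build that allows it (PHP 5.3 and later, where open_basedir may be narrowed but never widened via ini_set): the script restricts itself to its own directory plus the existing include_path entries Tim asks about, then checks that a path outside that set is refused. The outside path `/etc/hostname` is a constructed sample; substitute any file outside the allowed directories.

```php
<?php
// Added example: tighten open_basedir at runtime from within the script.
// Assumes PHP 5.3 or later; on earlier builds ini_set() returns false here.

// The script's own directory: the minimum a packaged application needs.
$allowed = array(dirname(__FILE__));

// Keep the system include_path reachable (Tim's PEAR concern) by adding its
// absolute entries; '.' is already covered by the script directory.
foreach (explode(PATH_SEPARATOR, get_include_path()) as $dir) {
    if ($dir !== '' && $dir !== '.' && is_dir($dir)) {
        $allowed[] = realpath($dir);
    }
}
$value = implode(PATH_SEPARATOR, array_unique($allowed));

// ini_set() returns false when the change is refused, e.g. because the
// requested set is not a subset of an administrator-configured open_basedir.
if (ini_set('open_basedir', $value) === false) {
    fwrite(STDERR, "open_basedir could not be tightened to: $value\n");
    exit(1);
}
echo "open_basedir is now: ", ini_get('open_basedir'), "\n";

// Self-check: a path outside the allowed set must now be refused.
$outside = '/etc/hostname'; // constructed sample of a path outside $allowed
if (@file_get_contents($outside) === false) {
    echo "OK: access to $outside is refused\n";
} else {
    echo "WARNING: $outside was readable; it may lie under an allowed directory\n";
}

// Files inside the script's own directory remain readable.
if (file_get_contents(__FILE__) === false) {
    fwrite(STDERR, "unexpected: own directory is no longer readable\n");
    exit(1);
}
```

Because the restriction only narrows, a later ini_set() that tries to add a directory back fails, so build the full list once before the first call.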