Newsgroups: php.internals
Message-ID: <452FAA22.7060008@chiaraquartet.net>
Date: Fri, 13 Oct 2006 10:00:50 -0500
To: Tim Starling
CC: internals@lists.php.net
References: <53.46.02720.CEEEE254@pb1.pair.com> <46.72.33861.489AF254@pb1.pair.com>
In-Reply-To: <46.72.33861.489AF254@pb1.pair.com>
Subject: Re: [PHP-DEV] Re: open_basedir enhancement, runtime tightening
From: greg@chiaraquartet.net (Gregory Beaver)

Tim Starling wrote:
> Pierre wrote:
>> There is no issue with PEAR or any applications using include_path and
>> relative paths in include/require. The system include_path, if any,
>> paths should already be in the open_basedir. If they are not, you
>> have to install the desired modules within your open_basedir, just
>> like now.
>
> The application I'm interested in is where there is no system
> open_basedir, and the application wishes to lock down the environment.
> So we could do:
>
> ini_set('open_basedir', ini_get('include_path') . PATH_SEPARATOR .
> dirname(__FILE__));
>
> But that still allows the application to access every path that the
> system administrator has, at a whim, included in include_path. It's not
> maximally restrictive, really we only need dirname(__FILE__) and
> wherever PEAR is.
>
> We could do:
> $pear = trim(`pear config-get php_dir`);
> ini_set('open_basedir', $pear . PATH_SEPARATOR . dirname(__FILE__));
>
> But of course, that's not very portable. What I'm hinting at is that it
> might be kind of nice if PHP knew where PEAR was, and provided it say
> via $_SERVER. It might save a bit of mucking around.

Hi Tim,

This is a bit more PEAR-related, please follow up to pear-dev with any
further questions. The code you're looking for is:

require_once 'PEAR/Config.php';
$c = PEAR_Config::singleton(); // assuming PHP 5, add & if PHP 4
ini_set('open_basedir', $c->get('php_dir') . PATH_SEPARATOR .
dirname(__FILE__));

Greg
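
Added example, not part of the original message and not PEAR or PHP project code: a sketch of applying and then checking a runtime open_basedir lock-down like the one discussed in this thread. The function name tighten_open_basedir() and the sandbox directory are hypothetical; it assumes PHP 7 or later, a PHP build that allows open_basedir to be tightened with ini_set(), and no existing open_basedir that excludes the temp directory. With the directories from the message above, the call would be tighten_open_basedir([$c->get('php_dir'), dirname(__FILE__)]).

```php
<?php
// Added example; tighten_open_basedir() and the sandbox directory are hypothetical.

/**
 * Restrict open_basedir to exactly the given directories.
 * Returns the value applied; throws if a directory cannot be resolved
 * or PHP rejects the new setting.
 */
function tighten_open_basedir(array $dirs): string
{
    if ($dirs === []) {
        throw new InvalidArgumentException('At least one directory is required');
    }
    $allowed = [];
    foreach ($dirs as $dir) {
        // Resolve symlinks and ".." before the restriction is in place.
        $real = realpath($dir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("Not a usable directory: $dir");
        }
        // Trailing separator: on PHP versions that match by string prefix,
        // "/srv/app" would otherwise also admit "/srv/app-other".
        $allowed[] = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }
    $value = implode(PATH_SEPARATOR, array_unique($allowed));

    // ini_set() returns false when the change is rejected, e.g. when the
    // value would widen a restriction that is already in force.
    if (ini_set('open_basedir', $value) === false) {
        throw new RuntimeException('open_basedir could not be changed at runtime');
    }
    return $value;
}

// Demo: a constructed sandbox under the temp directory; this script lives outside it.
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_demo_' . getmypid();
mkdir($sandbox, 0700);
$inside = $sandbox . DIRECTORY_SEPARATOR . 'inside.txt';
file_put_contents($inside, "ok\n");

echo 'open_basedir = ', tighten_open_basedir([$sandbox]), "\n";
// "@" hides the open_basedir warning so only the boolean result is shown.
echo 'inside readable:  ', var_export(@file_get_contents($inside) !== false, true), "\n";
echo 'outside readable: ', var_export(@file_get_contents(__FILE__) !== false, true), "\n";
// Attempt to widen the restriction after it has been applied.
echo 'widen accepted:   ', var_export(ini_set('open_basedir', dirname(__FILE__)) !== false, true), "\n";

unlink($inside);
rmdir($sandbox);
```

Checking the return value of ini_set() matters here: if the setting is silently rejected, the application keeps running without the restriction it believes it has.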