Newsgroups: php.internals
Xref: news.php.net php.internals:26057
Date: Fri, 13 Oct 2006 17:23:11 +0200
From: pierre.php@gmail.com (Pierre)
To: "Gregory Beaver"
Cc: "Tim Starling", internals@lists.php.net
Subject: Re: [PHP-DEV] Re: open_basedir enhancement, runtime tightening
In-Reply-To: <452FAA22.7060008@chiaraquartet.net>
References: <53.46.02720.CEEEE254@pb1.pair.com> <46.72.33861.489AF254@pb1.pair.com> <452FAA22.7060008@chiaraquartet.net>

Hello,

On 10/13/06, Gregory Beaver wrote:
> Tim Starling wrote:
> > Pierre wrote:
> >> There is no issue with PEAR or any applications using include_path and
> >> relative paths in include/require. The system include_path paths, if
> >> any, should already be in the open_basedir. If they are not, you
> >> have to install the desired modules within your open_basedir, just
> >> like now.
> >
> > The application I'm interested in is where there is no system
> > open_basedir, and the application wishes to lock down the environment.
> > So we could do:
> >
> > ini_set('open_basedir', ini_get('include_path') . PATH_SEPARATOR .
> > dirname(__FILE__));
> >
> > But that still allows the application to access every path that the
> > system administrator has, at a whim, included in include_path. It's not
> > maximally restrictive, really we only need dirname(__FILE__) and
> > wherever PEAR is.
> >
> > We could do:
> > $pear = trim(`pear config-get php_dir`);
> > ini_set('open_basedir', $pear . PATH_SEPARATOR . dirname(__FILE__));
> >
> > But of course, that's not very portable. What I'm hinting at is that it
> > might be kind of nice if PHP knew where PEAR was, and provided it say
> > via $_SERVER. It might save a bit of mucking around.
>
> Hi Tim,
>
> This is a bit more PEAR-related, please follow up to pear-dev with any
> further questions.
>
> The code you're looking for is:
>
> require_once 'PEAR/Config.php';
> $c = PEAR_Config::singleton(); // assuming PHP 5, add & if PHP 4
> ini_set('open_basedir', $c->get('php_dir') . PATH_SEPARATOR .
> dirname(__FILE__));

These values do not change during the application lifetime. Dynamic tests
and decisions are ugly when what you test never changes. I would suggest
doing it only during the installation stage.

--Pierre
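The following is an added example, not code from this thread, from PEAR or from PHP itself. It puts the three ideas of the thread together: the open_basedir value is built from dirname(__FILE__) plus PEAR's php_dir (resolved through PEAR_Config as Greg shows), it is computed once at install time and persisted as Pierre suggests, and at request time the application applies it with ini_set() and checks that the restriction actually took effect. The fallback PEAR location `/usr/share/php`, the generated file name `open_basedir.generated.php` and the helper names are all assumptions made for this example.

```php
<?php
// Added example (not from the thread): tight open_basedir from the application
// directory plus PEAR's php_dir, computed at install time, applied at runtime.

/**
 * Resolve PEAR's php_dir through PEAR_Config, as the thread suggests. If the
 * PEAR config class cannot be loaded, fall back to a directory chosen by the
 * installer ($fallback is an assumption of this example, not a PEAR API).
 */
function resolvePearDir($fallback = null)
{
    if (@include_once 'PEAR/Config.php') {
        if (class_exists('PEAR_Config')) {
            $c = PEAR_Config::singleton();
            $dir = $c->get('php_dir');
            if (is_string($dir) && $dir !== '') {
                return $dir;
            }
        }
    }
    return $fallback;
}

/**
 * Build the open_basedir string: each directory canonicalised with realpath(),
 * deduplicated, and joined with PATH_SEPARATOR. Non-existent entries are
 * dropped. Every entry gets a trailing separator because open_basedir matches
 * by prefix: "/var/www" would also allow "/var/www-old", "/var/www/" would not.
 */
function buildOpenBasedir(array $dirs)
{
    $resolved = array();
    foreach ($dirs as $dir) {
        if ($dir === null || $dir === '') {
            continue;
        }
        $real = realpath($dir);
        if ($real === false || !is_dir($real)) {
            continue;
        }
        $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        $resolved[$real] = true;
    }
    return implode(PATH_SEPARATOR, array_keys($resolved));
}

/**
 * Install-time step (Pierre's suggestion): persist the computed value in a
 * small PHP file that returns the string, so nothing is recomputed per request.
 */
function writeOpenBasedirConfig($configFile, $paths)
{
    $php = "<?php\n// generated at install time; do not edit by hand\n"
         . "return " . var_export($paths, true) . ";\n";
    return file_put_contents($configFile, $php, LOCK_EX) !== false;
}

/**
 * Request-time step: apply the restriction and confirm it took. ini_set()
 * returns the previous value on success, and when no open_basedir was set
 * before, that previous value is "" (falsy), so compare strictly with false.
 */
function applyOpenBasedir($paths)
{
    $previous = ini_set('open_basedir', $paths);
    if ($previous === false) {
        return false; // refused: outside an existing open_basedir, or PHP < 5.3
    }
    return ini_get('open_basedir') === $paths;
}

/** Self-check: a directory outside the allowed set must now be inaccessible. */
function outsidePathDenied($path)
{
    // An open_basedir violation raises E_WARNING; capture it instead of printing it.
    $warned = false;
    set_error_handler(function () use (&$warned) { $warned = true; return true; });
    $readable = is_readable($path);
    restore_error_handler();
    return $warned && !$readable;
}

// --- install stage (run once by the installer) ---
$appDir     = dirname(__FILE__);
$configFile = $appDir . DIRECTORY_SEPARATOR . 'open_basedir.generated.php';
$paths = buildOpenBasedir(array($appDir, resolvePearDir('/usr/share/php')));
writeOpenBasedirConfig($configFile, $paths);

// --- request stage (every request) ---
$paths = include $configFile;
if (!applyOpenBasedir($paths)) {
    // Fail closed: a lock-down that silently did not apply is worse than an error.
    header('HTTP/1.1 500 Internal Server Error');
    exit("open_basedir could not be applied\n");
}
echo "open_basedir = " . ini_get('open_basedir') . "\n";
echo "parent of the application directory denied: "
   . (outsidePathDenied(dirname($appDir)) ? 'yes' : 'no') . "\n";
```

In a real deployment the install stage lives in the installer and only the request stage runs per hit. Two caveats worth keeping in mind: tightening open_basedir with ini_set() works on PHP 5.3 and later (the "runtime tightening" the thread's subject refers to), and once tightened it cannot be loosened again within the request, so session.save_path, upload_tmp_dir and any other directory the application touches must already lie inside the computed set or those features stop working with the same "open_basedir restriction in effect" warning.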