Newsgroups: php.internals
Date: Tue, 17 Jun 2014 11:15:35 +0200
To: Pierre Joye
Cc: PHP internals
Subject: Re: [PHP-DEV] PHP6, drop open_basedir?
From: jpauli@php.net (Julien Pauli)

On Tue, Jun 17, 2014 at 10:26 AM, Pierre Joye wrote:
> hi,
>
> One of the last remaining so-called "security" features is open_basedir.
>
> On Windows f.e. it is very easy to create application pool with the
> right users/permissions settings (IIS) or only permissions settings
> (Apache). It is not possible to create one user per host on Apache
> using mod_php but I think it is acceptable as it is mostly used as
> development server or dedicated apps.
>
> On Linux, fcgi/fpm with Linux permissions systems allow pretty much
> the same. And my solutions exist for a per user/application isolation
> system.
>
> I think it is not worth the effort to keep maintaining something that
> will never be as safe as system level permissions.
>
> What do you think about removing it in PHP 6? Thoughts?

I am obviously +1.

This param is not needed any more, it's been very easy to abuse it and
its removal will lead to many places of code cleaning :-)

Julien