Newsgroups: php.internals
Message-ID: <53A00AC1.2050001@lsces.co.uk>
Date: Tue, 17 Jun 2014 10:30:41 +0100
To: internals@lists.php.net
Subject: Re: [PHP-DEV] PHP6, drop open_basedir?
From: lester@lsces.co.uk (Lester Caine)

On 17/06/14 09:26, Pierre Joye wrote:
> One of the last remaining so called "security" feature is open_basedir.
>
> On Windows f.e. it is very easy to create application pool with the
> right users/permissions settings (IIS) or only permissions settings
> (Apache). It is not possible to create one user per host on Apache
> using mod_php but I think it is acceptable as it is mostly used as
> development server or dedicated apps.
>
> On linux, fcgi/fpm with linux permissions systems allow pretty much
> the same. And my solutions exist for a per user/application isolation
> system.
>
> I think it is not worth the effort to keep maintaining something that
> will never be as safe as system level permissions.
>
> What do you think about removing it in php 6? Thoughts?

Managing security on servers that one has full access to is not the main target of open_basedir? It has a useful place when working with shared hosting? While on-line storage costs are going down, sharing code across a few sites while maintaining a level of isolation between specific content is not easy to achieve in other ways?

The usage I'm seeing is that open_basedir provides access to the site files and a shared set of resources used across several sites. This is probably not the best way of doing things but is one documented on several hosting packages. The examples I could link to require a private login :(

Just a pointer to something that provides an alternative resolution would obviously be acceptable. With many of these facilities it's not simply removing something but much more important to provide education on the alternatives?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
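
The two approaches discussed in this thread, side by side in one php-fpm pool definition. This is an added example, not part of the original message or taken from any hosting package; the pool name, user names, socket path and directory layout are all assumed placeholders.

```ini
; Constructed example: one php-fpm pool per hosted site.
; Every path, user and pool name below is a placeholder.
[site1]

; System-level isolation (the approach Pierre describes):
; the pool's workers run as a dedicated, unprivileged user.
user = site1
group = site1
listen = /run/php-fpm/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5

; Assumed filesystem layout that makes the user separation effective:
;   /srv/www/site1/       owner site1:site1, mode 0750 (other site users cannot read it)
;   /srv/shared/php-lib/  owner root:root, mode 0755 (readable by every site, writable by none)
;   /tmp/site1/           owner site1:site1, mode 0700 (uploads and sessions)

; open_basedir as used in the shared-hosting setups Lester describes:
; the site's own files plus a shared set of resources.
; Values set with php_admin_value cannot be changed by ini_set() in site code.
php_admin_value[open_basedir] = /srv/www/site1/:/srv/shared/php-lib/:/tmp/site1/
php_admin_value[upload_tmp_dir] = /tmp/site1
php_admin_value[session.save_path] = /tmp/site1
```

With the ownership and modes above, the kernel already denies site1's workers access to other sites' trees, and the shared library stays read-only to all sites, whether or not the open_basedir line is present.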