Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:74980 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 70083 invoked from network); 19 Jun 2014 03:23:26 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Jun 2014 03:23:26 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.43 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.43 mail-la0-f43.google.com Received: from [209.85.215.43] ([209.85.215.43:53222] helo=mail-la0-f43.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id B9/41-60202-DA752A35 for ; Wed, 18 Jun 2014 23:23:26 -0400 Received: by mail-la0-f43.google.com with SMTP id e16so1067441lan.2 for ; Wed, 18 Jun 2014 20:23:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=oacLi5TjBXUkEpm3VyvPxM/Tu6wkEYDJVVgorAe6pK0=; b=0hhv6naWpFtlME53Jyn2dfFiUTwH60j5w2tMiIP/p7/ja6gFKt49SGxnhx2saVkHT3 djn4CzyAvEIheCpStEUdC/VWwZbSYcoWd7owi/5rjW5P8EoGMH5r+8prIx3uIwuG+ICk Tnq14v/wWFpJIShg2aZMHLLFqKMKI1AG11uWZyQqaJHjHYht2isfsnAaXz4s85rC6Omx sirfP5KJlfH0grZELcIsRFNKpdTgz0Wua7TAKNS9dYKnDBx5essKmWUdNPFZH8ng0oFI g3U01+Wdn//Ib+W7rxRdnfOKH3iQEfYKgWVVA5W8xfb5CL9RZ28sVzQNhOU//TIK/O1h yUsw== X-Received: by 10.152.29.200 with SMTP id m8mr1405094lah.49.1403148201458; Wed, 18 Jun 2014 20:23:21 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.14.9 with HTTP; Wed, 18 Jun 2014 20:22:41 -0700 (PDT) In-Reply-To: References: <53A00AC1.2050001@lsces.co.uk> Date: Thu, 19 Jun 2014 12:22:41 +0900 X-Google-Sender-Auth: f0nlQG8Ht-T5d8DokFkCRm7wrWI Message-ID: To: PHP internals list Content-Type: multipart/alternative; boundary=089e0158c29c1d842004fc27e6cb Subject: Re: [PHP-DEV] PHP6, drop open_basedir? From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e0158c29c1d842004fc27e6cb Content-Type: text/plain; charset=UTF-8 Hi all, On Thu, Jun 19, 2014 at 7:33 AM, Yasuo Ohgaki wrote: > On Tue, Jun 17, 2014 at 6:34 PM, Sebastian Krebs > wrote: > >> In my experiene it only leads to a false sense of security. I've seen it >> more than once, that people just set a value there and believed, that they >> are now safe. On the other hand they wonder, why many things were broken, >> so they loosen the restrictions again. >> > > I agree that many users do not understand what it does and what it's for. > > It's a fail safe feature that should not be trusted. > open_basedir should not be trusted, but it does not mean > it's useless just like antivirus softwares. Security features > do not have to be perfect to be useful. > > I'm -1 for removing open_basedir. > If there are users who misunderstand what it's for, we > should improve our documentation. IMHO. > BTW, even though I think open_basedir is useful for better security, I also think it's good to encourage users to use better alternatives, selinux, etc. open_basedir is lazy protection, but it's easy to use. Many users disable selinux or like completely. I tends to vote -1 for this, but if there is vote, I would vote 0. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --089e0158c29c1d842004fc27e6cb--