On 06/24/2013 11:29 PM, Matus UHLAR - fantomas wrote:On 06/24/2013 02:14 PM, Oğuz Yarımtepe wrote:I solved this isseu by completely removing php-fpm and fastcgi and just using mod_php. Added php_admin_value open_basedir path fr each vhost.On 24.06.13 22:38, Thomas Goirand wrote:Great, you now have a security hole, using a deprecated directive, which is removed in the current stable version of PHP!When was open_basedir deprecated? I see that safe_mode is deprecated, but not the open_basedir...
On 25.06.13 01:37, Thomas Goirand wrote:
Ok, probably not. However, open_basedir is *not* something that is useful in terms of security. Libraries which can be called by PHP still have access to the full of the filesystem. So yes, you'd be restricting includes, but that's it, and this is not enough. The solution is a full chroot for each vhost.
the open_basedir will protect us against malicious scripts trying to scan filesystem over protected area. Of course, if there's something in PHP (as curl module some years ago), it's problem of the module. even chroot() won't protect us against kernel bugs, but does that mean we should use virtualization instead? So, I understand things like open_basedir as another step in security, made by PHP... -- Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them