PHP open_basedir Tweaking

PHP open_basedir feature prevents users from opening files outside of their home directory with PHP scripts. It is an important security feature which stops malicious scripts from being able to access important information. We can set this function to accounts which cannot open files outside of their home directory when using PHP scripts. Using PHP open_basedir feature we can limit the file operations of a specific directory.

Enable PHP open_basedir protection in cPanel

1) Navigate to PHP open_basedir Tweak (Home >> Security Center >> PHP open_basedir).

2) Click Enable PHP open_basedir protection.

3) Select the domain you wish to exclude protection.

4) Click Save.

Enable PHP open_basedir protection in Plesk

1) Login to Plesk

2) Select Domain

3) Select PHP Settings.

4) Select open_basedir under common settings and make changes.

5) Click OK.

PHP open_basedir function defines the locations from which PHP is allowed to access files using functions like fopen() and gzopen(). PHP will refuse to open the file defined outside of the paths of open_basedir. It limits PHP’s access to the user’s home directory, /tmp and other PHP system directories. We need to manually specify the open_basedir directive in each user php.ini file while using open_basedir tweak with a PHP handler other than DSO.  It is a protected mode security measure. When a file opened with fopen() and gzopen() the site of the file is checked. The PHP will refuse to open the if the file ids are defined out of the paths of open_basedir. We cannot use symbolic link as it is under the restrictions of the open_basedir function.

In Plesk hosting control panel, we may need to manually edit Apache configuration file of vhost.conf and vhost_ssl.conf, and vhost_ssl.conf, and edit the line php_admin_value open_basedir line as

php_admin_value open_basedir none

php_admin_value open_basedir /full/path/to/dir:/full/path/to/dirctory/httpdocs:/temp

In the example above the path should be replaced with real path and open_basedir are directories that specially allowed for the PHP scripts in the host domain account to access. We can add in more directories that files are being stored and needed to be opened by PHP, each separated by color “:” but it might cause some security problems. Restart Apache after the changes made. If we disable PHP open_basedir protection by manually editing the Apache configuration file, then open httpd.conf file and search the line starting with php_admin_value open_basedir and set this line as

php_admin_value open_basedir none

open_basedir can affect more than just filesystem functions; for example, if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir. Much of the extended functionality of PHP uses open_basedir in this way.

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with “php_admin_value open_basedir none”. Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that “open_basedir = /dir/incl” also allowed access to “/dir/include” and “/dir/incls” if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/

Apache configuration file directives for PHP only take effect if we select the DSO handler. If you have configured PHP to run as a CGI, suPHP, or FastCGI process, you must manually specify the open_basedir directive in the appropriate php.ini file. Users must each have their own php.ini files when they use a PHP handler that is not DSO.

If you need any further assistance please reach our support department.