15

I have a directory /htdocs/unsecured and I want to limit whatever is in that directory or its subdirectories from accessing anything outside of that directory. Where and how do I set open_basedir for this directory only?

jww
L84

2 Answers

18

You can set open_basedir in your Apache configuration file, php.ini, or in a .htaccess file.

I normally set this in an apache config file such as /etc/httpd/conf/httpd.conf.

You will have a directory structure for your current domain/virtual-host and you can add the line directly in there:

```apache
<VirtualHost 123.123.123.123:80>
    # Apply the restriction only to this directory and its subdirectories
    <Directory /htdocs/unsecured>
        # php_admin_value cannot be overridden from .htaccess or at runtime
        php_admin_value open_basedir "/htdocs/unsecured"
    </Directory>
</VirtualHost>
```

Note: The 123.123.123.123 is the IP address of your domain and this sample block potentially leaves out a lot of data for this configuration only showing what's needed for open_basedir.

In php.ini, you can do this on a much-more general level (and it will be applied to every domain on your server) with:

```ini
open_basedir = "/htdocs/unsecured"
```

In .htaccess, you should be able to use the following (though I haven't tested):

```apache
php_value open_basedir "/htdocs/unsecured"
```

EDIT (Windows path)
Per a comment, you're running XAMPP on Windows (and not using Virtual Hosts). With this information, I would suggest putting your open_basedir rule in your php.ini file. This should (hopefully) work for you:

```ini
open_basedir = "C:\xampp\htdocs\unsecured"
```

In Linux, a `:` is the field separator. In Windows, the `;` is the separator, so this should work, but I am unable to test it personally.

newfurniturey
  • Ok, but what kind of path do I use? What is `/path/to/your/site`? It's a Windows machine, so the path to this directory is `E:\xampp\htdocs\unsecure`; do I replace `/path/to/your/site` with this? What about the colon, which is both in the path and in the open_basedir as a delimiter? Or is `/path/to/your/site` relative to the htdocs directory? Do I use forward or back slashes? Should I use quotes around the path? I've looked at open_basedir in the docs and it's very vague – L84 Nov 08 '12 at 14:52
  • @L84 The `/path/to/your/site` was in reference to a machine with multiple virtual-hosts configured, assuming that `/htdocs/unsecure` was not related to your site. If it is, you can just use that instead. In Windows, you should be able to set it with backslashes like `open_basedir = "C:\xampp\htdocs\unsecure"`, but I commonly see it with forward slashes (like in Linux): `open_basedir = "C:/xampp/htdocs/unsecure"`. I don't work much with Windows, so I would suggest trial-and-error (sad, but true). And yes, I would suggest putting quotes around the path (not required though). – newfurniturey Nov 08 '12 at 14:58
  • I don't know what virtual-hosts or sites are in this context. I just put everything in /htdocs. I don't know how to set php_admin_value open_basedir for this directory because the path has a colon and colon is also a delimiter. Never mind, I see in the docs that a semicolon is used on Windows. Still, crappy docs. – L84 Nov 08 '12 at 15:01
  • Great hint, thanks! But will this also prevent a `shell_exec("ls /")`? – lucaferrario Jul 01 '13 at 09:55
  • I answer myself: it will not prevent that. In order to prevent that, the functions shell_exec, exec, passthru, etc. should be disabled for the desired directory or vhost: [apache-and-php-security-limiting-subdomains](http://stackoverflow.com/questions/4182239/apache-and-php-security-limiting-subdomains) – lucaferrario Jul 01 '13 at 10:03
  • To prevent system functions like exec, passthru, shell_exec, system you should use the directives disable_functions and disable_classes in php.ini – Mohamed Ben HEnda Feb 08 '17 at 01:01
  • This parameter can't be set in .htaccess – JuliSmz Jul 19 '19 at 15:19
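An added check, written for this page and not part of the answer, PHP or Apache: a small Python audit of a php.ini fragment that mirrors how PHP interprets open_basedir (the `:` versus `;` separator discussed above, Windows slash/case normalisation, and the PHP-manual rule that each entry is a plain string prefix unless it ends with a slash) and also flags the exec-family functions the comments note open_basedir does not cover. The two php.ini fragments are constructed samples.

```python
import ntpath
import posixpath
# Constructed php.ini fragments for the two cases above (not taken from any real server).
LINUX_INI = """
; php.ini (constructed sample, Linux)
open_basedir = "/htdocs/unsecured:/tmp"
disable_functions = exec,passthru,shell_exec
"""
WINDOWS_INI = r"""
; php.ini (constructed sample, XAMPP on Windows)
open_basedir = "C:\xampp\htdocs\unsecured;C:\xampp\tmp"
disable_functions =
"""
# Shell-out functions the comments point out are NOT blocked by open_basedir.
EXEC_FUNCTIONS = ("exec", "passthru", "shell_exec", "system")

def parse_ini(text):
    """Return {key: value} for 'key = value' lines, skipping ';' comments and outer quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"')
    return values

def basedir_entries(value, windows):
    """Split open_basedir on ':' (Linux) or ';' (Windows); normalise slashes/case on Windows."""
    pm = ntpath if windows else posixpath
    return [pm.normcase(p) for p in value.split(";" if windows else ":") if p]

def path_allowed(path, entries, windows):
    """Mimic PHP: the resolved path must start with one entry as a plain string prefix."""
    if not entries:  # no open_basedir set at all means no restriction
        return True
    pm = ntpath if windows else posixpath
    resolved = pm.normcase(pm.normpath(path))  # collapse '..' as PHP's realpath step would
    return any(resolved.startswith(entry) for entry in entries)

def audit(ini_text, windows):
    """List basedir entries, entries lacking a trailing slash (prefix-only), and undisabled exec functions."""
    cfg = parse_ini(ini_text)
    entries = basedir_entries(cfg.get("open_basedir", ""), windows)
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    return {
        "open_basedir": entries,
        "prefix_only": [e for e in entries if not e.endswith(("/", "\\"))],
        "missing_disable": [f for f in EXEC_FUNCTIONS if f not in disabled],
    }
```

Because the entries are prefixes, `/htdocs/unsecured` also admits `/htdocs/unsecured_old`; ending the entry with a slash confines it to that one directory tree.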
0

You may change the open_basedir in php.ini, in your httpd.conf or during runtime as well.

Ene