The PHP documentation is misleading. Apparently, the statement
As an Apache module, open_basedir paths from parent directories are now automatically inherited.
means that if the open_basedir directive is defined as such
php_value open_basedir "/tmp:/var/www/example.com/web"
then a script in /var/www/example.com/web
will have access to /tmp
. It does NOT mean that more specific open_basedir values may be defined for child directories to create a "cascading" or "stacking" effect.
So, adding to the above directive something like
php_value open_basedir "/var/www/example.com/protected/includes"
will NOT make the effective open_basedir for /var/www/example.com/web/modules
but rather so doing will OVERWRITE the parent directory's open_basedir definition and make the effective open_basedir
It seems prudent to open a bug report for the PHP documentation and request that this statement be clarified.