Is it safe to disable open_basedir? (Fast-CGI + suEXEC)

[darkangel]

Hi,

I need to disable PHP's open_basedir for performance reasons – is it relatively safe to do this on a dedicated server with Fast-CGI, suEXEC, and Suhosin?

What are the considerations?

Thanks.

[falko]

No, this is not safe because you can read all kinds of other files outside the website's document root from a PHP script.

[darkangel]

Only files readable by that particular web user (e.g. "web1"), right? Things like log files?

And this is only an issue if you have vulnerable code?

I needed to disable it because of this bug with PHP.

[till]

Quote:

Only files readable by that particular web user (e.g. "web1"), right? Things like log files?

All files that are readable by the web[id] user, client[id] group or that are world readable like some config files in /etc.

[cbj4074]

Out of curiosity (and I'm not necessarily saying you're wrong), what has lead you to conclude that PHP's open_basedir directive is hindering performance significantly?

[darkangel]

Did you read the bug report that I linked to? It prevents the use of the realpath cache.

[cbj4074]

No, sorry, I had missed that hyperlink. After all, it is a bit small.

I ask only so that I, too, may be informed if there is a genuine performance problem with when safe_mode or open_basedir is used. I read every post in the bug report and it seems that there is indeed an issue at a significant level of scale.

Out of curiosity alone, are you actually hosting a sufficient number of sites to feel that performance hit? If so, how many sites?

[darkangel]

I don't think it has anything to do with how many sites you're hosting (we only have 2 main websites). It would affect any PHP website, but mostly larger sites with lots of file includes (which we have).

[cbj4074]

Right; that makes sense.

Have you run benchmarks to assess the performance impact of using safe_mode or open_basedir in your particular situation?

I'm curious just how much of an impact the inability to use the realpath cache might have. A percentage would be ideal, e.g., "Disabling safe_mode and open_basedir yields a 25% performance improvement."

Ultimately, I'm wondering at what point a server administrator should consider disabling safe_mode and open_basedir in favor of performance -- i.e., at how many require() and/or include() statements.

Obviously, this determination must be made on a case-by-case basis, and it will depend largely on how many and what type of sites occupy the server, but some basic guidelines would be most helpful.

If you're willing to share your findings, thank you in advance.

[darkangel]

I haven't done proper benchmarking, but you can find more information here:

http://php.webtutor.pl/en/2011/06/02...mple-solution/
http://blog.nexcess.net/2010/03/31/p...o-performance/
http://serverfault.com/questions/158...rmance-problem