Is it safe to disable open_basedir? (Fast-CGI + suEXEC)

Discussion in 'Installation/Configuration' started by darkangel, Oct 22, 2012.

  1. darkangel

    darkangel New Member

    Is it safe to disable open_basedir? (Fast-CGI + suEXEC + Suhosin)


    I need to disable PHP's open_basedir for performance reasons – is it relatively safe to do this on a dedicated server with Fast-CGI, suEXEC, and Suhosin?

    What are the considerations?

    Last edited: Oct 22, 2012
  2. falko

    falko Super Moderator ISPConfig Developer

    No, this is not safe because you can read all kinds of other files outside the website's document root from a PHP script.
  3. darkangel

    darkangel New Member

    Only files readable by that particular web user (e.g. "web1"), right? Things like log files?

    And this is only an issue if you have vulnerable code?

    I needed to disable it because of this bug with PHP.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    All files that are readable by the web[id] user, client[id] group or that are world readable like some config files in /etc.
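The exposure till describes can be measured rather than guessed. The following shell function is an added example, not code from the thread or from ISPConfig: given the web user, its client group and a directory, it lists the regular files that user could read (world-readable, owner-readable files it owns, or group-readable files in its group), which is the set a PHP script would reach once open_basedir no longer confines it. The user and group names are placeholders taken from the naming scheme mentioned in the thread; it assumes POSIX `find` with octal `-perm` tests.

```shell
#!/bin/sh
# Added example: audit which files under a directory are readable by a given
# web user, i.e. what an unconfined PHP script running as that user could open.
# User/group names such as web1/client1 are placeholders from the thread's scheme.

# readable_by USER GROUP DIR
# Prints every regular file below DIR that satisfies at least one of:
#   - world-readable            (mode bit 004)
#   - owned by USER with u+r    (mode bit 400)
#   - group GROUP with g+r      (mode bit 040)
# Errors such as unreadable subdirectories are suppressed so the list stays clean.
readable_by() {
    user="$1"
    group="$2"
    dir="$3"
    find "$dir" -type f \( -perm -004 \
        -o \( -user "$user" -perm -400 \) \
        -o \( -group "$group" -perm -040 \) \) 2>/dev/null
}

# Count the exposed files, handy for comparing directories or before/after changes.
count_readable_by() {
    readable_by "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage when run as a script:  ./audit.sh web1 client1 /etc
if [ "$#" -eq 3 ]; then
    readable_by "$1" "$2" "$3"
fi
```

Run it against `/etc` for each web user on the box; anything listed that holds credentials (database passwords, API keys) is a candidate for tighter permissions regardless of whether open_basedir stays on, since open_basedir only restricts PHP and not other code the same user can run.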
  5. cbj4074

    cbj4074 Member

    Out of curiosity (and I'm not necessarily saying you're wrong), what has led you to conclude that PHP's open_basedir directive is hindering performance significantly?
  6. darkangel

    darkangel New Member

    Did you read the bug report that I linked to? It prevents the use of the realpath cache.
  7. cbj4074

    cbj4074 Member

    No, sorry, I had missed that hyperlink. After all, it is a bit small. :)

    I ask only so that I, too, may be informed if there is a genuine performance problem when safe_mode or open_basedir is used. I read every post in the bug report and it seems that there is indeed an issue at a significant level of scale.

    Out of curiosity alone, are you actually hosting a sufficient number of sites to feel that performance hit? If so, how many sites?
  8. darkangel

    darkangel New Member

    I don't think it has anything to do with how many sites you're hosting (we only have 2 main websites). It would affect any PHP website, but mostly larger sites with lots of file includes (which we have).
  9. cbj4074

    cbj4074 Member

    Right; that makes sense.

    Have you run benchmarks to assess the performance impact of using safe_mode or open_basedir in your particular situation?

    I'm curious just how much of an impact the inability to use the realpath cache might have. A percentage would be ideal, e.g., "Disabling safe_mode and open_basedir yields a 25% performance improvement."

    Ultimately, I'm wondering at what point a server administrator should consider disabling safe_mode and open_basedir in favor of performance -- i.e., at how many require() and/or include() statements.

    Obviously, this determination must be made on a case-by-case basis, and it will depend largely on how many and what type of sites occupy the server, but some basic guidelines would be most helpful.

    If you're willing to share your findings, thank you in advance.
  10. darkangel

    darkangel New Member
