[BlueOnyx:14300] Re: open basedir

Michael Stauber mstauber at blueonyx.it
Thu Jan 23 13:11:57 PET 2014

Hi RC,

> Can open_basedir be turned off or on per site bases?
> Found this posted on the joomla forum from a Joomla Master
> Contact your host. cUrl and Open_base/Safe_Mode won't fly together. Your 
> alternative is to download the 3.1.1 package (or the patch), extract 
> locally and upload manually and overwrite all files and folders except 
> for the installation folder.
> Alternative 2 is more appropriate: Change host since no proper host 
> needs these days open_base or safe_mode

Was this a Joomla developer who said that? If so, it just reinforces
what I've been thinking about them all along: Despite years of blatant
security holes in their code they haven't changed their mindset one bit.

"Safe Mode" is only an issue if you're using a PHP older than PHP-5.3.0.
Starting with PHP-5.3.0 "Safe Mode" got deprecated and as a result: If
the BlueOnyx GUI detects you're using a PHP-5.3 or a newer one than
that, then "Safe Mode" will be removed from the php.ini or the PHP flags
in the Vhost container to avoid PHP from complaining about this
deprecated switch. Otherwise it would complain regardless if you'd set
"Safe Mode" to "on" or "off".

So if you have "Safe Mode" issues, you're using PHP-5.2 or older, which
might not be the best of ideas to begin with.

As for "open_basedir": It's there and it's going to stay. Unless we stop
using PHP as DSO and just support suPHP. Without 'open_basedir' we can't
properly compartmentalize the scripts Vsites and scripts from one site
could access files from other Vsites.

You already have the option to add / to the open_basedir path for
Vsites, which would allow the scripts access to anything that they have
read/write access to based on their UID/GID. Which is a bad idea, too
and security minded people would avoid that.

Now if you really insist on removing 'open_basedir', you could turn on
suPHP for the Vsite in question. Then edit the php.ini of that Vsite
(use "chattr -i php.ini" on it first) and could remove that line in
question. But in my opinion it's not something you should do, as it
lowers the overall security.

With best regards

Michael Stauber

More information about the Blueonyx mailing list