I have PHP for my virtualhosts locked down so they can only execute scripts and access files that are in their subdirectories, but does this take priority over include_path as well? For example:

<VirtualHost *>
ServerName www.domain.com
ServerAdmin webmaster@domain.com
DocumentRoot d:/apache/sites/www.domain.com/www
ScriptAlias /cgi-bin/ "d:/apache/sites/www.domain.com/cgi-bin/"
ErrorLog d:/apache/sites/www.domain.com/logs/error.log
CustomLog d:/apache/sites/www.domain.com/logs/access.log common
php_admin_flag safe_mode on
php_admin_flag allow_url_fopen off
php_admin_flag register_globals off
php_admin_value doc_root "d:/apache/sites/www.domain.com/www"
php_admin_value include_path ".;d:\php\includes;d:\php\pear"
php_admin_value open_basedir "d:/apache/sites/www.domain.com"
php_admin_value safe_mode_exec_dir "d:/apache/sites/www.domain.com/www"
php_admin_value session.save_path "d:/apache/sites/www.domain.com/sessiondata"
php_admin_value upload_tmp_dir "d:/apache/sites/www.domain.com/uploadtemp"
php_value upload_max_filesize 1024000
<FilesMatch ".(cgi|pl|shtml|shtm)$">
AllowOverride None
Order deny,allow
deny from all
</FilesMatch>
</VirtualHost>

Even though it is in the include_path, my virtualhost site is not able to access the PEAR folder unless I remove the open_basedir. Does anyone know of any way that the include_path will work with the open_basedir at the same time?

I am running Apache 1.3.26/PHP 4.2.2 on Win2k SP3. Any help will be greatly appreciated.

    When you set safe mode, people are able to include files if:

    (1) The ownership of the file matches the ownership of the php script being executed. Ditto for readfile(), include_once(), etc.

    (2) The included file is in a path set in safe_mode_include_dir (the configuration setting).

    Now, open_basedir is actually a directory that, if set, restricts all file operations, such as fopen() and the like. I'm not sure whether including something in open_basedir will permit an include(), overriding the uid/gid matching, but you can get around the whole issue by setting a safe_mode_include_dir (and it probably wouldn't hurt to make sure it included "." as part of it, so files in the same directory as the script can be included).

      RTFM!!!

      Straight from PHP.net

      http://www.php.net/manual/en/printwn/configuration.php#ini.open-basedir
      Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

      So, essentially, it looks like you need something like:

      php_admin_value open_basedir "d:/apache/sites/www.domain.com/;d:/php/includes/;d:/php/pear/;."

      The trailing slashes are important too.

      I'm not 100% sure whether the ';.' is required, so you might want to try with and without.
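
Added example, not part of the original thread: a small Python check that reports which include_path entries a vhost's open_basedir would refuse, and which open_basedir entries lack the trailing slash. It assumes the prefix-matching behaviour the PHP manual described for open_basedir in PHP versions of that era; the function names and the two sample configs (built from the settings quoted above) are constructed for illustration.

```python
import re

# Constructed samples: the poster's two directives, then the open_basedir from the reply.
ORIGINAL = r'''
php_admin_value include_path ".;d:\php\includes;d:\php\pear"
php_admin_value open_basedir "d:/apache/sites/www.domain.com"
'''
SUGGESTED = r'''
php_admin_value include_path ".;d:\php\includes;d:\php\pear"
php_admin_value open_basedir "d:/apache/sites/www.domain.com/;d:/php/includes/;d:/php/pear/;."
'''

def norm(path):
    """Lower-case and use forward slashes so Windows paths compare consistently."""
    return path.replace("\\", "/").lower()

def setting(conf, name):
    """Return the semicolon-separated entries of one php_admin_value directive."""
    pattern = r'^\s*php_admin_value\s+%s\s+"([^"]*)"' % re.escape(name)
    m = re.search(pattern, conf, re.M)
    return [norm(p) for p in m.group(1).split(";") if p] if m else []

def allowed(path, basedirs):
    """Assumed model: each open_basedir entry is a plain string prefix.
    '.' (the script's working directory) is not modelled and is skipped."""
    target = path.rstrip("/") + "/"
    return any(target.startswith(b) for b in basedirs if b != ".")

def blocked_includes(conf):
    """include_path entries (other than '.') that open_basedir would refuse."""
    basedirs = setting(conf, "open_basedir")
    return [p for p in setting(conf, "include_path")
            if p != "." and not allowed(p, basedirs)]

def loose_basedirs(conf):
    """open_basedir entries without a trailing slash; as prefixes they also
    match sibling names (d:/php/pear would admit d:/php/pear2)."""
    return [b for b in setting(conf, "open_basedir")
            if b != "." and not b.endswith("/")]

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, "blocked:", blocked_includes(conf),
              "no trailing slash:", loose_basedirs(conf))
```
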
