php-fpm _and_ open_basedir = Necessary?

Martin "eto" Misuth eto.freebsd at
Wed May 4 18:13:43 UTC 2016

On Wed, 27 Apr 2016 15:12:33 +0200
Andy Wodfer <wodfer at> wrote:

> Now I wonder - Is open_basedir even necessary when I run php with php-fpm
> pools with their own users. From what I understand php-fpm does just this
> (jail) the daemon/process to its specified virtualhost/user homedir (hope
> this came out correctly). ?

As far as I understand it, open_basedir is "poor mans jailing" courtesy of php.
It's intended to solve path traversal problems in mass hosting configurations
usual for ISPs (using virtual hosts), eg cross domain script read/write. 

Instead of relying on higher/lower layer (depending on your pov) of isolation 
provided by os, php runtime with open_basedir configured, changes
behaviour of most php's IO related functions to prevent unintended
directory traversal. Eg it "locks" php's IO (php userland fileops,
include/require) into specific subtrees.

Ofc this has no effect on anything spawned by php's system() call or on
backticks operators, and I don't remember even if all IO functions in php
runtime are open_basedir capable. Some consider it has dubious value, others
think differently. 

Also remember that open_basedir "jails" only scripts and their IO, actual
runtime has normal access capabilities and it has nothing to do with php-fpm

Depending on how you have setup your php-fpm instances (chroot or jail, jail,
jail + chroot, fpm-pool per jail, custom users) it might be turned off even.


More information about the freebsd-questions mailing list