PHP config: open_basedir

nefiji · November 3, 2022, 12:39pm

Hey Typo3 community,

I would like to ask whether you use the PHP setting “open_basedir” in your project as an additional security net? And if not, is it because you evaluate the security benefit as marginal?

Which base directory would you even set for a composer-based installation? I’ve included my sitepackage as a local repository in …/packages, and because it’s outside of …/public I personally wouldn’t even be able to set the webroot directory as the base directory.

Would love to hear some opinions from other Typo3 system administrators.

Regards, Nefiji

steiner · November 4, 2022, 2:24pm

Hi Nefiji,

I don’t use open_basedir anywhere on my own, nor the TYPO3’s official servers. Instead, I made sure that:

each PHP (-FPM) process does run as its own user
the corresponding home directories are owned by this user
web/php users are not allowed to access each other’s home directories

In my opinion, this led to an even more hardened system, without the hassle open_basedir might add.

Cheers,
Andri

nefiji · November 9, 2022, 10:20am

Thank your for your input on this subject matter, you’ve provided some helpful informations.

Regards, Nefiji