PHP config: open_basedir

Hey Typo3 community,

I would like to ask whether you use the PHP setting “open_basedir” in your project as an additional security net? And if not, is it because you evaluate the security benefit as marginal?

Which base directory would you even set for a composer-based installation? I’ve included my sitepackage as a local repository in …/packages, and because it’s outside of …/public I personally wouldn’t even be able to set the webroot directory as the base directory.

Would love to hear some opinions from other Typo3 system administrators.

Regards, Nefiji

Hi Nefiji,

I don’t use open_basedir anywhere on my own, nor the TYPO3’s official servers. Instead, I made sure that:

  • each PHP (-FPM) process does run as its own user
  • the corresponding home directories are owned by this user
  • web/php users are not allowed to access each other’s home directories

In my opinion, this led to an even more hardened system, without the hassle open_basedir might add.


Thank your for your input on this subject matter, you’ve provided some helpful informations.

Regards, Nefiji