The PHP manual states:
open_basedir (string)
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it.
Also, a little bit further...
open_basedir can affect more than just filesystem functions; for example if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir. Much of the extended functionality of PHP uses open_basedir in this way.
However, it seems that this restriction does not reach socket manipulation. On my server, even though I have set open_basedir to /home:/tmp, I can still access a socket file under /run through the socket_connect function (note that I haven't moved /var/run (/run) to some twisted location under /home or /tmp).
Is there a way to extend open_basedir's restrictions to include socket file* paths, so that it is impossible to open a socket file outside of /home and /tmp?
* I understand that socket files are not really "opened", but rather "bound to" through the socket_connect function and the bind system call. However, since open_basedir seems to apply to non-filesystem functions... I'm guessing there could be a way.
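
One way to apply an open_basedir-style directory check to Unix socket paths in code you control, as an added example that is not part of the original question. The helper names `allowed_dirs`, `resolve_socket_path` and `guarded_unix_connect` are hypothetical, and the check is a userland approximation of open_basedir's directory matching, not PHP's own implementation.

```php
<?php
declare(strict_types=1);
// Added example: these helpers are hypothetical, not PHP built-ins.

/** Parse an open_basedir-style list (e.g. "/home:/tmp") into resolved directories. */
function allowed_dirs(?string $setting = null): array
{
    $setting = $setting ?? (string) ini_get('open_basedir');
    $dirs = [];
    foreach (explode(PATH_SEPARATOR, $setting) as $dir) {
        $real = $dir === '' ? false : realpath($dir);
        if ($real !== false) {
            $dirs[] = rtrim($real, '/');
        }
    }
    return $dirs; // an empty list denies everything (fail closed)
}

/** Return the resolved socket path if it lies under an allowed directory, else null. */
function resolve_socket_path(string $path, array $dirs): ?string
{
    // Resolve the parent directory so ".." and symlinked directories cannot escape.
    $parent = realpath(dirname($path));
    if ($parent === false) {
        return null; // directory cannot be resolved: fail closed
    }
    $resolved = rtrim($parent, '/') . '/' . basename($path);
    if (is_link($resolved)) {
        return null; // the socket entry itself must not be a symlink
    }
    foreach ($dirs as $dir) {
        if (strncmp($resolved, $dir . '/', strlen($dir) + 1) === 0) {
            return $resolved;
        }
    }
    return null;
}

/** socket_connect() for AF_UNIX that refuses paths outside the allowlist. */
function guarded_unix_connect(string $path, ?string $setting = null)
{
    $resolved = resolve_socket_path($path, allowed_dirs($setting));
    if ($resolved === null) {
        trigger_error("Unix socket path not permitted: $path", E_USER_WARNING);
        return false;
    }
    $sock = socket_create(AF_UNIX, SOCK_STREAM, 0);
    if ($sock === false) {
        return false;
    }
    if (!socket_connect($sock, $resolved)) { socket_close($sock); return false; }
    return $sock;
}
```

This guard only constrains code that calls it; a script that calls socket_connect directly is not affected by it.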