
The PHP manual states:

open_basedir (string)

Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it.

Also, a little bit further...

open_basedir can affect more than just filesystem functions; for example if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir . Much of the extended functionality of PHP uses open_basedir in this way.

However, it seems that this restriction does not reach socket manipulation. On my server, even though I have set open_basedir to /home:/tmp, I can still access a socket file under /run through the socket_connect function (note that I haven't moved /var/run (/run) to some twisted location under /home or /tmp).

Is there a way to extend open_basedir's restrictions to include socket files'* paths, so that it is impossible to open a socket file outside of /home and /tmp?

* I understand that socket files are not really "opened", but rather "bound to" through the socket_connect function and the bind system call. However, since open_basedir seems to apply on non-filesystem functions... I'm guessing there could be a way.

John WH Smith
  • I'd love to know why my question has been migrated, since it appears to be about the setup of a PHP-enabled web server... I may be wrong though. – John WH Smith Jan 08 '15 at 14:47

0 Answers
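Since the question reports that open_basedir is not consulted by socket_connect(), one defensive option is to apply the same "inside the directory tree" rule at application level before connecting. The following is an added example, not code from the question or from PHP itself; the helper names pathAllowedByBasedir() and connectUnixSocketChecked() and the sample paths are assumptions. It resolves the socket's parent directory with realpath() (the socket file itself may not exist yet) and compares it against each open_basedir entry, splitting on PATH_SEPARATOR exactly as the directive is written in php.ini.

```php
<?php
// Added example (hypothetical helpers): mirror open_basedir's directory-tree
// rule for a Unix socket path, because open_basedir itself is reported not to
// apply to socket_connect().

function pathAllowedByBasedir(string $path, ?string $basedirSetting = null): bool
{
    // Use the running configuration unless a setting is passed in explicitly.
    $setting = $basedirSetting ?? (string) ini_get('open_basedir');
    if ($setting === '') {
        return true; // no open_basedir restriction configured at all
    }

    // Resolve symlinks and '..' in the parent directory so that a path such as
    // /home/../run/app.sock cannot escape the allowed tree.
    $dir = realpath(dirname($path));
    if ($dir === false) {
        return false; // parent directory does not exist: refuse, do not guess
    }
    $resolved = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . basename($path);

    // open_basedir entries are separated by PATH_SEPARATOR (':' on Unix, ';' on Windows).
    foreach (explode(PATH_SEPARATOR, $setting) as $allowed) {
        $allowedReal = realpath($allowed);
        if ($allowedReal === false) {
            continue; // a non-existent entry can never match
        }
        // Force a trailing separator so that /home does not also match /home2.
        // (The PHP manual documents that open_basedir itself is a plain prefix
        // match unless the entry ends with a slash.)
        $prefix = rtrim($allowedReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($resolved, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

function connectUnixSocketChecked(string $path): Socket
{
    if (!pathAllowedByBasedir($path)) {
        throw new RuntimeException("refusing socket path outside open_basedir: $path");
    }
    $sock = socket_create(AF_UNIX, SOCK_STREAM, 0);
    if ($sock === false) {
        throw new RuntimeException('socket_create failed: ' . socket_strerror(socket_last_error()));
    }
    if (!@socket_connect($sock, $path)) {
        $err = socket_last_error($sock);
        socket_close($sock);
        throw new RuntimeException('socket_connect failed: ' . socket_strerror($err));
    }
    return $sock;
}

// Constructed demonstration with the setting from the question, passed explicitly
// so the result does not depend on the php.ini of the machine running this.
$setting = '/home:/tmp';
var_dump(pathAllowedByBasedir('/tmp/app.sock', $setting));          // inside the tree
var_dump(pathAllowedByBasedir('/run/app.sock', $setting));          // outside the tree
var_dump(pathAllowedByBasedir('/tmp/../run/app.sock', $setting));   // traversal is normalised away
```

The check is only as strong as the code that calls it: every socket_connect() on a user-influenced path has to go through connectUnixSocketChecked(), so it complements rather than replaces the interpreter-level open_basedir setting, and a setting such as /home: (with the trailing slash) avoids the prefix quirk the manual describes for the directive itself.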