Security and open_basedir

March 12, 2012

Seeing a lot of osCommerce 2.2-RC2a sites being hacked, I discovered that web hosts really underestimate the power of PHP's open_basedir. open_basedir is a php.ini setting that limits the paths a script may access. Many web hosts set it to the customer's home folder, like /home/user/. Why? This is a huge risk if a customer runs several domains under one user account, i.e. /home/user/domains/site.com, /home/user/domains/anothersite.com etc.

With a setting like that, the good news is that every domain can access the others' internal files. Who does that anyway? The bad news is in fact the same: an infection could, and probably would, spread over all your domains. Some hosts let you change the open_basedir setting using a custom php.ini or .htaccess. That can come in handy to limit the damage your own scripts can do when you experiment with code, but it doesn't stop a hacker, because anyone who can write files to the site can change those files too.

The solution is to lock the open_basedir setting in the web hosting control panel, where the hacker hopefully has no access. Ask your web hosting provider if they support open_basedir on a per-user (per-domain) level.

Edit: Thank you, Jonas from F S Data, for pointing out that this method does not stop intruders from gaining access through shell commands. If you rely on open_basedir for security, also disable PHP functions such as system, exec, passthru, shell_exec etc.

php.ini example. First the common home-wide setting, where every domain under the account shares one sandbox and no functions are disabled:

open_basedir = "/tmp:/usr/bin:/home/user"

disable_functions =

And the per-domain setting recommended above, with the shell functions disabled:

open_basedir = "/tmp:/usr/bin:/home/user/domains/site.com"

disable_functions = "exec, passthru, shell_exec, system, proc_open, popen"
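As an added example (not code from the original post), here is a self-check a hosting customer or admin can place in one site's document root, request once, and then delete. It reports the effective open_basedir and disable_functions for that vhost, i.e. the values after any custom php.ini or .htaccess override the host allows, and it flags exactly the home-wide setting criticised above. It assumes the site should reach only its own document root plus /tmp and /usr/bin (the shared entries from the php.ini lines above), that $_SERVER['DOCUMENT_ROOT'] is the site's top directory, and it uses the function list from the disable_functions line; the function names iniPathList, pathWithin and auditVhost are my own.

```php
<?php
// Added example (not from the original post): per-vhost self-check for the
// open_basedir and disable_functions settings discussed above. It reports the
// *effective* values, i.e. after any custom php.ini or .htaccess override.
// Assumptions: the site should reach only its own document root plus the
// shared directories in $sharedAllowed; DOCUMENT_ROOT is the site's top directory.

// The functions named in the disable_functions line of the post.
$shellFunctions = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

// Shared directories acceptable beside the document root (from the post's php.ini line).
$sharedAllowed = ['/tmp', '/usr/bin'];

/** Split an ini path list on PATH_SEPARATOR (":" on Unix) into trimmed, non-empty entries. */
function iniPathList($value)
{
    $entries = array_map('trim', explode(PATH_SEPARATOR, (string) $value));
    return array_values(array_filter($entries, 'strlen'));
}

/** True when $path equals $base or lies below it on a directory boundary. */
function pathWithin($path, $base)
{
    $base = rtrim($base, '/');
    return $path === $base || strpos($path, $base . '/') === 0;
}

/** Return a list of findings for this vhost; an empty list means every check passed. */
function auditVhost($docroot, array $shellFunctions, array $sharedAllowed)
{
    $findings = [];
    $docroot  = rtrim(realpath($docroot) ?: $docroot, '/');

    // 1. open_basedir must be set and must not reach above this site's document root.
    $entries = iniPathList(ini_get('open_basedir'));
    if ($entries === []) {
        $findings[] = 'open_basedir is unset: scripts can read any file the web server user can.';
    }
    $coversDocroot = false;
    foreach ($entries as $entry) {
        if ($entry[0] !== '/') {
            // "home/user" instead of "/home/user" is resolved against the current
            // working directory, so it does not confine the account at all.
            $findings[] = "open_basedir entry '$entry' is relative, not an absolute path.";
            continue;
        }
        $entry = rtrim($entry, '/') ?: '/';
        if (in_array($entry, $sharedAllowed, true)) {
            continue;
        }
        if (!pathWithin($docroot, $entry)) {
            $findings[] = "open_basedir entry '$entry' lies outside this site.";
            continue;
        }
        $coversDocroot = true;
        if ($entry !== $docroot) {
            // The home-wide setting: every domain under $entry shares one sandbox,
            // so a compromise of one site can reach the others.
            $findings[] = "open_basedir entry '$entry' is an ancestor of the document root.";
        }
    }
    if ($entries !== [] && !$coversDocroot) {
        $findings[] = "no open_basedir entry covers $docroot; PHP cannot read the site's own files.";
    }

    // 2. Each shell-spawning function must be disabled. function_exists() returns
    // false for a function listed in disable_functions, so it is the authoritative test.
    foreach ($shellFunctions as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn() is still callable; add it to disable_functions.";
        }
    }

    // 3. Live probe: the directory above the document root must be unreachable.
    // With a home-wide open_basedir this fires for every sibling domain.
    $parent = dirname($docroot);
    if (@is_dir($parent)) {
        $findings[] = "the directory above the document root ($parent) is readable from this site.";
    }

    return $findings;
}

header('Content-Type: text/plain');
$findings = auditVhost($_SERVER['DOCUMENT_ROOT'], $shellFunctions, $sharedAllowed);
echo $findings === []
    ? "OK: this vhost is confined to its own document root.\n"
    : "FINDINGS:\n- " . implode("\n- ", $findings) . "\n";
```

Two notes on what the checks can and cannot tell you. disable_functions is a PHP_INI_SYSTEM setting, so it cannot be changed from .htaccess or ini_set(); on a CGI/FastCGI host that gives each customer their own php.ini, however, that file is the one that decides, which is the hole the control-panel approach above closes. open_basedir can be tightened at runtime but not loosened, so the probe in step 3 reflects the strictest value in effect for the request, not necessarily what the host's global php.ini says.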