
open_basedir Restriction

Security CWE-22 OWASP A5:2021 PHP 4.0+ Intermediate
debt(d5/e1/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list lynis, phpinfo, and semgrep — these are specialist security/SAST tools rather than default linters or compilers. A missing or misconfigured open_basedir won't surface as a compile or lint error; it requires running a server auditor (lynis) or SAST scanner (semgrep), or manually inspecting phpinfo() output.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix is explicit: add 'open_basedir=/var/www/html:/tmp' to php.ini — a single configuration line. No code refactor is needed; it's a pure ini-level change.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is web contexts only, and open_basedir is a php.ini/server configuration concern. It imposes a modest ongoing tax — developers must remember path allowances when adding new upload directories, session paths, or tmp usage — but it doesn't reshape the broader codebase or affect non-web contexts.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field states directly that open_basedir is treated as a reliable security boundary, when in fact it is bypassable via certain PHP extensions, symlinks, and glob() patterns. This contradicts the intuition developers bring from OS-level chroot or filesystem ACLs. Additional traps in common_mistakes include setting it to '/' (disabling it silently), inadvertently including /tmp as an escape vector, and .htaccess overrides silently voiding the restriction — all of which a competent developer would likely get wrong without specific PHP knowledge.


Also Known As

open_basedir restriction, PHP basedir, PHP filesystem restriction

TL;DR

A PHP INI directive that restricts file operations to a specified directory tree, limiting the blast radius of path traversal and LFI attacks.

Explanation

open_basedir limits PHP's file functions (fopen, file_get_contents, include, require, etc.) to files within the specified path prefix. An attacker who achieves LFI or path traversal is then confined to the permitted directory and cannot read /etc/passwd or other sensitive files outside the web root. Set it to the application directory and any required upload/temp paths: open_basedir = /var/www/html:/tmp. Note that open_basedir is a defence-in-depth measure — it does not replace input validation, and some bypass techniques exist on misconfigured servers.

Common Misconception

The misconception is that open_basedir is a reliable security boundary. It restricts PHP file functions but is bypassable via certain PHP extensions, symlinks, and glob() patterns in some configurations. It is a useful defence-in-depth layer, not a hard security guarantee.

Why It Matters

open_basedir restricts PHP's file operations to a designated directory tree — even if an LFI or path traversal vulnerability exists, the attacker cannot read files outside the allowed paths.

Common Mistakes

  • Not configuring open_basedir in production — a path traversal vulnerability can then read any world-readable file.
  • Setting open_basedir to / (root) which is equivalent to disabling it.
  • Including /tmp in open_basedir without realising session files, uploads, and shell upload targets may be in /tmp.
  • Not testing that open_basedir restrictions survive php.ini overrides in user .htaccess files.
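
The mistakes listed above can be checked mechanically. The following is an added example, not code from the original page: `audit_open_basedir()` is a hypothetical helper, the sample values are constructed, and the `.` check comes from the PHP manual rather than from this page.

```php
<?php
// Added example, not from the original page: flags the mistakes listed above.
// audit_open_basedir() and its messages are hypothetical names for illustration.

function audit_open_basedir(string $value, string $sep = PATH_SEPARATOR): array
{
    if (trim($value) === '') {
        return ['not set: PHP file functions are unrestricted'];
    }
    $findings = [];
    foreach (explode($sep, $value) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;                          // empty segment, e.g. trailing separator
        }
        $dir = rtrim($entry, '/');             // "/" and "//" both reduce to ""
        if ($dir === '') {
            $findings[] = 'entry "/" allows the whole filesystem, same as disabled';
        } elseif ($dir === '/tmp') {
            $findings[] = 'entry "/tmp" is shared: session files and uploads may live there';
        } elseif ($dir === '.') {
            $findings[] = 'entry "." follows the working directory, which chdir() can change';
        }
    }
    return $findings;
}

// Constructed sample values, not taken from a real server.
$samples = ['', '/', '/var/www/html:/tmp', '/var/www/app:/var/www/app/tmp'];
foreach ($samples as $sample) {
    $f = audit_open_basedir($sample, ':');
    printf("%-34s %s\n", var_export($sample, true), $f ? implode('; ', $f) : 'ok');
}

// Effective value for the current request: global_value is the startup
// configuration, local_value is what actually applies to this request.
$ini = ini_get_all(null, true)['open_basedir'];
printf("global=%s local=%s\n",
    var_export($ini['global_value'], true),
    var_export($ini['local_value'], true));
foreach (audit_open_basedir((string) $ini['local_value']) as $finding) {
    echo "live: $finding\n";
}
```

Run it through the same SAPI and from the same directory as the application, so that any per-directory overrides are reflected in `local_value`.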

Code Examples

✗ Vulnerable
; php.ini — open_basedir not configured:
; open_basedir =  (commented out — no restriction)
; Attacker can read: include '../../../../etc/passwd';
✓ Fixed
; php.ini — restrict PHP filesystem access to specified paths
open_basedir = /var/www/app:/tmp
; PHP raises an error if it tries to access files outside these dirs
; Mitigates path traversal and LFI impact significantly

; Per virtual host, set in the nginx config rather than php.ini (overrides global):
; fastcgi_param PHP_VALUE "open_basedir=/var/www/site1:/tmp";

; PHP code — detect if restriction is active:
if (ini_get('open_basedir')) {
    // Filesystem is restricted
}

; Note: not a security boundary for determined attackers with code execution
; but raises the bar significantly for exploitation
; Combine with: chroot jails, seccomp, read-only mounts

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Set open_basedir=/var/www/html:/tmp in php.ini to restrict PHP to only those directories — it prevents path traversal attacks from escaping the webroot even if your code has an LFI vulnerability
📦 Applies To
PHP 4.0+ web
🔗 Prerequisites
🔍 Detection Hints
open_basedir not set; PHP accessing files outside webroot via path traversal; include/require with user-controlled paths
Auto-detectable: ✓ Yes lynis phpinfo semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-22

