← Back to glossary

open_basedir Restriction

security CWE-22 OWASP A5:2021 PHP 4.0+ Intermediate

Also Known As

open_basedir restriction PHP basedir PHP filesystem restriction

TL;DR

A PHP INI directive that restricts file operations to a specified directory tree, limiting the blast radius of path traversal and LFI attacks.

Explanation

open_basedir limits PHP's file functions (fopen, file_get_contents, include, require, etc.) to files within the specified path prefix. An attacker who achieves LFI or path traversal is then confined to the permitted directory and cannot read /etc/passwd or other sensitive files outside the web root. Set it to the application directory and any required upload/temp paths: open_basedir = /var/www/html:/tmp. Note that open_basedir is a defence-in-depth measure — it does not replace input validation, and some bypass techniques exist on misconfigured servers.

Common Misconception

✗ open_basedir is a reliable security boundary. It restricts PHP file functions but is bypassable via certain PHP extensions, symlinks, and glob() patterns in some configurations. It is a useful defence-in-depth layer, not a hard security guarantee.

Why It Matters

open_basedir restricts PHP's file operations to a designated directory tree — even if an LFI or path traversal vulnerability exists, the attacker cannot read files outside the allowed paths.

Common Mistakes

Not configuring open_basedir in production — a path traversal vulnerability can then read any world-readable file.
Setting open_basedir to / (root) which is equivalent to disabling it.
Including /tmp in open_basedir without realising session files, uploads, and shell upload targets may be in /tmp.
Not testing that open_basedir restrictions survive php.ini overrides in user .htaccess files.

Code Examples

✗ Vulnerable

# php.ini — open_basedir not configured:
; open_basedir =  (commented out — no restriction)
; Attacker can read: include '../../../../etc/passwd';

✓ Fixed

; php.ini — restrict PHP filesystem access to specified paths
open_basedir = /var/www/app:/tmp
; PHP raises an error if it tries to access files outside these dirs
; Mitigates path traversal and LFI impact significantly

; Per virtual host (overrides global):
; fastcgi_param PHP_VALUE "open_basedir=/var/www/site1:/tmp";

; PHP code — detect if restriction is active:
if (ini_get('open_basedir')) {
    // Filesystem is restricted
}

; Note: not a security boundary for determined attackers with code execution
; but raises the bar significantly for exploitation
; Combine with: chroot jails, seccomp, read-only mounts

References

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,445 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 8 Perplexity 6 Google 2 Unknown AI 2 Ahrefs 2 ChatGPT 2 Majestic 1 SEMrush 1

Also referenced

php.ini Security Settings 43 Defence in Depth 31 Local File Inclusion (LFI) 30 Path Traversal 27

How they use it

crawler 21 crawler_json 2 pre-tracking 1

Related categories

php 6.6k security 4.2k general 1.5k

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: Low

⚡ Quick Fix

Set open_basedir=/var/www/html:/tmp in php.ini to restrict PHP to only those directories — it prevents path traversal attacks from escaping the webroot even if your code has an LFI vulnerability

📦 Applies To

PHP 4.0+ web

🔗 Prerequisites

Local File Inclusion (LFI) php.ini Security Settings Linux File Permissions

🔍 Detection Hints

open_basedir not set; PHP accessing files outside webroot via path traversal; include/require with user-controlled paths

Auto-detectable: ✓ Yes lynis phpinfo semgrep

⚠ Related Problems

Local File Inclusion (LFI) Path Traversal php.ini Security Settings

🤖 AI Agent

Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: Line

CWE-22