{
    "slug": "open_basedir",
    "term": "open_basedir Restriction",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A PHP INI directive that restricts file operations to a specified directory tree, limiting the blast radius of path traversal and LFI attacks.",
    "long": "open_basedir limits PHP's file functions (fopen, file_get_contents, include, require, etc.) to files within the specified path prefix. An attacker who achieves LFI or path traversal is then confined to the permitted directory and cannot read /etc/passwd or other sensitive files outside the web root. Set it to the application directory and any required upload/temp paths: open_basedir = /var/www/html:/tmp. Note that open_basedir is a defence-in-depth measure — it does not replace input validation, and some bypass techniques exist on misconfigured servers.",
    "aliases": [
        "open_basedir restriction",
        "PHP basedir",
        "PHP filesystem restriction"
    ],
    "tags": [
        "php",
        "configuration",
        "lfi",
        "defence-in-depth"
    ],
    "misconception": "open_basedir is a reliable security boundary. It restricts PHP file functions but is bypassable via certain PHP extensions, symlinks, and glob() patterns in some configurations. It is a useful defence-in-depth layer, not a hard security guarantee.",
    "why_it_matters": "open_basedir restricts PHP's file operations to a designated directory tree — even if an LFI or path traversal vulnerability exists, the attacker cannot read files outside the allowed paths.",
    "common_mistakes": [
        "Not configuring open_basedir in production — a path traversal vulnerability can then read any world-readable file.",
        "Setting open_basedir to / (root) which is equivalent to disabling it.",
        "Including /tmp in open_basedir without realising session files, uploads, and shell upload targets may be in /tmp.",
        "Not testing that open_basedir restrictions survive php.ini overrides in user .htaccess files."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "lfi",
        "path_traversal",
        "php_ini",
        "defence_in_depth"
    ],
    "prerequisites": [
        "lfi",
        "php_ini",
        "linux_file_permissions"
    ],
    "refs": [
        "https://www.php.net/manual/en/ini.core.php#ini.open-basedir",
        "https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html"
    ],
    "bad_code": "# php.ini — open_basedir not configured:\n; open_basedir =  (commented out — no restriction)\n; Attacker can read: include '../../../../etc/passwd';",
    "good_code": "; php.ini — restrict PHP filesystem access to specified paths\nopen_basedir = /var/www/app:/tmp\n; PHP raises an error if it tries to access files outside these dirs\n; Mitigates path traversal and LFI impact significantly\n\n; Per virtual host (overrides global):\n; fastcgi_param PHP_VALUE \"open_basedir=/var/www/site1:/tmp\";\n\n; PHP code — detect if restriction is active:\nif (ini_get('open_basedir')) {\n    // Filesystem is restricted\n}\n\n; Note: not a security boundary for determined attackers with code execution\n; but raises the bar significantly for exploitation\n; Combine with: chroot jails, seccomp, read-only mounts",
    "quick_fix": "Set open_basedir=/var/www/html:/tmp in php.ini to restrict PHP to only those directories — it prevents path traversal attacks from escaping the webroot even if your code has an LFI vulnerability",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/open_basedir",
        "html_url": "https://codeclaritylab.com/glossary/open_basedir",
        "json_url": "https://codeclaritylab.com/glossary/open_basedir.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[open_basedir Restriction](https://codeclaritylab.com/glossary/open_basedir) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/open_basedir"
            }
        }
    }
}