When you set PHP's open_basedir restriction, PHP will deactivate the realpath cache.
This will decrease the performance of any PHP application which uses
multiple files (
require_once) like WordPress,
Drupal and Magento -- just to mention a few.
The decision to deactivate the realpath cache when using open_basedir (and the previous safe_mode) restriction was made when the PHP team fixed CVE-2006-5178. Please see PHP's bug report 52312 for further information.
The realpath_turbo PHP extension, created by Artur Graniszewski, is a workaround:
Instead of setting
open_basediryou will set
open_basedirisn't set, PHP will not deactivate the realpath cache.
When the realpath_turbo extension will be loaded, it will set the
open_basedirrestriction, which won't deactivate the realpath cache which will happen if you set the
open_basedirrestriction in your
Download the realpath_turbo source code.
Extract and compile the extension
$ tar -xaf realpath_turbo* $ cd realpath_turbo* $ phpize $ ./configure $ make $ make test NO_INTERACTION=1 # make install
php.inito load and configure realpath_turbo extension.
; you have to load the extension first extension=realpath_turbo.so ; Disable dangerous functions (see the warning in the README file for ; details). ; Possible values: ; 0 - Ignore potential security issues ; 1 - Disable dangerous PHP functions (link,symlink) realpath_turbo.disable_dangerous_functions = 1 ; Set realpath_turbo.open_basedir to whatever you want to set open_basedir to realpath_turbo.open_basedir = "/var/www/html/drupal:/usr/share/php" ; Disable PHP's open_basedir directive so that the realpath cache won't be ; disabled. ; Remember, realpath_turbo will set this option later to the ; realpath_turbo.open_basedir value. open_basedir = ""
It is very important to deactivate any PHP function which can be used
to create/manipulate symlinks. If you don't do that, any attacker could
create or manipulate a symlink to bypass the
But even if you have disabled those functions in PHP you still maybe at risk: If you allow your users to create symlinks because they have shell access, they could do the same.
So it is more than just PHP you have to take care of when you rely on
open_basedir restriction and want to use realpath_turbo.
Therefore realpath_turbo is not recommended for any shared hosting
environment. Instead of relying on
open_basedir, you should create VMs or
use containers (LXC) to safely separate your users without any performance
See http://www.php.net/security-note.php for more information.