PHP Open_basedir Insurance and performance trade-offs

Source: Internet
Author: User
PHP Open_basedir Security and performance tradeoffs

Open_basedir severely affects PHP I/O performance


This is an article that I saw yesterday, after reading, I have done a bit of testing for the server and so on, indeed has the influence. After all, open_basedir in every time Require,include and judge the file, etc., must first determine whether in the executable directory. So... Performance will drop (if the frame, may be more than the performance will be less), if it is your own machine, you can usually set the file directory permissions, to prevent this situation "Linux can specify users, user groups." Windows can set the owner of the directory (at that time I was most annoyed with this, because I need to add a user for each virtual host, then specify the permissions, and then set the user on the directory) "

Here's what I see in the article:

Today, when I was doing the project, it took 0.04 seconds to find a few lines of statements.

It surprised me a great surprise. followed by a follow-up to know when I/O Read and write the most time a is_file actually took 0.003 seconds

Later, I was baffled by Google and there was no answer to it.

Then I put the project on another computer and found that the speed straight up from the previous 0.04 seconds into about 0.007 seconds.

I wonder if my laptop is so lame.

After my comparison I found that the Open_basedir was set up in the virtual host of this project on my machine.

Everyone knows this is essential for a virtual host.

But then I tested it again.

My test code is very simple:

PHP code
$time = Microtime (true);???
02.is_file (' 1.html ');???
03.echo Microtime (True)-$time;???

I got an empty 1.html file. This file is absolutely present in the current directory.

I created a new virtual host and set up a open_basedir.

The result is about 0.0018570423126221.

And then I went into Apache config file and removed the Open_basedir.

The result is 5.0067901611328E-5 the result is smaller than the decimal point in PHP can not represent the

(Note: The results above are the result of running the cache multiple times because the results of the is_file are cached)

Now I finally understand why the performance of I/O in the Web-hosting probes is so small.

Cup with AH.


You can also test: Measured so.


----------------------
Cancel the setting, or: /:./:/tmp:.. /.. /?
----------------------

?

The following is the original description in php.ini and the default configuration:
; Open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes more sense if used in a per-directory or
; Per-virtualhost Web server configuration file. This directive is
; *not* affected by whether Safe Mode was turned on or Off.
Open_basedir =.
Open_basedir can limit the active scope of user access files to the specified area, usually the path of their home directory, or
Available symbols "." To represent the current directory. Note that the limit specified with Open_basedir is actually a prefix, not a directory name.
For example: if "Open_basedir =/dir/user", then the directory "/dir/user" and "/dir/user1" are
You can access the. So if you want to restrict access to only the specified directory, end the path name with a slash. For example, set to:
"Open_basedir =/dir/user/"

Open_basedir can also set up multiple directories at the same time, separate directories in Windows with semicolons, and in any other system
Colon-delimited directory. When it acts on the Apache module, the Open_basedir path in the parent directory is automatically inherited.

There are three ways to make a separate setting for a specified user in Apache:

(a) The appropriate Setup method for the directory in Apache httpd.conf:

Php_admin_value open_basedir/usr/local/apache/htdocs/
#设置多个目录可以参考如下:
Php_admin_value open_basedir/usr/local/apache/htdocs/:/tmp/


(b) The corresponding setup method for VirtualHost in Apache httpd.conf:
Php_admin_value open_basedir/usr/local/apache/htdocs/
#设置多个目录可以参考如下:
Php_admin_value open_basedir/var/www/html/:/var/tmp/

(c) Since Open_basedir is set in VirtualHost, this virtual user will no longer automatically inherit php.ini
Open_basedir setting values, it is difficult to achieve flexible configuration measures, so we recommend that you do not virtualhost
This limit is set in the. For example, you can set Open_basedir = in php.ini.:/ tmp/, this setting means allowing
Access the current directory (that is, the directory where the php script files are located) and the/tmp/directory.

Please note: If the upload file temp directory set in php.ini is/tmp/, then setting Open_basedir must be
Include/tmp/, which will cause the upload to fail. The new PHP will prompt "Open_basedir restriction in effect"
Warning message, but the Move_uploaded_file () function can still successfully remove the upload file from the/tmp/directory without knowing
This is a bug or a new feature.

Configuration for the ShopEx472 version:

Open_basedir = "D:/server; /catalog, .... /include, .... /.. Home/home;.. /syssite, .... /templates, .... /language, .... /.. /language, .... /.. /.. /language, .... /.. /.. /.. /language "

The security and performance of the website seems to be the relationship between spear and shield. For a PHP site, especially difficult to choose . The simplest example: thePHP configuration file open_basedir restricts the files that PHP can open to the specified directory tree, including the file itself. Originally this is very advantageous to the website security, but according to the author from the net obtains the data to see, Open_basedir will have the very big influence to the PHP operation IO performance. The research data show that the script io configured with Php_basedir is 10 times times slower or more than it is not configured!

?

At first, I didn't really believe the result, but the test data persuaded me to admit it.

To create a simple script:

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

function microtime_float()

{

????list($usec, $sec) = explode(" ", microtime());

????return ((float)$usec + (float)$sec);

}

??

$time_start = microtime_float();

??

is_file('1.html');? //判断当前目录是否有1.html这个文件

$time_end = microtime_float();

$time = $time_end - $time_start;

??

echo "Did is_file in $time seconds\n";

?>

Test results for Open_basedir
0.0006/5.0e-5
The gap is quite large, but smart friends should note that the author of the site configuration Open_basedir, relative to this loss of performance, I would rather choose to sacrifice performance, in exchange for security, your choice? Do not guess, you may and my choice is consistent ~ after all, server security is more important.

Tip: How to configure Open_basedir
When a script tries to open a file with an example of fopen () or Gzopen (), the location of the file is checked. When the file is outside the specified directory tree, PHP will refuse to open it. All symbolic connections are parsed, so it is not possible to circumvent this restriction by symbolic connections.

Special values. Indicates that the working directory of the script will be used as the base directory. But this is a bit risky because the working directory of the script can easily be changed by ChDir ().

In the httpd.conf file, Open_basedir can be turned off, like any other configuration option, with "Php_admin_value open_basedir none" (for example, in some virtual hosts).

In Windows, separate the directories with semicolons. Separate the directories with colons in any other system. As an Apache module, the Open_basedir path in the parent directory is automatically inherited.

The limit specified with Open_basedir is actually a prefix, not a directory name. This means "Open_basedir =/dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. If you want to restrict access to only the specified directory, end the path name with a slash. For example: "Open_basedir =/dir/incl/".

?

?

?

?

?

?

?

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.