
Open_basedir


Russ


I have been reading up on security for Gallery2 (Gallery2 Security Discussion). It suggests that there is a security issue if open_basedir has no value. I note that for TotalChoice, the open_basedir has a "Local Value," but no "Master Value." Which are they referring to in the following snippet?

 

If your PHP is run as mod_php (generic user for all scripts), then your only hope is that PHP open_basedir (see info.php) is set restrictive enough. PHP open_basedir should be set such that your g2data folder and your gallery2 folder are in this path but no other account should be in the account. If your PHP Server API is Apache and open_basedir is empty (no value), then talk to your webhost, this is a large security risk. There's no way to secure your Gallery 2 (unless you have a dedicated server, that is, a server that is dedicated only for you and no other customer).

 

Thanks in advance for any help - sorry if this is a dumb question! :)

 

Russ


The column you're interested in is the "Local Value" column:

 

- The "Master Value" column contains the settings that are globally set for all PHP scripts across the entire server by the server's php.ini file.

 

- The "Local Value" column contains the settings that are currently in effect for your PHP script. The "Local Value" settings may be different from the "Master Value" settings due to PHP directives in the web server's configuration file (which is most likely where the open_basedir directive is set for your TCH account), .htaccess directives, or ini_set calls in a PHP script. These are all applied after PHP has read the php.ini file.

 

Since there is a value for open_basedir in the "Local Value" column, you're okay on this issue. :)

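An added example, not part of either post: a PHP script that reads the "Master Value" and "Local Value" of open_basedir through `ini_get_all()` and checks the local value against the quoted advice (gallery2 and g2data covered, no entry reaching above the account). The account paths are constructed, and the check assumes Unix-style paths and treats each entry as a plain directory without resolving symlinks.

```php
<?php
// Added example, not code from the thread. Account paths below are constructed.

// Master = value from php.ini; local = value in effect for this script.
function openBasedirValues(): array
{
    $entry = ini_get_all()['open_basedir'] ?? [];
    return [
        'master' => (string) ($entry['global_value'] ?? ''),
        'local'  => (string) ($entry['local_value'] ?? ''),
    ];
}

// True when $path equals $dir or lies beneath it (directory-boundary match).
function isWithin(string $path, string $dir): bool
{
    $path = rtrim($path, '/') . '/';
    $dir  = rtrim($dir, '/') . '/';
    return strncmp($path, $dir, strlen($dir)) === 0;
}

// Review a local open_basedir value against the quoted advice.
// Simplification: entries are plain directories, no symlink resolution.
function reviewOpenBasedir(string $local, string $accountHome, array $required): array
{
    if ($local === '') {
        return ['restricted' => false, 'missing' => $required, 'too_broad' => []];
    }
    $entries = array_filter(explode(PATH_SEPARATOR, $local), 'strlen');
    $missing = $tooBroad = [];
    foreach ($required as $path) {
        $covered = false;
        foreach ($entries as $e) { $covered = $covered || isWithin($path, $e); }
        if (!$covered) { $missing[] = $path; }
    }
    foreach ($entries as $e) {
        // A strict ancestor of the account home also exposes sibling accounts.
        if (isWithin($accountHome, $e) && rtrim($e, '/') !== rtrim($accountHome, '/')) {
            $tooBroad[] = $e;
        }
    }
    return ['restricted' => true, 'missing' => $missing, 'too_broad' => $tooBroad];
}

$v = openBasedirValues();
$home = '/home/exampleuser'; // constructed account home
print_r($v);
print_r(reviewOpenBasedir($v['local'], $home, ["$home/public_html/gallery2", "$home/g2data"]));
```

Run it through the web server rather than the command line, since the local value set in the web server's configuration only applies to requests served that way.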
