Disable PHP's open.base_dir restriction by default
Every configured hosting/website gets their proper own user with their own permissions. If you run your website with the PHP-FPM handler, the processes properly run with this very user.
Why is there still open.base_dir restrictions applied by default? I don't really see the point.
Why am I asking? Enabling open.basedir has a massively (!) negative impact on performance. PHP's internal realpath cache is automatically disabled when open.basedir is activated which slows down all the file operation calls tremendously.
As the user permissions are properly set up, this is imho a missed opportunity for free performance gains.
Sources:
- Does that setting disable the realpath cache? See https://www.php.net/manual/en/ini.core.php#ini.open-basedir
- Why is the realpath cache disabled when open.base_dir is activated? https://bugs.php.net/bug.php?id=53263
- Why is open.base_dir not meant to be used as a security feature anyway? https://www.php.net/security-note.php
Yanick
shared this idea
Plesk acknowledges that there has been a discussion in the PHP community to remove open_basedir from newer PHP versions, but even PHP developers came to the conclusion that it should not be removed. Yes, there are performance impacts, but with all types of security software like network filters, e.g. iptables (and Fail2Ban log analyzer), ModSecurity and antivirus solutions this is just normal and expected. Plesk puts security first, and if there are options to make a site more secure, we'll always prefer these options. open_basedir may not be the best security feature, but it adds some security. This request has not gained much popularity during the past years either. For these reasons we must decline it.
-- PD