Why use open_basedir with PHP as FastCGI on IIS?

Question

I've seen several tutorials explaining PHP installation under IIS as FastCGI recommending to set open_basedir to point to the folder or network path where the content of the Web site(s) is located.

When I set open_basedir on my application server, the following error showed up when managing files: Warning: open_basedir restriction in effect. File(C:\Windows\Temp\php92E7.tmp) is not within the allowed path(s): (C:\inetpub\wwwroot)

I understand I can set a temp directory under inetpub, but I don't see why is it a problem to use windows\temp.

Is there any safety flaw with PHP as FastCGI on IIS the demands open_basedir restrictions? If not, why is it recommended? Or is it not necessary? Is it possible to get open_basedir advantages using AppPool Identity with correct Permissions?

Answer 1

Setting open_basedir (not only on Windows with IIS but with any platform on any web server) is a security measure to restrict what files your application can read, write, and include.

It is not really a security flaw that PHP can include any file with PHP code from anywhere in the file system, but it is a feature. You may, for example, have some files on the web root, and other files out of the web root (they won't be accessible by the web server but they will be accessible by PHP).

However, if you have a flaw in your program, your users may be able to read or include (or even write) files which are not part of your application. Those may be system files, user-uploaded files or other application's files. That's why open_basedir is important.

As a note, after setting open_basedir, set also the paths for other PHP functions (for example, upload_tmp_dir) as they should be also under the open_basedir path.