
Extend documentation for open_basedir #5644

Description

@thomas-0816

Affected page

https://www.php.net/manual/en/ini.core.php#ini.open-basedir

Issue description

Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.

This is in general true for files, but does not apply to unix sockets.

I'd recommend adding a warning that open_basedir does not block access to unix sockets.

Here is some example code to connect to the docker socket /var/run/docker.sock:

<?php

// Talks HTTP to the Docker daemon over its unix socket. The unix:// transport
// is not subject to the open_basedir check, so this works even when the
// script itself is confined to an unrelated directory tree.
function listDockerContainers(): array
{
    $socketPath = 'unix:///var/run/docker.sock';
    $socket = stream_socket_client($socketPath, $errno, $errstr, 5);
    if (!$socket) {
        throw new RuntimeException("Failed to connect: $errstr ($errno)");
    }
    // Minimal HTTP/1.1 request; Connection: close lets us read until EOF.
    fwrite($socket, "GET /containers/json?all=true HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n");
    $response = stream_get_contents($socket);
    fclose($socket);
    // Split the raw response into header block and body.
    $parts = explode("\r\n\r\n", $response, 2);
    $headers = $parts[0];
    $body = $parts[1] ?? '';
    // Decode chunked transfer encoding: each chunk is "<hex size>\r\n<data>\r\n",
    // terminated by a zero-length chunk.
    if (stripos($headers, 'Transfer-Encoding: chunked') !== false) {
        $decoded = '';
        $pos = 0;
        $len = strlen($body);
        while ($pos < $len) {
            $end = strpos($body, "\r\n", $pos);
            if ($end === false) break;
            $chunkSize = hexdec(substr($body, $pos, $end - $pos));
            if ($chunkSize === 0) break;
            $pos = $end + 2;
            $decoded .= substr($body, $pos, $chunkSize);
            $pos += $chunkSize + 2;
        }
        $body = $decoded;
    }
    $containers = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('Failed to parse Docker response: ' . json_last_error_msg());
    }
    return $containers;
}
try {
    $containers = listDockerContainers();
    if (empty($containers)) {
        echo "No containers found.\n";
        exit(0);
    }
    printf("%-40s %-30s %-15s %s\n", 'Container ID', 'Image', 'Status', 'Names');
    echo str_repeat('-', 100) . "\n";
    foreach ($containers as $container) {
        $id = substr($container['Id'], 0, 12);
        $image = $container['Image'];
        $status = $container['State'];
        $name = ltrim($container['Names'][0] ?? '', '/');
        printf("%-40s %-30s %-15s %s\n", $id, $image, $status, $name);
    }
} catch (Exception $e) {
    echo 'Error: ' . $e->getMessage() . "\n";
    exit(1);
}

Example run (script confined to /tmp, socket lives under /var/run):

php -dopen_basedir=/tmp test2.php
Container ID                             Image                          Status          Names
----------------------------------------------------------------------------------------------------
388e1fecc5c9                             cgr.dev/chainguard/wolfi-base  exited          dreamy_ramanujan
5eb853c69f34                             scripts-llamacpp-wasm-builder  exited          llamacpp-wasm-builder

(Instead of listing containers, you can also start a new container with a bind mount of a directory and bypass open_basedir.)

Steps to reproduce

No response

Suggested fix

No response
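The gap the issue describes can be shown without Docker. The following script is an added example, not code from the issue, its reporter or the PHP manual. It creates its own listening unix socket in a temporary directory, then tightens open_basedir to a different temporary directory and checks two things in the same process: a path-based function on a file next to the socket is refused, while stream_socket_client() to that socket still succeeds and carries data. The directory names, the marker file and the "ping" payload are constructed for the demonstration; it assumes a CLI PHP 8 with no open_basedir already set in php.ini, since a runtime ini_set() may only narrow an existing value.

```php
<?php
declare(strict_types=1);

/*
 * Added demonstration (not from the issue or the PHP manual): open_basedir
 * refuses path-based file functions outside the allowed tree, but a
 * unix-domain socket outside that tree is still reachable.
 *
 * Run with: php open_basedir_socket_demo.php
 */

function makeTempDir(string $prefix): string
{
    $dir = sys_get_temp_dir() . '/' . $prefix . bin2hex(random_bytes(4));
    if (!mkdir($dir, 0700)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir;
}

/** Returns ['file_blocked' => bool, 'socket_received' => ?string]. */
function demonstrate(): array
{
    $allowedDir = makeTempDir('obd-allowed-'); // the only tree PHP may touch afterwards
    $socketDir  = makeTempDir('obd-socket-');  // deliberately outside that tree
    $marker     = $socketDir . '/marker.txt';  // constructed file beside the socket
    file_put_contents($marker, "secret\n");

    // The listener is created before the restriction applies; it stands in for
    // a daemon such as dockerd that owns /var/run/docker.sock.
    $address = 'unix://' . $socketDir . '/demo.sock';
    $server  = stream_socket_server($address, $errno, $errstr);
    if ($server === false) {
        throw new RuntimeException("listen failed: $errstr ($errno)");
    }

    // Narrow open_basedir for the rest of this process.
    if (ini_set('open_basedir', $allowedDir) === false) {
        throw new RuntimeException('ini_set(open_basedir) refused; is one already set in php.ini?');
    }

    // 1. Path-based access outside the tree is refused: file_get_contents()
    //    returns false and the (suppressed) warning names open_basedir.
    $contents    = @file_get_contents($marker);
    $lastError   = error_get_last()['message'] ?? '';
    $fileBlocked = $contents === false && str_contains($lastError, 'open_basedir');

    // 2. The unix:// transport is not checked against open_basedir: the connect
    //    succeeds and bytes flow, as with docker.sock in the issue.
    $client   = @stream_socket_client($address, $errno, $errstr, 5);
    $received = null;
    if ($client !== false) {
        $conn = stream_socket_accept($server, 5);
        fwrite($client, "ping\n"); // constructed payload
        if ($conn !== false) {
            $received = rtrim((string) fgets($conn));
            fclose($conn);
        }
        fclose($client);
    }
    fclose($server);

    // unlink($socketDir . '/demo.sock') would itself be refused now, because
    // unlink() is path-based; the temporary directories are left behind.
    return ['file_blocked' => $fileBlocked, 'socket_received' => $received];
}

$result = demonstrate();
printf("file_get_contents outside open_basedir refused: %s\n", $result['file_blocked'] ? 'yes' : 'no');
printf("unix socket outside open_basedir reachable:     %s\n",
    $result['socket_received'] === 'ping' ? 'yes (received "ping")' : 'no');
```

Because open_basedir only consults the path for filesystem operations, the practical mitigations for the docker.sock case lie elsewhere: keep the socket out of the process's reach (mount namespace or container without the socket, socket file permissions that the PHP user cannot satisfy), and where socket transports are not needed at all, list stream_socket_client, fsockopen, pfsockopen, socket_create and socket_connect in disable_functions. Note that the second measure removes the functions outright rather than restricting them by path, which is exactly the limitation the issue asks the manual to spell out.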

Metadata

Labels

bug (Documentation contains incorrect information)
